pwn
to utterly own someone

Problem:

A site is beautifully set up and guards against catastrophic user error (blowing things up) while giving the person you made it for as much flexibility and power to add to it as is possible... almost.

He can't change what permissions other roles have or even what roles another user has... unless you give him administer permissions.

Now Mr. Just-Learned-Drupal-From-You (in five-minute impromptu sessions because he cut the training budget from the project) can see the configure nuclear options permission, and he thinks it would be nifty to play around with that himself.

Before his assistants can use their delegated permissions, on the day of his Superbowl ad announcing the site he puts it into offline mode, the smiling blue Druplicon becomes that much more (in)famous, and he sues you for a half-million dollars.

Don't let this happen to you!

Solution:

Permit own permissions provides two permissions: share permissions, and share permissions through roles.

Share Permissions: A user in a role with this permission can grant (or revoke) any permission that she has.

Share Permissions through Roles: A user in a role with this permission can grant (or revoke) any role that contains permissions s/he has. If a role has a permission that the user does not have, then that user does not have permission to grant that role.

It's that simple. That's why we needed a big lead-up.
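The two rules above, sketched in plain PHP as an added example (not the module's own code and not Drupal's API). The function names, role names and sample data are assumptions made for illustration, and the two "share" permission strings are the labels from this page, not necessarily the module's machine names.

```php
<?php
// Added illustration, not the module's code. Role names are constructed; the two
// "share ..." strings are the page's labels, assumed here as permission names.

/** Permissions a user holds: the union over every role the user has. */
function effective_permissions(array $userRoles, array $rolePerms): array {
    $held = [];
    foreach ($userRoles as $role) {
        foreach ($rolePerms[$role] ?? [] as $perm) {
            $held[$perm] = true;
        }
    }
    return array_keys($held);
}

/** Share Permissions: grant or revoke only a permission the actor holds. */
function can_share_permission(array $held, string $perm): bool {
    return in_array('share permissions', $held, true)
        && in_array($perm, $held, true);
}

/** Share Permissions through Roles: the actor must hold every permission in the role. */
function can_share_role(array $held, array $rolePerms, string $role): bool {
    if (!in_array('share permissions through roles', $held, true)) {
        return false;
    }
    if (!array_key_exists($role, $rolePerms)) {
        return false; // unknown role: deny rather than treat it as empty
    }
    return array_diff($rolePerms[$role], $held) === [];
}

// Constructed sample configuration.
$rolePerms = [
    'site owner' => ['create content', 'edit any content',
                     'share permissions', 'share permissions through roles'],
    'editor'     => ['create content', 'edit any content'],
    'site admin' => ['create content', 'administer permissions'],
];
$held = effective_permissions(['site owner'], $rolePerms);

// A permission the owner holds, then one the owner lacks.
var_dump(can_share_permission($held, 'edit any content'));
var_dump(can_share_permission($held, 'administer permissions'));
// A role within the owner's permissions, then one containing a permission the owner lacks.
var_dump(can_share_role($held, $rolePerms, 'editor'));
var_dump(can_share_role($held, $rolePerms, 'site admin'));
```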

For getting something like this into Drupal core, potentially, see "Do not let grant more permissions than you actually have".

For modules providing additional, finer-grained ability to authorize other users to do things, see Role delegation, Delegate menu administration, and Taxonomy delegate.

This delegation-enhancing module is, ironically, contributed by the non-hierarchical, equality-for-all collective known as agaric. Expansion to the module has been sponsored by GoingOn so we can create better websites for education.
