Today, I received a request that how to let certain users to have the permission to edit all user accounts but not admin users. Drupal has this user permission called "Administer users (Warning: Give to trusted roles only; this permission has security implications.)". If this permission is granted to a role, then of course, this role can edit ANY accounts. Therefore, we need something more.
I see this could be a common request, and it can be achieved in many ways, such as writing custom codes, using hook_menu_* or hook_form_* (to control more details). However, I would like to present the solution below, using Panels overwrite, which don't require any coding or additional module and is performance friendly.
Suppose we have 3 roles: supervisor, manager and administrator. We would like supervisor to have the Drupal "Administer users" permission but don't want them to edit manager or administrator accounts. On the other hand, we want manager and administrator roles to be able to edit any account.
- Let's install and enable Panels and Page Manager modules, and all of the dependent modules
- Go to /admin/structure/pages, and enable "User edit template"
- Edit the template and create a "variant", enabling "Selection rules"
- Edit "Selection rules", add two rules: 'User: role User being edited has one of "manager, administrator"' and 'User: role NOT (Logged in user has one of "manager, administrator")'. Also make sure "All criteria must pass."
Let me explain this a little bit: we are creating a special page/variant when a supervisor tries to edit either manager or administrator account, and tell supervisor that the permission is not sufficient. But, in other cases, this page/variant won't be triggered, so the supervisor goes to normal user editing page
- Edit "Content" of this variant, add a custom block, saying, for example, "Hey supervisor, you are not supposed to edit manager and administrator accounts!"
- Save the variant and save the panel!
- Go to /admin/people/permissions and give supervisor, manager and administrator roles "Administer users" permission
Now, try to test this with logging as different roles and trying to edit different roles' accounts! It just works! Moreover, If you have more complicated situations, then you will need to make adjust the selection rules to meet your case.
Caution: if your site does advanced stuff like using web services to let Android or iPhone users to update users' profiles, then this method won't help much. Because Panels won't be loaded through web services calls.
Anyway, I hope you enjoy this method and the capability of Panels.