Posted by skyred
Today I received a request: how to let certain users have permission to edit all user accounts except admin users. Drupal has a user permission called "Administer users (Warning: Give to trusted roles only; this permission has security implications.)". If this permission is granted to a role, that role can of course edit ANY account. Therefore we need something more.
I expect this is a common request, and it can be achieved in many ways, such as writing custom code using hook_menu_* or hook_form_* (for finer control). However, I would like to present the solution below, using a Panels override, which requires no coding or additional module and is performance friendly.
Suppose we have three roles: supervisor, manager and administrator. We would like supervisor to have the Drupal "Administer users" permission but do not want them to edit manager or administrator accounts. On the other hand, we want the manager and administrator roles to be able to edit any account.
- Install and enable the Panels and Page Manager modules, and all of their dependencies
- Go to /admin/structure/pages and enable "User edit template"
- Edit the template and create a "variant", enabling "Selection rules"
- Edit "Selection rules" and add two rules: 'User: role: User being edited has one of "manager, administrator"' and 'User: role: NOT (Logged in user has one of "manager, administrator")'. Also make sure "All criteria must pass" is selected.

Let me explain this a little: we are creating a special page/variant that is shown when a supervisor tries to edit a manager or administrator account, telling the supervisor that their permission is not sufficient. In all other cases this page/variant is not triggered, so the supervisor gets the normal user editing page.

- Edit "Content" of this variant and add a custom block saying, for example, "Hey supervisor, you are not supposed to edit manager and administrator accounts!"
- Save the variant and save the panel!
- Go to /admin/people/permissions and give supervisor, manager and administrator roles "Administer users" permission
Now test this by logging in as different roles and trying to edit accounts belonging to different roles. It just works! If you have a more complicated situation, you will need to adjust the selection rules to fit your case.
Caution: if your site does advanced things like using web services to let Android or iPhone users update their profiles, this method won't help much, because Panels is not loaded for web service calls.
Anyway, I hope you enjoy this method and the capability of Panels.
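For comparison, here is the custom-code alternative the post mentions (hook_menu_alter), written as an added example rather than taken from the post. It assumes Drupal 7 and a hypothetical module named protected_roles, and expresses the same two selection rules as a menu access callback so the check runs on every request to the edit and cancel paths.

```php
<?php
/**
 * Implements hook_menu_alter().
 *
 * Hypothetical module "protected_roles". Replaces the core access callbacks
 * of user/%user/edit and user/%user/cancel with wrappers that add the
 * "protected roles" rule from the post on top of core's own check.
 */
function protected_roles_menu_alter(&$items) {
  $items['user/%user/edit']['access callback'] = 'protected_roles_edit_access';
  $items['user/%user/cancel']['access callback'] = 'protected_roles_cancel_access';
}

/** Core user_edit_access() must pass first, then our role rule. */
function protected_roles_edit_access($account) {
  return user_edit_access($account) && protected_roles_may_touch($account);
}

/** Same for account cancellation (the "delete" path Steffen mentions). */
function protected_roles_cancel_access($account) {
  return user_cancel_access($account) && protected_roles_may_touch($account);
}

/**
 * Mirrors the two Panels selection rules with "All criteria must pass":
 * deny only when the edited account has a protected role AND the logged-in
 * user has none of them. Role names are the ones used in the post.
 */
function protected_roles_may_touch($account) {
  global $user;
  $protected = array('manager', 'administrator');
  // In Drupal 7, ->roles is an array of rid => role name.
  $target_protected = (bool) array_intersect($protected, $account->roles);
  $actor_protected  = (bool) array_intersect($protected, $user->roles);
  return !$target_protected || $actor_protected;
}
```

Because this is an access callback rather than a rendered variant, it applies even when the page is reached by a direct URL, but it still does not cover the bulk operations on admin/people, which would need a separate hook_form_alter on that form.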
Comments
rooby replied:
User protect module
Try the User protect module.
It's great for this.
Watch out for the default settings though, they are a little backwards.
Rajeev Kumar replied:
Very Nice
So many times I have had to do this. At first I tried solutions to avoid giving this permission, and at other times I adopted custom coding, but I never knew I could do it with Panels like this...
Thanks for great tutorials..
RajeevK,
http://drupalconnect.in
Weijian replied:
great
Very good and helpful tutorial. Thanks. I made a variant based on yours. For "Variant type", I used "HTTP Response code" with 403. It makes it consistent with the site's error handling.
Weijian,
http://blog.bestbole.com
http://bendrun.com
Iago Physhgavak replied:
Perfect!
It works perfectly. The tutorial is pretty simple to understand! Great work skyred!
liyi replied:
Thank you for your tutorial.
Here I have a question: in step 5, where is the "add a custom block"?
Steffen replied:
Still not secure
Hi.
The supervisor will still be able to go to admin/people and block and delete manager & administrator users.
EducaMan replied:
it's just security through obscurity
@Steffen: +1, I think it's just security through obscurity ...