
Permission user-admin-[role] should apply to only that role


Robin S

The new user-admin permissions introduced in v2.6.10 are great, but I don't think they work in quite the right way.

Suppose I have these roles:

superuser

editor

member

guest

The two of interest here are editor and member. Editor is a site editor/administrator and member is a front-end-only user. There are various restricted front-end pages that guest does not have access to - the member role is needed.

Users with the editor role have also been given the member role, so they can browse the front-end as a member would. It is possible to set the site up differently so editors do not also have the member role and restricted front-end access is given to member or editor, but in principle roles are meant to be cumulative so it's not unusual for a user with a higher-level role to also be given a lower-level role.

The problem comes when editor needs to be given admin access to the Users section. What is desired is that editor can only edit users with the member role alone (and the guest role of course). At first glance you would think that giving editor the user-admin-member permission and not the user-admin-all permission would achieve this. But if the role has user-admin-member permission it also gives the ability to edit other users with the editor role. This should not happen in my opinion.

It would be better if the user-admin-[role] permissions worked such that a role needs to have the permissions for all the roles another user has before they can edit that user. So to edit another user with the editor role the permissions needed would be:

user-admin-member

user-admin-editor

Hope I've explained this well enough.


There is no way in core to restrict user edit access based on the values of the users being edited. So you are misunderstanding what the features introduced in 2.6.10 do.

What you are describing can be achieved with a simple module or by using https://github.com/ryancramerdesign/DynamicRoles

Update...

Sorry, I'm the one that is misunderstanding. Shouldn't read the forum first thing in the morning.


If you want editors to have frontend access, but not be editable, you should either allow editors to have frontend access by default or create an editor-frontend role. If they shouldn't be editable then they are not the same as other members anymore.

Edit: An alternative approach (more cumulative) could be

superuser

editor

member

frontend

guest

Give frontend to both editors and members so you only manage this role once, and allow editing of members to prevent editors from being edited.


Thanks for the suggestions.

Give frontend to both editors and members so you only manage this role once, and allow editing of members to prevent editors from being edited.

Going down this road could lead to a very fractured roles setup, and kind of amounts to treating each role like a permission. But that does give me the idea of solving this via custom permissions that can be shared by two or more roles. Which is probably the way to go.

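The difference between the behaviour reported in the first post (one matching user-admin-[role] permission is enough) and the proposed rule (every role of the target user must be covered) can be modelled as follows. This is an added example, not part of any post in the thread and not ProcessWire code: the function names, data structures, sample users and the treatment of guest-only users are assumptions.

```python
# Standalone model of the user-admin-[role] check discussed in this thread.
# Not ProcessWire code: names and data structures are assumptions.

IMPLICIT_ROLES = {"guest"}  # assumption: guest needs no per-role grant

# Constructed sample setup mirroring the first post.
ROLE_PERMISSIONS = {
    "guest": set(),
    "member": set(),
    "editor": {"user-admin-member"},
}
USERS = {
    "alice": {"guest", "member", "editor"},  # editor who is also a member
    "bob": {"guest", "member", "editor"},    # second editor
    "carol": {"guest", "member"},            # front-end-only member
}

def granted(roles, role_perms):
    """Union of the permissions carried by a set of roles."""
    return set().union(*(role_perms.get(r, set()) for r in roles))

def can_edit(actor_roles, target_roles, role_perms, require_all):
    """require_all=False: one matching role suffices (reported behaviour).
    require_all=True: every role of the target must be covered (proposal)."""
    perms = granted(actor_roles, role_perms)
    if "user-admin-all" in perms:
        return True
    if not any(p.startswith("user-admin-") for p in perms):
        return False  # no user administration grant at all
    checks = [f"user-admin-{r}" in perms for r in target_roles - IMPLICIT_ROLES]
    if not checks:
        return True  # assumption: guest-only users are editable by any user admin
    return all(checks) if require_all else any(checks)

def over_broad_pairs(users, role_perms):
    """(actor, target) pairs allowed by any-match but denied by all-match."""
    return sorted(
        (a, t) for a in users for t in users
        if a != t
        and can_edit(users[a], users[t], role_perms, require_all=False)
        and not can_edit(users[a], users[t], role_perms, require_all=True)
    )

if __name__ == "__main__":
    for actor, target in over_broad_pairs(USERS, ROLE_PERMISSIONS):
        print(f"{actor} can edit {target} only under any-match")
```

Running `over_broad_pairs` against an export of a site's real roles and users lists every account pair where a lower-privilege grant reaches a higher-privilege user.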
