Permissions for Manage Users and Manage Roles

Topics: General
Apr 12, 2011 at 5:10 PM

Right,

Following on from original thread Separating out Site Owner's permission ...

I've been working on this fork: http://orchard.codeplex.com/SourceControl/network/Forks/randompete/UserManagementPermissions

What I've got now is a working implementation (it turned out somewhat harder than I thought but I think I caught everything in the end)

I'm certainly not suggesting this be added into core quite yet :)

It adds various levels of permissions: ViewUsers, ManageUsers, ViewRoles, ApplyRoles, ManageRoles

In all cases a user with one of these permissions granted will be prevented from making any changes to a user with Site Owners permission, or to a role that includes Site Owners permission, or from granting a role that includes Site Owners permission.

So far my testing has been manual and there are no automated tests implemented yet. Most of the key requirements are definitely solid, but there are just so many permutations going on it's hard to be sure of everything. In terms of automated tests I've made a fairly extensive list of what's required, as follows;

Orchard.Users
-------------

- TODO: Approve / Disable / ChallengeEmail / Delete bulk operations could depend on slight variations in permission

Can access Admin/Index
With permission SiteOwner, EditUsers, ManageUsers, ViewUsers

Can access Admin/Index[POST] (submitBulkEdit)
With permission SiteOwner
- In all circumstances
With permission EditUsers, ManageUsers
- If checkEntries contains no users with permission SiteOwner
Not with permission ViewUsers

Can access Admin/Create
With permission SiteOwner, EditUsers, ManageUsers
Not with permission ViewUsers

Can access Admin/Create[POST]
With permission SiteOwner
- In all circumstances
With permission EditUsers, ManageUsers
- If chosen Roles do not include SiteOwner permissions
Not with permission ViewUsers

Can access Admin/Edit(id)
With permission SiteOwner
- In all circumstances
With permission EditUsers, ManageUsers
- If User(id) does not have SiteOwner permissions
Not with permission ViewUsers

Can access Admin/Edit(id)[POST]
With permission SiteOwner
- In all circumstances
With permission EditUsers, ManageUsers
- If User(id) does not have SiteOwner permissions
- If chosen Roles do not include SiteOwner permissions
Not with permission ViewUsers

Can access Admin/Delete(id)
With permission SiteOwner
- In all circumstances
With permission EditUsers, ManageUsers
- If User(id) does not have SiteOwner permissions

Can access Admin/SendChallengeEmail(id)
With permission SiteOwner, EditUsers, ManageUsers, ModerateUsers
Not with permission ViewUsers

Can access Admin/Approve(id)
With permission SiteOwner, EditUsers, ManageUsers, ModerateUsers
Not with permission ViewUsers

Can access Admin/Moderate(id)
With permission SiteOwner
With permission EditUsers, ManageUsers, ModerateUsers
- If user(id) does not have SiteOwner permissions
Not with permission ViewUsers

Orchard.Roles
-------------

Can access Admin/Index
With permission SiteOwner, ManageUsers, EditRoles, ApplyRoles, ViewRoles
Not with permission ViewUsers, EditUsers

Can access Admin/Index[POST]
With permission SiteOwner
- In all circumstances
With permission ManageUsers, EditRoles, ApplyRoles
- If chosen roles do not include SiteOwner permissions
Not with permission ViewUsers, EditUsers, ViewRoles

Can access Admin/Create
With permission SiteOwner, EditRoles
Not with permission ViewUsers, EditUsers, ManageUsers, ViewRoles, ApplyRoles

Can access Admin/Create[POST]
With permission SiteOwner
- In all circumstances
With permission EditRoles
- If chosen permissions do not include SiteOwner
Not with permission ViewUsers, EditUsers, ManageUsers, ViewRoles, ApplyRoles

Can access Admin/Edit(id)
With permission SiteOwner
- In all circumstances
With permission EditRoles
- If permissions of Role(id) do not include SiteOwner
Not with permission ViewUsers, EditUsers, ManageUsers, ViewRoles, ApplyRoles

Can access Admin/Edit(id)[POST]
With permission SiteOwner
- In all circumstances
With permission EditRoles
- If permissions of Role(id) do not include SiteOWner
- If chosen permissions do not include SiteOwner
Not with permission ViewUsers, EditUsers, ManageUsers, ViewRoles, ApplyRoles

Can access Admin/EditDelete(id)[POST]
With permission SiteOwner
- In all circumstances
With permission EditRoles
- If permissions of Role(id) do not include SiteOwner
Not with permission ViewUsers, EditUsers, ManageUsers, ViewRoles, ApplyRoles

Can access Admin/Delete(id)[POST]
With permission SiteOwner
- In all circumstances
With permission EditRoles
- If permissions of Role(id) do not include SiteOWner
- If chosen permissions do not include SiteOwner
Not with permission ViewUsers, EditUsers, ManageUsers, ViewRoles, ApplyRoles

 

So there's a lot to implement before this has thorough test coverage. It's been suggested that this would be appropriate for Orchard.Specs but I'm wondering if perhaps tests should be also at the controller level, security being paramount in this scenario. It's also quite a lot just to get my head around the Specs system let alone cover this many scenarios. Really I'm just putting this out here at this stage to see if anyone else is as interested in this permissions model as me, who might want to help implement some of the testing, or at least just get another pair of eyes on my work to check I've not missed anything :)

Aug 1, 2012 at 3:49 PM

Hello randompete. Seeing as how this post was from quite a while ago, I was wondering if you have had any success in creating a standalone module for this. I have been quite frustrated by the fact that Orchard doesn't include something like this out of the box.

Thanks

Coordinator
Aug 2, 2012 at 4:04 PM

The reason why it doesn't is that pretty much any permission to modify user or role permissions gives a way for users being granted it a way to elevate their own privileges. This is why we consider those permissions to be equivalent to site ownership.

One thing that would be useful would be delegated administration of permissions that would strictly restrict what can be changed and prevents any elevation, but that should be done as a module as it goes way beyond what typical Orchard sites need.

Aug 2, 2012 at 8:12 PM
bertrandleroy wrote:

One thing that would be useful would be delegated administration of permissions that would strictly restrict what can be changed and prevents any elevation, but that should be done as a module as it goes way beyond what typical Orchard sites need.

This sounds like what we are looking for. We would like to allow a certain user the permission to create new users with low permission levels (content creation). The problem that we are dealing with is that we want this user to do the user creation without having access to modules, themes, etc.

Aug 3, 2012 at 2:41 PM

I also need this functionality.  It's actually really common for me to allow someone to create/manage users, but I don't want them messing with modules/themes etc.  Right now, I just ask them kindly not to.  :)  Anyway, eventually I'll probably build a module for this if nobody else does.  

Coordinator
Aug 3, 2012 at 6:20 PM

Yup, somebody who needs it badly enough will have to build it ;)

Jul 10, 2014 at 12:26 AM
Edited Jul 10, 2014 at 12:35 AM
sorry double-post!
Jul 10, 2014 at 12:34 AM
So tbouma / BrandonJoyce did you guys get any further with this as we are looking at the same scenario.. being able to give relatively low level editors the ability to create new users.
Developer
Jul 10, 2014 at 5:39 AM
There are currently ManageUsers, Orchard.Users, ManageRoles and AssignRoles permissions.