Edit user permissions for non-SiteOwner users

Topics: Writing modules
Jul 4, 2011 at 7:43 PM
Edited Jul 4, 2011 at 7:46 PM


I've got a requirement where I need to be able to allow certain users to edit and create users without being able to perform other admin actions such as editing site settings or enabling features. I was expecting to see a ManageUsers permission under Orchard.Users, however on closer inspection it appears that Orchard.Users.Controllers.AdminController uses the SiteOwner permission. I can see there are permissions for other core features such as themes and widgets but I cannot see a way of removing these permissions for a stereotype via the IPermissionProvider mechanism. Is there any way to meet this requirement?

Jul 5, 2011 at 1:31 PM

I implemented a set of permissions for this, in a fork of the main project:

I've manually tested a variety of scenarios to make sure there's no danger of "elevation of privilege" - but I'd like to write proper tests before I start asking for it to be merged into core. Although I do think having those permissions available is absolutely essential for anything but very basic websites!

Jul 5, 2011 at 3:16 PM

Fantastic - well done Pete. We've just moved up to 1.2 so I'm not comfortable moving to a branch just yet, but would be happy to volunteer some time towards testing if required.

I'll find some time tonight to have a gander and see what's what.

Jul 6, 2011 at 2:25 PM

It's a completely separate fork, not a branch. It is merged with 1.2 already, so it's otherwise exactly the same as what you're using.

For testing I created a number of different users each with different combinations of roles and permissions, and checked that each was unable to do specific things (e.g., a Manager shouldn't be able to grant or revoke any roles that contain "site owners" permission, but they can manage other roles). Further testing would most definitely be appreciated, and if you're at all familiar with writing automated tests, they would be extremely good to have. I started looking at the Specs system to do that, but it was incredibly abstract, and maybe tests directly around the controllers would be more solid in any case.
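
The check described in the last post (a Manager cannot grant or revoke any role containing the site owner permission, but can manage other roles), written as an added example that is not code from the fork or from Orchard. The `Role` record, `RoleAssignmentGuard`, and the `ManageUsers` and `EditContent` permission names are hypothetical stand-ins, and the roles and cases in `Main` are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical model, not Orchard's own types: a role is a name plus permission names.
public sealed record Role(string Name, string[] Permissions);

public static class RoleAssignmentGuard
{
    public const string SiteOwner = "SiteOwner";     // permission named in the thread
    public const string ManageUsers = "ManageUsers"; // assumed name, from the first post

    // May a user holding actorRoles grant or revoke the target role?
    public static bool CanChangeRole(IEnumerable<Role> actorRoles, Role target)
    {
        var held = actorRoles.SelectMany(r => r.Permissions)
                             .ToHashSet(StringComparer.OrdinalIgnoreCase);
        if (held.Contains(SiteOwner)) return true;      // site owners keep full control
        if (!held.Contains(ManageUsers)) return false;  // no user-management right at all
        // Decide on the role's contents, not its name: a delegated manager must
        // never touch any role that carries SiteOwner.
        return !target.Permissions.Contains(SiteOwner, StringComparer.OrdinalIgnoreCase);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed roles and cases for illustration.
        var admin   = new Role("Administrator", new[] { "SiteOwner" });
        var manager = new Role("Manager", new[] { "ManageUsers" });
        var editor  = new Role("Editor", new[] { "EditContent" });
        var custom  = new Role("Support", new[] { "EditContent", "SiteOwner" });

        var cases = new (string Label, Role[] Actor, Role Target, bool Expected)[]
        {
            ("owner changes Administrator", new[] { admin }, admin, true),
            ("manager changes Editor", new[] { manager }, editor, true),
            ("manager changes Administrator", new[] { manager }, admin, false),
            ("manager changes renamed owner role", new[] { manager }, custom, false),
            ("manager+editor changes Administrator", new[] { manager, editor }, admin, false),
            ("editor changes Editor", new[] { editor }, editor, false),
        };
        foreach (var c in cases)
        {
            var actual = RoleAssignmentGuard.CanChangeRole(c.Actor, c.Target);
            if (actual != c.Expected)
                throw new InvalidOperationException($"FAIL: {c.Label}");
            Console.WriteLine($"ok: {c.Label} -> {actual}");
        }
    }
}
```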