Revoking permissions from administrator?

Topics: Administration, Core, Customizing Orchard, General, Writing themes
Jun 20, 2012 at 8:12 PM

How do I revoke permissions from an administrator?

Specifically, I attempt to revoke "Add comment" and "Manage comments" from the administrator under Orchard.Comments Feature. I do it on page
http://localhost:12345/Admin/Roles/Edit/1

After I've saved the changes, I see no tick marks in the "Allow" column, but the "Effective" column keeps sporting tick marks. Subsequently, the administrator merrily adds comments to blog posts.

Can anybody shed light on this?

Developer
Jun 20, 2012 at 9:40 PM

Maybe that feature is implied by some other permission. Try unchecking ALL of the Administrator permissions to see if that checkbox remains ticked (it should not be, except for Add Comment and Access site front-end).

Coordinator
Jun 21, 2012 at 6:13 AM

Remove him from the administrator group and create a separate group with fewer rights.

Jun 21, 2012 at 12:22 PM
Edited Jun 21, 2012 at 3:51 PM

@bertrandleroy

  1. Is this a documented way of doing things or some sort of kludge? Can anybody point me to a topic in the documentation?

  2. The administrator case proves the permission system to be nebulous and confusing. There appears to be some sort of permission hierarchy and/or the system of permission overrides. Can anybody point me to a topic in the documentation that clearly, unambiguously and unequivocally lays down how the permission hierarchy functions?

Coordinator
Jun 21, 2012 at 5:31 PM

There is just no "revoke" principle in Orchard. Every permission is opt-in. The only exception is when using the Content Item Permissions module (Orchard 1.5), but it's a very specific module. That's why you need another role with those rights.

And actually, you might not know it, but if you want to remove some rights from a specific user, this is because he belongs to a specific category of users. Today he is alone, but what if he leaves the company, or he changes roles? Creating a role is by far more convenient, reusable and doesn't come with any restriction.

Something you could request though is to be able to clone a Role, which might come in handy in your case.

Coordinator
Jun 21, 2012 at 8:57 PM

Also, http://docs.orchardproject.net/Documentation/Understanding-permissions
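
An added illustration for this thread, not written by any poster and not Orchard's own code: a small model of an opt-in permission system with implied permissions, showing why unticking "Allow" leaves "Effective" set and why a separate role is the fix. The implication edges, `BroadAdminPermission`, `PublishContent` and the `Editor` role are assumptions made for the example; only `AddComment` and `ManageComments` correspond to permissions named in the thread.

```python
# Constructed model of an opt-in permission system; not Orchard's source code.
# IMPLIES maps a permission to the permissions it implies (edges are assumed).
IMPLIES = {
    "BroadAdminPermission": {"ManageComments", "PublishContent"},  # hypothetical
    "ManageComments": {"AddComment"},
}


def effective(allowed):
    """Expand a role's ticked 'Allow' set into its 'Effective' set."""
    result, stack = set(), list(allowed)
    while stack:
        perm = stack.pop()
        if perm not in result:
            result.add(perm)
            stack.extend(IMPLIES.get(perm, ()))
    return result


def user_permissions(role_names, roles):
    """A user's rights are the union over all roles; nothing subtracts."""
    granted = set()
    for name in role_names:
        granted |= effective(roles[name])
    return granted


def is_authorized(permission, role_names, roles):
    """True if any of the user's roles grants the permission, directly or implied."""
    return permission in user_permissions(role_names, roles)


# Constructed role table (hypothetical contents).
ROLES = {
    # The comment permissions are NOT ticked under "Allow" here, yet a
    # broader ticked permission still implies them.
    "Administrator": {"BroadAdminPermission"},
    # A separate role with fewer rights: it never opts in to comments.
    "Editor": {"PublishContent"},
}

if __name__ == "__main__":
    for who in (["Administrator"], ["Editor"], ["Editor", "Administrator"]):
        print(who, sorted(user_permissions(who, ROLES)))
```

The last case shows that adding a narrower role to a user who is still an administrator changes nothing, because role grants only accumulate.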