Role Protect

woft

Is there a similar plugin to this available?

https://vanillaforums.com/discussion/2182/how-to-limit-user-role-editing

hgtonight

You can get it on the hosted plan.

AFAIK, there is nothing of the sort in the OS addons repository. Sounds useful though!

woft

yes, I have th eproblem at the moment that we have multiple roles within our community, the majority of which need access to the user/roles system. I need the ability to limit their self-promotion so to speak.

woft

Thank you for your response anyway.

woft

@peregrine or @R_J have any suggestions on a way I could implement this feature?

peregrine

@woft said:
peregrine or R_J have any suggestions on a way I could implement this feature?

what exactly do you want to do, in terms of privs for someone..
if you want to give someone pseudo admin privs but inablility to get to roles and permissions and users.

you could get the userid of the pseudo-admin and give them admin privs but block the view of both of those by userid.

e.g. pseudo-code

if userid == "345" return;

but you would have to test all scenarios and sublinks.

woft

Basically, the problem I have at the moment is that a mod can promote themself past mod to admin. I need mods to be able to change the ranks of normal members if necessary, so blocking the access to do so wouldn't work.
So say for example there are 5 roles (From highest permissions to lowest):
Admin,
Role 1,
Role 2,
Mod,
Member.

If a user wanted to change the role of either themself or another to an another role, I need something like
if (User Changing Role < Role to Change to) { Deny Role Change; } else { Change selected User Role to Role Selected; };
This would mean a "Mod" could not promote past "Mod" but could still promote to "Mod", A "Role 2" could not promote past "Role 2" but could still promote to "Role 2" etc etc.

I think the pseudo code makes sense.

R_J

@woft said:
peregrine or R_J have any suggestions on a way I could implement this feature?

Funny that you haven't asked @hgtonight who was in this thread at first, said he find that an interesting feature and has donated a lot more sophisticated plugins to the community than I ever will. I'd bet he already thought about how he would implement that feature, right?

To my opinion, there are two "lazy" approaches: one is to reuse the existing functionalities and the other is to reuse the existing permissions/dashboard restrictions. peregrine already spoke about how he would start: reusing the user section in dashboard. If you do it that way, you would have to make sure, that the permissions you give to your moderators doesn't empower them to things which you don't want to. I think you have to have a good knowledge of Vanilla in order to ensure this. That's why peregrine could do it that way and I would have to take another approach

I would register a permission and give that permission to every role that should be allowed to change other users role. Additionally, I would create a role array in the config, sorted in the way that you see your user roles hierarchy (user roles have no "order" other than there numerical value and that should not be mixed with higher or lower "ranks"!)
Although it is not obvious and not intuitive, I would add the possibility to change a role directly to the users profile, because creating a completely new view seems to be much harder. That's pure laziness of me. A dedicated screen would be better and having the standard view showing only the user "below the viewers own role" would be optimal. But as I said before: you would have to be 100% sure that you don't fuck up the permission system and I would be frightened not be able to be so careful.

That's why I would put it into the profile. So if user A (who is a mod) wants to change the role of user B, he has to look at the profile of user B. There he will find a dropdown with all roles < his own and a [Change Role] button (but only if user B has a role that has been granted the newly created permission to change other users role).
/!\ Don't forget to check the right permissions and role hierarchy directly before saving!
If you only check it in the view, I'll be the admin of your board in no time and you would all be my guests...

---

But if you have a working solution right now and your only problem is that users could promote themselves, than maybe you only have to implement that rank hierarchy array and test before save. No need for any additional permissions and/or views.

peregrine

r_j said:
Funny that you haven't asked @hgtonight who was in this thread at first,

hgtonight is always implied (or is that implicated) whether he is mentioned or not

Linc

We've recognized this as a deficiency in the current permission scheme and it's been revised for 2.3. That release also protects the Admin=1 users from banning and allows for more granular tinkering with permissions via plugin. Unfortunately it's still a ways off.

hgtonight

I think this is how you know you have made it @R_J, being mentioned the same time as @peregrine!

I would probably try to mimic exactly what the Role Protect plugin does how it is described here: https://vanillaforums.com/discussion/2182/how-to-limit-user-role-editing

The way I read it, you give someone this new permission Garden.Roles.Selective in addition to the Garden.Users.Edit permission and pick which roles you want to 'lock'. Anyone with this permission cannot add/remove any role that is locked. This means you have to register a new permission, add a way to 'lock' roles via the GUI (or not if you are lazy), and hook into the user role editing to add a new validation check:

  public function UserController_BeforeUserEdit_Handler($Sender) {
    $Session = Gdn::Session();
    // Since super admins always pass all permission checks, we make sure the user
    // isn't a super admin before checking the selective permission
    if(!$Session->User->Admin && $Session->CheckPermission('Garden.Roles.Selective')) {
      $Roles =& $Sender->EventArguments['RoleData'];
      $LockedRoles = C('Plugins.RoleProtect.LockedRoles', array());

      // Remove the locked roles from the form data
      foreach($LockedRoles as $RoleID) {
        unset($Roles[$RoleID]);
      }
    }
    else {
      return;
    }
  }

If you are looking for some type of hierarchical roles, I would check out the Ranks feature of Yaga. I plan on implementing not being able to award ranks higher than your own in the near future.

I am actually packaging a role protect addon as we speak. I want to make it be nice to operate by end users.

R_J

@hgtonight said:
I think this is how you know you have made it R_J, being mentioned the same time as peregrine!

Naw! I thought he was only polling opinions from the whole bandwidth of skilled users...

hgtonight

@woft Here you go: http://vanillaforums.org/addon/roleprotect-plugin

peregrine

@R_J said:
Naw! I thought he was only polling opinions from the whole bandwidth of skilled users...

if he mentioned vrijvlinder and peregrine. he would be looking for comic relief, quotes and cartoons.

The day is gonna come @r_j, when somebody says "hey x00 and r_j I need some help" Then you know you are on the Olympic platform.

I figured hgtonight would burst thru with a plugin, I could sense it in my feathers.

woft

WOW, guys thank you for your input, i simply mentioned @R_J and @peregrine because i had most contact with you two in the past. I am still relatively new here. Either way you guys have said a lot of helpful things. I will give the plugin a try. I am using 2.0.18.10 so will give it a try and get back to you.

peregrine

@woft

you might give hgtonight an awesome click in reactions for the effort.

woft

Just an update: @hgtonight this works perfectly on 2.0.18.10

So I looked at the Yaga Ranks Feature, this has the correct idea of having a higher rank and not being able to obtain a hgher rank without a hgher rank prmoting to said rank.

But would there be a way of making the plugin you created more dynamic.

So rather than having a saved array of locked ranks, have them hard coded into the plugin. That way you could validate the user role on a sesison by session basis.

I assume this would require each role to have the heirachical value. How would i go about setting a value to a role? form what I read it is through the config.php file.

Would it be possible to set this heirachical value base don the layout of the role page. As on my roles&permissions page I have ordered the roles from highest to lowest. I assume this data is saved somewhere as it is always the same structure wheneever I load it. If not, Just as the new GUI page is set for the Role Protect Plugin, could this page be edited so that is saved the order rather than a check box? giving higher values to a role higher up the list?

I understand what I am saying now is probably a hell of a lot of work, and please don't misconstrue this as ungreatfulness for the plugin so far. Just putting ideas out there

woft

@peregrine HAHA missed that, have done now :P

hgtonight

There is a sort column in the Role table. This is only used to keep things in order. Roles aren't meant to be hierarchical. A single user can have many roles.

What I mean to say, I think you are looking to use Roles in a way they weren't designed. You are looking for a system that has a hierarchy and you can only be one level at a time. This is what Ranks are designed to do.

I could modify this plugin to have a sort option. Then unlock all roles below the sort of the highest role the current user has. Doesn't that just seem messy?

vrijvlinder

@peregrine said:
if he mentioned vrijvlinder and peregrine. he would be looking for comic relief, quotes and cartoons.

Yes, and here is my Jester Badge to prove it

woft

Ok so I am busy updating my forums to 2.1b2 at the moment, will continue to look into this once i have completed the upgrade.