*bump

Well it's mainly that if you're creating a forum for some group of people with a strict hierarchy, they like to keep it. I need to assign role privileges so that those lower down the ranks can bump up people who are below them, but can't immediately boost themselves up to Administrator, mainly as a prevention of havoc.

I'm just going to bump this again..

I have 2 ranks in a forum who should be able to edit Roles, but they're still restricted concerning most of the administrative features.
My problem is that although the roles can be clearly ordered in a hierarchical fashion, if I assign role changing privileges to the lower-ranked of these two roles, they can still edit the role of the ones above them. It's possible for them to ban the roles above them and raise themselves to Administrator where they can edit all sorts of settings I'd rather they didn't; if they were so inclined of course.

I just want them to only be able to raise the Role of those beneath them.. a Corporal shouldn't be able to promote a Private to Captain, or dismiss the General...

ok yes, i'd like to be able to do this too.

I don't think you can change your own role, but if you have a "Change user roles" permission you could sign up to the forum with a new account and assign that account an admin role and once you have the admin role you can do everything.

I don't like this for lots of reasons.

If a user has a "Change user roles" permission, wouldn't it be better to only allow them to assign roles up to and including their rank/priority or "pay grade"?

I'm having this same issue.

I hear what your saying conradslater, but I cant say my forum works in the same way. Basically the priority level (order) of each role doesnt seem to affect who can give who what role.

Any answers or add ons for this issue?

Its crazy that a moderater can change a members role to one which is higher than themselfs!

Cheers.

Agreed. But how do we get this into the development cycle, or at least for the meantime - make an extension for this?

How do we do this?

@minisweeper
I think what IS in the core is not being able to edit the role of admin, or maybe only the first account (1). but what ISN'T in the core is not being able to change the role of someone w/ a higher hierarchy; at least that's the conclusion I have come to.

i don't know how to make an extension of it, i think you would need some delegates added, but this seems to work maybe someone can use it and make the extension:

you have to edit three files.

First: library/People/People.Class.RoleManager lines 30-37 - Add a "Priority" field to the select statment array on line 33

30 function GetRoleBuilder($GetUnauthenticated = '0') {
31 $s = $this->Context->ObjectFactory->NewContextObject($this->Context, 'SqlBuilder');
32 $s->SetMainTable('Role', 'r');
33 $s->AddSelect(array('Priority', 'RoleID', 'Name', 'Icon', 'Description', 'PERMISSION_SIGN_IN', 'PERMISSION_RECEIVE_APPLICATION_NOTIFICATION', 'PERMISSION_HTML_ALLOWED', 'Permissions', 'Unauthenticated'), 'r');
34 $s->AddWhere('r', 'Active', '', '1', '=');
35 if (!$GetUnauthenticated) $s->AddWhere('r', 'Unauthenticated', '', '0', '=');
36 return $s;
37 }


Next: library/People/People.Class.Role - Add a Priority property to the Role class
so three edits will do it -
add this property

var $Priority;

this line to the Clear method

$this->Priority = 0;

and this line to the GetPropertiesFromDataSet method

$this->Priority = ForceInt(@$DataSet['Priority'], 0);



And last but not least: library/Vanilla/Vanilla.Control.AccountRoleForm.php - you need to compare the users role level(priority) against the role level(priority) being assigned

you need to change the following piece of code

36 if ($this->PostBackAction == 'ProcessRole' && $this->IsValidFormPostBack() && $this->Context->Session->UserID != $User->UserID && $this->Context->Session->User->Permission('PERMISSION_CHANGE_USER_ROLE')) {
37 $urh = $this->Context->ObjectFactory->NewObject($this->Context, 'UserRoleHistory');
38 $urh->GetPropertiesFromForm();
39 if ($UserManager->AssignRole($urh)) $Redirect = 1;
40 }


to note: line 39 is the only line changed

36 if ($this->PostBackAction == 'ProcessRole' && $this->IsValidFormPostBack() && $this->Context->Session->UserID != $User->UserID && $this->Context->Session->User->Permission('PERMISSION_CHANGE_USER_ROLE')) {
37 $urh = $this->Context->ObjectFactory->NewObject($this->Context, 'UserRoleHistory');
38 $urh->GetPropertiesFromForm();

$rm = $this->Context->ObjectFactory->NewContextObject($this->Context, 'RoleManager');

$UserRole = $rm->GetRoleById($this->Context->Session->User->RoleID);
$NewRole = $rm->GetRoleById(($urh->RoleID));

if ($NewRole->Priority > $UserRole->Priority) {
$this->Context->WarningCollector->Add('You cannot change a users role to a level higher than yours.');
} elseif ($UserManager->AssignRole($urh)) {
$Redirect = 1;
}
40 }


Just checked out your fix Gerry, and it works great for refusing access to a higher level than yourself (great work! see image), but unfortunately it still lets you 'demote' a level higher than you.

So e.g. a moderator can change an administrator to member. Is it easy to change this aspect using the same method?

Cheers.




I suppose what we have to do is add another elseif to the last file. So we would say if CurrentUserRole priority is lower than UserRole priority, then it returns a different error. 'You cannot change the role of a user higher than yourself'.

CurrentUserRole being the role of the person who is trying to edit someone else.
UserRole being the role of the person who you are editing.

I actually fixed this off-hand while writing a separate extension. It's neatly packaged and doesn't affect the core code as it uses a delegate.

It will boot people back to the index if they attempt to change the role of someone of equal priority or otherwise it will cut off the roles from the drop-down menu which are of a higher or equal priority to the user's rank.

It can be circumvented by fabricating your own form data to send but I don't intend to close that security hole unless someone really, really wants me to. Anyway, here's the code and I'll package it as an extension if there's enough interest:

function WoWGF_FixRoleList($form) {
$Context = $form -> Context;
$Other = $form -> User;
if(!$form -> IsPostBack) return;
$sql = "
SELECT `RoleID`
FROM `{$Context->Configuration['DATABASE_TABLE_PREFIX']}User`
WHERE `UserID`='{$Context->Session->UserID}'
";
$data = $Context -> Database -> Execute($sql, '', '', '');
$rid = mysql_result($data, 0, 'RoleID');
if($rid == 4) return; // Don't cripple the administrator's privileges

$sql = "
SELECT *
FROM `{$Context->Configuration['DATABASE_TABLE_PREFIX']}Role`
";
$data = $Context -> Database -> Execute($sql, '', '', '');

while($row = mysql_fetch_assoc($data)) $priorities[$row['RoleID']] = $row['Priority'];

if($priorities[$rid] <= $priorities[$Other -> RoleID]) {
Redirect(GetUrl($Context -> Configuration, '.'));
exit;
}

foreach($priorities as $roleID => $priority) {
if($priority >= $priorities[$rid]) $form -> RoleSelect -> RemoveOption($roleID);
}

}
$Context -> AddToDelegate('AccountRoleForm', 'Constructor', 'WoWGF_FixRoleList');

I don't really check this community much as I'm pretty new to Vanilla but Ben mentioned he'd created this topic and there was some discussion. Since I had this lying around I thought I might as well throw it in here. Anyway, point is, if you need to contact me your best bet is email.

Actually that's probably the intended result if his logic works the same as mine. If you try to change your own role then it will detect that you have a role priority that is equal to the role of the user you're trying to change (which is you!). Since you shouldn't be able to change the role of people who have the same role as you, it won't let you.

Also, if you're worried about upgrading Vanilla then I'll stick my code in an extension (just a quick copy n' paste) and you can just install it. It doesn't hack the source code at all so Vanilla will update fine.

Why would anyone want to edit their own role? You'd only be able to drop yourself down to a lower one, you wouldn't be able to promote yourself, so what would be the point?

Just for the sake of argument I wouldnt necessarily assume the admin roleID is *always* 4 (particularly since it's reasonably easy to confirm either way)
I'm pretty sure not letting users change their own role is a feature of the core anyway to stop an admin accidentally removing his privelidges.

@Fyrol - these are the permissions checked at the top of settings.php, so i think it's safe to say that an administrator has all these permissions, but you're right i don't think there is one specific permission to administrator


// Ensure the user is allowed to view this page (they must have at least one of the following permissions)
$RequiredPermissions = array('PERMISSION_CHECK_FOR_UPDATES',
'PERMISSION_APPROVE_APPLICANTS',
'PERMISSION_MANAGE_REGISTRATION',
'PERMISSION_ADD_ROLES',
'PERMISSION_EDIT_ROLES',
'PERMISSION_REMOVE_ROLES',
'PERMISSION_ADD_CATEGORIES',
'PERMISSION_EDIT_CATEGORIES',
'PERMISSION_REMOVE_CATEGORIES',
'PERMISSION_SORT_CATEGORIES',
'PERMISSION_CHANGE_APPLICATION_SETTINGS',
'PERMISSION_MANAGE_EXTENSIONS',
'PERMISSION_MANAGE_LANGUAGE',
'PERMISSION_MANAGE_STYLES',
'PERMISSION_MANAGE_THEMES');


Actually, if you read the bottom of one of my posts (or the comments in the code) Administrators can do anything. They are ignored by the priority-changing logic. You just need to make sure your adminstrator role has a RoleID of 4 (which it is by default apparently).

Good point actually. That would probably be a fairly good way of detecting administrator status. I'll go update it now.

Great! Although is it right that you cannot change someones role to the same level as yours? So moderators cant make other people moderators?

Also, it still boots you back to the homepage when you try to edit the role of someone on your same level. Is it easy to have an error instead?

Good work though!