[UX] Add newly-created roles between the "Authenticated" and "Administrator" roles #4507
Comments
|
I initially attempted to implement this in a very simplistic way, by adding all new roles after the Authenticated role (setting their weight to
|
|
I came across this problem last week (October 2021) and there are more problems... Backdrop V 1.20.1 I have created a "Student" role and it appeared after administrator so it inherited all of the admin's permissions. I then moved the role after Anon and before Authenticated
and the role still has Admin permissions that can't be changed.
When you click on [Configure Role] then [Set Permissions] none of the permissions are set.
"View comments" is one that's visible in the images. |
That's wrong (but also a separate issue). All roles should be created without any permission assigned to them.
That's because you have assigned these permissions:
That's how Drupal/Backdrop permissions work if assigned to any of these "special" roles.
That's a bug when editing a role individually. Can you please file a separate issue for it? I'm assuming that the JavaScript that takes care of auto-selecting checkboxes based on whether the respective permissions have been assigned to anonymous/authenticated fails, since there is only a single column of permissions loaded in that page. |
|
...it seems to me that we should:
|
Nope, it's a brand new install, I haven't changed any roles or permissions other than creating the "Student" role... I was experimenting with membership_entity on this install... but had the same problem on another install. |
|
It appears that while I have moved the "Student" roll which now has a weight of 1, it is still inheriting the "Authenticated" users permissions which can't be changed. The only way to change the permissions of "student" is to re-order the roles so that "student" comes after "Authenticated" then change the permission of the "Authenticated" user, which then stops the inheritance to the Roles right of it.
Hope that makes sense :) |
|
When I then changed the permissions of "Student" the "editor" to the right did not inherit the permissions. See "View Comments" permission.
|
|
So it looks like the "Authenticated" user is hardcoded somewhere which means that the "Anonymous" and "Authenticated" roles need to be fixed and none moveable. It looks like the logic for permission inheritance is messed up and assumes that Auth will always be after Anon roles and no other roles will have a weight lower than it. While I understand the reasoning... the implementation and [UX] needs to be updated so that the logic works correctly or as mentioned above Anon and Auth roles need to be fixed in place.
|
|
Is it possible for the Drag-handles to be removed for the two roles? And if so, the Admin may as well be removed. - Not sure if that is in fact feasible or not.
|
Ooh, I like this idea!
I have a lot of sites where I add a |
|
'Anonymous' refers to users of the site that aren't logged in (i.e. no roles at all). So it's unique and can't be inherited (doesn't make sense). 'Authenticated' refers to users that are logged in, therefore they may have 0 or more roles. These permissions are inherited by all other roles (other than 'Anonymous') since it's not possible for another role to have less permissions than a user with no roles. So if you create a new role (e.g. 'Student') it's going to have at least the same permissions as 'Authenticated'. This can't be changed as it wouldn't make sense to. Hope that helps. |
Although the above is true, it may be confusing from an end user perspective. A better way to explain it is that if you grant a permission to the anonymous role, then any other role automatically inherits that permission. Another way to think about it is this: if anonymous can perform a specific task, then everyone (any role) can. |
|
@klonos Not true:
|
|
Huh! ...I stand corrected then - I had this wrong all along 🤔 |
|
@klonos I think you got
|
|
It is also feasible that a site owner may want a Guest role, where they are allowed to do something but not everything an Authenticated user can do. If this is ever the case, then the Authenticated User Role would need to be modified and reduce its permissions in order to allow a Guest Role, then another role would need to be added for Full Authenticated roles. Probably a very very small use case, but still a valid one. For example, the site may have content that only Members can see, so an Authenticated user can see and create new posts whereas a Guest user may only be able to view the Members only posts and not create them. Hope that makes sense :-) |
|
Yup, that's it @jenlampton ^^ |
Never mind. I did that: #5336 |
@albanycomputers This is the wrong way to think about it. Authenticated isn't a normal role you can assign or unassign users. All users are authenticated. Therefore if you give Authenticated users the ability to create posts, all users will be able to create posts. What you want is for Authenticated to be your Guest role, where they can view member-only content. Then you need a new role, like Editor, which can create posts. You'll have to decide how/which users are given the Editor role. |
|
Thanks @BWPanda I came to that conclusion :) I would suggest that the Anon, auth and admin users be "Locked" into position so that they can't be repositioned with drag-handles :) |
|
I agree re. Anon and Auth, but not Admin. There's nothing special about that role and no reason it can't be less permissive than a new, custom, more advanced role... |
|
Also, in upgrades from D7, there's likely not a role with that title/machine name for Admin. |
Wondering if there is an alternative/intuitive way to replace the entire "Administrator role" fieldset with some sort of "drag the admin role to the bottom of the list" functionality 🤔 ...I'll play around with some mockups to see if that works well. |
This was suggested by @BWPanda in #4504 (comment)
The recommendation @BWPanda mentions above is a portion of the help text that was added as part of #4504:
The text was updated successfully, but these errors were encountered: