Restrict vsite_users to administrators

spiritcapsule's picture

We would like to have the Manage Users functionality that is available with vsite_users restricted to only those with the administrator role (and not available to scholar admin). We have integrated shibboleth, and we don't want users logging in straight through drupal instead of shibboleth. Also we don't want scholar site owners to be able to search for existing site users, due to FERPA concerns. We would like to just have the scholar site owner request from us that a user be given access to edit their site and we handle the allocation of privileges on the back end.

Currently, we have vsite_users disabled (via features /admin/build/features#openscholar-vsite) in order to remove the users section of the Control Panel. But with that disabled, there doesn't seem to be another way for Administrators to grant users access to another user's scholar site. Any ideas for how to have vsite_users enabled but only accessible by those with the administrator role?

Comments

spiritcapsule's picture

We discovered that when we disable vsite_users, we get server 500 errors when trying to add a publication to a site.

PHP Fatal error: Call to undefined function vsite_users_hide_form_value() in /sites/all/modules/openscholar_features/scholar_publications/scholar_publications.module on line 272

That dependency is not documented in admin/build/modules > Features > Publications.

ferdi's picture

You probably need the vsite_users module. You could alter the access callback function for these menu entries:

https://github.com/openscholar/openscholar/blob/SCHOLAR-2-0-BETA14/sites...

so that they show up only for people / roles that you want.

Does that make sense?

thanks!

Here's what I did...

jgrantd's picture

We just had a similar issue with our OpenScholar site. We found out that users can not only add completely random users through the "Add new user" popup (They can click on "Add new", fill out a form, and create whole new users not authenticated through our LDAP system), but that the "Make administrator" button in the og_members View makes you a system Administrator for the whole site! Yikes!

I managed to do the following:

  • Remove the "Add new" from the "Add a User" drop down so that users can't add completely random users to the system

  • Remove "Make Administrator"

  1. First, go to sites/all/modules/openscholar_vsite/vsite_users/vsite_users.module and go to about line 400 - 405.

On these lines, there is an array pointing to a special sub-menu in the "Add a new user" popup. This allows people to add wholly new users to their site (As well as the system). I went ahead and disabled this by commenting out the entire bit of code for that menu. Here's what it looks like now:

// $form['add_new_user'] = array(
// ... Bunch of stuff in between the $form[... and the end tag which is:
// );

Save the file. Run "drush cc all" from your server command line, and voila! the sub-menu is gone without affecting anything else.

  2. People can still make users "Administrators" of their site...and all of OpenScholar. I got rid of this by going to the Admin panel and changing the View that generates the list of users who have access to a site. Go to Admin >> Site Building >> Views >> List.

You'll get the Views listing. Go to the view titled "og_members" and click Edit.

In the edit area, underneath "Fields", click on the field called "Organic Groups: OG: Admin manage link". In the edit box near the bottom, click on the option for "Exclude from display", then "Update" that field. You then click on "Save" to save the entire View.

When you go back to the Users section of any profile, they will see a listing of users they have approved to view their content, but they won't be able to make them Administrators. This has saved us from making accidental Admins for the whole site.

Hope that helps.

- Grant

Grant Dickie
ARHU Web & Applications Developer
University of Maryland, College Park

we used the access arguments

spiritcapsule's picture

As ferdi suggested, we wrote a custom module to alter the access callback on the menu and created a permission (access argument) for viewing anything under cp/users and we grant that permission only to the sitewide administrator role.

So at this point on our instance no one except a sitewide admin even sees the users tab in the control panel.

I don't think the Make Administrator function on cp/users grants sitewide administrative power. From my tests, that shows to be inaccurate. But I'd like to see what the openscholar dev team says about it.

ferdi's picture

@jgrantd you can use the Drupal hook system (i.e. form_alter) instead of commenting out the original file.
Not sure what you mean by "system Administrator for the whole site" but no, "make administrator" is supposed to add some admin rights to that site.

Thanks!
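
The two suggestions in this thread (a permission-gated access callback for everything under cp/users, and form_alter instead of editing vsite_users.module) can live in one small custom module. This is an added example, not code from any poster or from OpenScholar. It assumes Drupal 6, a hypothetical module name "vsite_users_lockdown" with its own .info file, and a permission string chosen for the example; only cp/users and $form['add_new_user'] come from the thread.

```php
<?php
// Added example: "vsite_users_lockdown" is a hypothetical Drupal 6 custom
// module name; the permission string below is chosen for this example.

define('VSITE_USERS_LOCKDOWN_PERM', 'manage vsite users');

/**
 * Implements hook_perm(): declare the permission so it shows up on the
 * permissions page, where it is granted to the administrator role only.
 */
function vsite_users_lockdown_perm() {
  return array(VSITE_USERS_LOCKDOWN_PERM);
}

/**
 * Implements hook_menu_alter(): gate cp/users and every path below it.
 *
 * Matching on the prefix covers popups and callbacks as well as the visible
 * tab, so the restriction does not depend on the tab merely being hidden.
 */
function vsite_users_lockdown_menu_alter(&$items) {
  foreach ($items as $path => $item) {
    if ($path == 'cp/users' || strpos($path, 'cp/users/') === 0) {
      $items[$path]['access callback'] = 'user_access';
      $items[$path]['access arguments'] = array(VSITE_USERS_LOCKDOWN_PERM);
    }
  }
}

/**
 * Implements hook_form_alter(): hide the "Add new" sub-form without editing
 * vsite_users.module. Keying on the element name from the thread avoids
 * guessing the form ID, which the thread does not give.
 */
function vsite_users_lockdown_form_alter(&$form, &$form_state, $form_id) {
  if (isset($form['add_new_user']) && !user_access(VSITE_USERS_LOCKDOWN_PERM)) {
    // #access = FALSE stops the element from rendering, and Form API
    // ignores posted values for it.
    $form['add_new_user']['#access'] = FALSE;
  }
}
```

After enabling the module, run "drush cc all" so the menu router is rebuilt, then request a cp/users path as a non-administrator account to confirm it returns access denied.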
