Forum Discussion

CoenDekker's avatar
CoenDekker
Helper
8 years ago

How can I let moderators grant a specific role to users

Hi,

 

I've got a situation where we want to introduce a new board in the community. This board however, should not be accessed by everyone. We want to solve this by introducing a new role to our community, and add specific access to that role. This is implemented and works fine.

 

Now, we want moderators to be able to grant this role to users (preferably on the profile page). However, the list of roles a moderator can select is obviously smaller than an Administrator. Where can I add the newly created role for Moderators so they can also grant the specific role to other users (and themselves).

 

Thanks in advance,

Coen Dekker

  • DougS's avatar
    DougS
    Khoros Oracle
    8 years ago

    There is no "out of the box" way (that I am aware of) to specify certain roles that moderators can grant while leaving other roles that only administrators can grant -- as far as I know, it's all-or-nothing: either a user can grant any role, or they can grant no roles. If you find that is not the case, and there is in fact a way to specify certain roles that moderators can grant (while leaving other roles that only administrators can grant) please let me know.

     

    Going on the assumption above, you could set up permissions such that only Administrators can assign roles, then write a custom component for the user profile page to do what you want -- it would take a bit of scripting to get it working right. Here is roughly what you might do:

     

    Add a custom component to the user profile page that checks to see if the current user has the Moderator role and not the Administrator role and then renders an html form that contains a hidden form field with the user id of the user whose profile the moderator is viewing, and a select box with the roles you would like Moderators to be able to grant in them (plus potentially a hidden form field that contains a CSRF-prevention ticket/token -- see below). You could make it an ajax form and use a studio endpoint to submit the form to (since it's an ajax form, you won't leave the page), or you could have it submit to the same page (the user profile page) and use a page initialization script to handle the form submit logic. I personally would take the ajax form approach over a page reload and page initialization script.

     

    Your form submit logic (which would either be in a studio endpoint for an ajax form, or possibly in a page initialization script for a page reload) would use restadmin to bypass the permission restrictions that are normally put on Moderators so that the submitted user id can be added to or removed from the submitted role. Since you are bypassing permission restrictions for the call, it is essential that your form submit logic should also check that the current user has the Moderator role, that the role to be granted is in the list of roles moderators are allowed to set, and you might want to implement some kind of ticket/token to prevent CSRF attacks (that could potentially trick a Moderator into assigning a role to a malicious user).

     

    -Doug

  • mhock's avatar
    mhock
    Leader
    6 years ago

    DougS,

    I must have uncovered a bug.  I just provided the ability to add a role to a new role I created.  I am seeing this same issue.  I am seeing a subset of roles.  I want to be able to eliminate some and add others.

    How do I do this?