Forum Discussion
There is no "out of the box" way (that I am aware of) to specify certain roles that moderators can grant while leaving other roles that only administrators can grant -- as far as I know, it's all-or-nothing: either a user can grant any role, or they can grant no roles. If you find that is not the case, and there is in fact a way to specify certain roles that moderators can grant (while leaving other roles that only administrators can grant) please let me know.
Going on the assumption above, you could set up permissions such that only Administrators can assign roles, then write a custom component for the user profile page to do what you want -- it would take a bit of scripting to get it working right. Here is roughly what you might do:
Add a custom component to the user profile page that checks to see if the current user has the Moderator role and not the Administrator role and then renders an HTML form that contains a hidden form field with the user id of the user whose profile the moderator is viewing, and a select box with the roles you would like Moderators to be able to grant in it (plus potentially a hidden form field that contains a CSRF-prevention ticket/token -- see below). You could make it an ajax form and use a studio endpoint to submit the form to (since it's an ajax form, you won't leave the page), or you could have it submit to the same page (the user profile page) and use a page initialization script to handle the form submit logic. I personally would take the ajax form approach over a page reload and page initialization script.
Your form submit logic (which would either be in a studio endpoint for an ajax form, or possibly in a page initialization script for a page reload) would use restadmin to bypass the permission restrictions that are normally put on Moderators so that the submitted user id can be added to or removed from the submitted role. Since you are bypassing permission restrictions for the call, it is essential that your form submit logic should also check that the current user has the Moderator role, that the role to be granted is in the list of roles moderators are allowed to set, and you might want to implement some kind of ticket/token to prevent CSRF attacks (that could potentially trick a Moderator into assigning a role to a malicious user).
-Doug
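The server-side checks described in the post above, as an added example that is not part of the original post and not the platform's own code. It is platform-neutral Python rather than a studio endpoint; the role names, the secret key, and the `privileged_call` callback (standing in for the restadmin call) are assumptions.

```python
import hashlib
import hmac

# Constructed values for illustration; none of these come from the original post.
SECRET_KEY = b"constructed-demo-key"  # server-side secret, never sent to the client
GRANTABLE_BY_MODERATORS = {"Trusted Member", "Event Host"}  # hypothetical role names


def issue_csrf_token(session_id: str) -> str:
    """Token rendered into the hidden form field, bound to the moderator's session."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_role_form(caller_roles, session_id, form, privileged_call):
    """Validate a submitted role form, then run the permission-bypassing call.

    caller_roles and session_id come from the server-side session, never the form.
    privileged_call is a hypothetical stand-in for the platform's elevated API.
    Returns (ok, reason); privileged_call runs only when every check passes.
    """
    # 1. The caller must hold the Moderator role.
    if "Moderator" not in caller_roles:
        return False, "caller is not a moderator"
    # 2. CSRF: constant-time comparison against the token bound to this session.
    expected = issue_csrf_token(session_id).encode()
    supplied = str(form.get("csrf_token", "")).encode()
    if not hmac.compare_digest(expected, supplied):
        return False, "bad csrf token"
    # 3. The role must be on the allow-list, whatever the select box offered.
    role = form.get("role")
    if role not in GRANTABLE_BY_MODERATORS:
        return False, "role not grantable by moderators"
    # 4. Only the two supported actions and a plain numeric target user id.
    action, user_id = form.get("action"), str(form.get("user_id", ""))
    if action not in ("add", "remove") or not (user_id.isascii() and user_id.isdigit()):
        return False, "malformed request"
    privileged_call(action, role, int(user_id))
    return True, "ok"
```

The select box only limits what an honest browser submits, so the allow-list check in step 3 is what actually enforces the restriction.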