You are here

Home » API reference » User protect 5

README.txt in User protect 5

Same filename and directory in other branches
  1. 8 README.txt
  2. 6 README.txt
  3. 7 README.txt
****************************************************
User Protect Module -- README

written by Chad Phillips: thehunmonkgroup at yahoo dot com
****************************************************

This module provides various editing protection for users. The protections can
be specific to a user, or applied to all users in a role. The following protections
are supported:

  -- username
  -- e-mail address
  -- password
  -- status changes
  -- roles
  -- deletion
  -- all edits (any accessed via user/X/edit)

When a protection is enabled for a specified user (or the protection is enabled
because the user belongs to a role that has the protection), it prevents the
editing operation in question that anyone might try to perform on the
user--unless an administrator who is permitted to bypass the protection is
editing the specified user. The module will protect fields by disabling them at
user/X/edit.

User administrators my be configured to bypass specified protections, on either
a global or per-administrator basis.

These protections are valid both when trying to edit the user directly from
their user/X/edit page, or using the mass user editing operations.

The module also provides protection at the paths user/X/edit and user/X/delete,
should anyone try to visit those paths directly.

Note: this module is compatible with the RoleAssign module.

SETTINGS:
At administer -> user management -> userprotect, you'll find the settings for the
module. When the module is initially enabled, the default settings are such:

  -- User administrators bypass all protections.
  -- The root user specifically bypasses all protections.
  -- The anonymous user is specifically protected from all edits.
  -- The root user is specifically protected from all edits.
  -- All role protections are disabled.
  -- The 'change own e-mail' and 'change own password' permissions are enabled for
     authenticated users in the userprotect section at
     administer -> user management -> access control.

This effectively amounts to no protections. It is suggested that you turn off as
many default administrator bypass settings as possible, and set bypass
settings for specific user administrators--this allows you to take advantage
of the status, roles, deletion, and edit protections in a meaningful way. Because
of the per-user bypass/protection settings for the anonymous and root user,
this will also begin protecting those users, without compromising the root
user's access to the entire site.

Important note: In order to protect a user from a deletion by visiting the
user/X/delete directly, you must enable the 'delete' protection specifically.
The 'all account edits' protection only disables the delete button at user/X/edit!

Also note that this module only provides protection against actions via the
website interface--operations that a module takes directly are not protected!
This module should play well with other contributed modules, but there is no
guarantee that all protections will remain intact if you install modules outside
of the drupal core installation.

ADDING PROTECTIONS FOR A SINGLE USER:
This is done at administer -> user management -> userprotect -> protected users.
Any time a user is added for protection, they will initially receive the default
protections enabled at 
administer -> user management -> userprotect -> protection defaults.

ADDING PROTECTIONS FOR ROLES:
This is done at administer -> user management -> userprotect -> protected roles.
Be cautious about adding protections by role, or you can lock out users from
things unintentionally!

In particular, note the if you enable role protections for a specific role, and you
have no bypasses enabled, you've effectively locked out any role editing for
that role by anybody, unless you come back to the settings page and disable
the role protection!

ADDING ADMINISTRATOR BYPASS RULES:
One of the more powerful features of the module are the administrator bypass
settings. Any user that has been granted the 'administer users' permission can
be configured to bypass any protection, either via the default administrator
bypass settings at 
administer -> user management -> userprotect -> protection defaults, or via
a per-administrator setting at 
administer -> user management -> userprotect -> administrator bypass. If a
bypass is enabled for a user administrator, they will be given editing rights on
that protection regardless if it is enabled for a single user or an entire role.

Note that the per-administrator bypass settings override the default bypass
settings.

DEFAULT PROTECTION SETTINGS:
Set the default protections for newly protected users at
administer -> user management -> userprotect -> protection defaults. In
addition, you can enable the auto-protect feature, which will automatically
add the default protections to any newly created user accounts, and set default
bypass options for all user administrators.

HOW THE MODULE DETERMINES A PROTECTION:
In order to properly use User Protect, it's important to understand how the
module determines if a specified field is to be protected. Here is the basic
logic:

  -- If the current user is a user administrator, check if they have per-administrator
     bypass settings. If so, then check to see if they are allowed to bypass the
     protection. If so, then stop the checks and allow editing of the field.

  -- If not, then if the current user is a user administrator, check if the default
     administrator bypass is enabled for the protection in question. If so, then
     stop the checks and allow editing of the field.

  --  If not, check if the user is editing their own account. If so, determine the
      protections for e-mail and password by examining the userprotect permissions
      for 'change own e-mail' and 'change own password', and continue with the rest
      of the checks below.

  -- If not, check if the protection is set for the individual user being edited.
     If so, then stop the checks here, and prevent editing of the field (this
     effectively means that individual protections override role protections).

  -- If not, then examine all the roles for the user being edited. If any of those
     roles have the protection enabled, then prevent editing of the field.

  -  If not, then allow the field to be edited.

Note: If a user is editing their own account, they are never protected from editing
their own username, e-mail, or password. Administrators can still limit the ability
of users to change their username via the role-based permission at
administer -> user management -> access control.

File

README.txt
View source 
  1. 

  2. ****************************************************

  3. User Protect Module -- README

  4. 

  5. written by Chad Phillips: thehunmonkgroup at yahoo dot com

  6. ****************************************************

  7. 

  8. This module provides various editing protection for users. The protections can

  9. be specific to a user, or applied to all users in a role. The following protections

  10. are supported:

  11. 

  12.   -- username

  13.   -- e-mail address

  14.   -- password

  15.   -- status changes

  16.   -- roles

  17.   -- deletion

  18.   -- all edits (any accessed via user/X/edit)

  19. 

  20. When a protection is enabled for a specified user (or the protection is enabled

  21. because the user belongs to a role that has the protection), it prevents the

  22. editing operation in question that anyone might try to perform on the

  23. user--unless an administrator who is permitted to bypass the protection is

  24. editing the specified user. The module will protect fields by disabling them at

  25. user/X/edit.

  26. 

  27. User administrators my be configured to bypass specified protections, on either

  28. a global or per-administrator basis.

  29. 

  30. These protections are valid both when trying to edit the user directly from

  31. their user/X/edit page, or using the mass user editing operations.

  32. 

  33. The module also provides protection at the paths user/X/edit and user/X/delete,

  34. should anyone try to visit those paths directly.

  35. 

  36. Note: this module is compatible with the RoleAssign module.

  37. 

  38. SETTINGS:

  39. At administer -> user management -> userprotect, you'll find the settings for the

  40. module. When the module is initially enabled, the default settings are such:

  41. 

  42.   -- User administrators bypass all protections.

  43.   -- The root user specifically bypasses all protections.

  44.   -- The anonymous user is specifically protected from all edits.

  45.   -- The root user is specifically protected from all edits.

  46.   -- All role protections are disabled.

  47.   -- The 'change own e-mail' and 'change own password' permissions are enabled for

  48.      authenticated users in the userprotect section at

  49.      administer -> user management -> access control.

  50. 

  51. This effectively amounts to no protections. It is suggested that you turn off as

  52. many default administrator bypass settings as possible, and set bypass

  53. settings for specific user administrators--this allows you to take advantage

  54. of the status, roles, deletion, and edit protections in a meaningful way. Because

  55. of the per-user bypass/protection settings for the anonymous and root user,

  56. this will also begin protecting those users, without compromising the root

  57. user's access to the entire site.

  58. 

  59. Important note: In order to protect a user from a deletion by visiting the

  60. user/X/delete directly, you must enable the 'delete' protection specifically.

  61. The 'all account edits' protection only disables the delete button at user/X/edit!

  62. 

  63. Also note that this module only provides protection against actions via the

  64. website interface--operations that a module takes directly are not protected!

  65. This module should play well with other contributed modules, but there is no

  66. guarantee that all protections will remain intact if you install modules outside

  67. of the drupal core installation.

  68. 

  69. ADDING PROTECTIONS FOR A SINGLE USER:

  70. This is done at administer -> user management -> userprotect -> protected users.

  71. Any time a user is added for protection, they will initially receive the default

  72. protections enabled at 

  73. administer -> user management -> userprotect -> protection defaults.

  74. 

  75. ADDING PROTECTIONS FOR ROLES:

  76. This is done at administer -> user management -> userprotect -> protected roles.

  77. Be cautious about adding protections by role, or you can lock out users from

  78. things unintentionally!

  79. 

  80. In particular, note the if you enable role protections for a specific role, and you

  81. have no bypasses enabled, you've effectively locked out any role editing for

  82. that role by anybody, unless you come back to the settings page and disable

  83. the role protection!

  84. 

  85. ADDING ADMINISTRATOR BYPASS RULES:

  86. One of the more powerful features of the module are the administrator bypass

  87. settings. Any user that has been granted the 'administer users' permission can

  88. be configured to bypass any protection, either via the default administrator

  89. bypass settings at 

  90. administer -> user management -> userprotect -> protection defaults, or via

  91. a per-administrator setting at 

  92. administer -> user management -> userprotect -> administrator bypass. If a

  93. bypass is enabled for a user administrator, they will be given editing rights on

  94. that protection regardless if it is enabled for a single user or an entire role.

  95. 

  96. Note that the per-administrator bypass settings override the default bypass

  97. settings.

  98. 

  99. DEFAULT PROTECTION SETTINGS:

  100. Set the default protections for newly protected users at

  101. administer -> user management -> userprotect -> protection defaults. In

  102. addition, you can enable the auto-protect feature, which will automatically

  103. add the default protections to any newly created user accounts, and set default

  104. bypass options for all user administrators.

  105. 

  106. HOW THE MODULE DETERMINES A PROTECTION:

  107. In order to properly use User Protect, it's important to understand how the

  108. module determines if a specified field is to be protected. Here is the basic

  109. logic:

  110. 

  111.   -- If the current user is a user administrator, check if they have per-administrator

  112.      bypass settings. If so, then check to see if they are allowed to bypass the

  113.      protection. If so, then stop the checks and allow editing of the field.

  114. 

  115.   -- If not, then if the current user is a user administrator, check if the default

  116.      administrator bypass is enabled for the protection in question. If so, then

  117.      stop the checks and allow editing of the field.

  118. 

  119.   --  If not, check if the user is editing their own account. If so, determine the

  120.       protections for e-mail and password by examining the userprotect permissions

  121.       for 'change own e-mail' and 'change own password', and continue with the rest

  122.       of the checks below.

  123. 

  124.   -- If not, check if the protection is set for the individual user being edited.

  125.      If so, then stop the checks here, and prevent editing of the field (this

  126.      effectively means that individual protections override role protections).

  127. 

  128.   -- If not, then examine all the roles for the user being edited. If any of those

  129.      roles have the protection enabled, then prevent editing of the field.

  130. 

  131.   -  If not, then allow the field to be edited.

  132. 

  133. Note: If a user is editing their own account, they are never protected from editing

  134. their own username, e-mail, or password. Administrators can still limit the ability

  135. of users to change their username via the role-based permission at

  136. administer -> user management -> access control.