Ticket #3211 (closed Bug: fixed)
Permissions changes to allow non-managers to manage users
Reported by: alecm
Owned by:
It would be nice if it were easier in Plone to grant the ability to manage users to non-managers. Currently this requires either assigning the drastic 'Manage portal' permission or a large amount of customization, primarily because a few specific methods require this seemingly overused permission. As these methods are used exclusively (as far as I can tell) for managing users, it would perhaps be more sensible to have them protected by the 'Manage users' permission, so that granting that permission to a role/group along with the addition of an action leading to the prefs_users_overview template would be all that is necessary to grant a user the ability to manage users. The methods which would need their security declarations modified are:
MembershipTool.getMemberById()
MembershipTool.listMembers()
MembershipTool.listMemberIds()
PloneTool.setMemberProperties()
Making those methods protected by 'Manage users', which by default is assigned only to Manager, would be a great start in increasing the security granularity of Plone. I just noticed that CMF head has already made the first three changes to its MembershipTool, so all that really needs to be done is the last (Plone specific) change. Though it might not be a bad idea to override them all in Plone (temporarily) so that users not running on CMF head (probably all users) can take advantage of the increased granularity. Thanks.
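An added illustration, not part of the ticket or of Plone's code: a simplified Python model of permission-guarded methods that computes what a non-Manager role gains beyond user management under the current and the proposed declarations. The `UserAdmin` role and the two `SiteTool` methods are hypothetical stand-ins, and the model does not use Zope's AccessControl API.

```python
# Simplified model of Zope-style security declarations: each method names the
# permission that guards it, and each permission maps to the roles holding it.
MANAGE_PORTAL = "Manage portal"
MANAGE_USERS = "Manage users"

# The four methods named in the ticket.
USER_METHODS = [
    "MembershipTool.getMemberById",
    "MembershipTool.listMembers",
    "MembershipTool.listMemberIds",
    "PloneTool.setMemberProperties",
]
# Hypothetical stand-ins for unrelated site administration that
# 'Manage portal' also guards; these names are not from the ticket.
OTHER_METHODS = ["SiteTool.editSiteSettings", "SiteTool.installProduct"]

def declarations(user_method_permission):
    """Return method -> guarding permission for one declaration scheme."""
    decl = {m: user_method_permission for m in USER_METHODS}
    decl.update({m: MANAGE_PORTAL for m in OTHER_METHODS})
    return decl

BEFORE = declarations(MANAGE_PORTAL)  # current state described in the ticket
AFTER = declarations(MANAGE_USERS)    # state the ticket proposes

# Default grants: both permissions are held only by Manager.
DEFAULT_GRANTS = {MANAGE_PORTAL: {"Manager"}, MANAGE_USERS: {"Manager"}}

def callable_by(role, decl, grants):
    """Methods a role may call, given permission -> set of roles."""
    return {m for m, perm in decl.items() if role in grants.get(perm, set())}

def minimal_grant(role, needed, decl, base_grants):
    """Add the role to only the permissions guarding the needed methods."""
    grants = {p: set(r) for p, r in base_grants.items()}
    for method in needed:
        grants.setdefault(decl[method], set()).add(role)
    return grants

def excess_privilege(role, needed, decl, base_grants=DEFAULT_GRANTS):
    """Methods the role gains beyond the ones it actually needed."""
    grants = minimal_grant(role, needed, decl, base_grants)
    return callable_by(role, decl, grants) - set(needed)

if __name__ == "__main__":
    for label, decl in (("before", BEFORE), ("after", AFTER)):
        extra = excess_privilege("UserAdmin", USER_METHODS, decl)
        print(label, "excess:", sorted(extra))
```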