modules/role_delegation/role_delegation.module

<?php
// $Id: role_delegation.module,v 1.13 2009/06/29 14:52:33 davidlesieur Exp $

/**
 * @file
 *
 * This module allows site administrators to grant some roles the authority to
 * assign selected roles to users, without them needing the 'administer access
 * control' permission.
 *
 * It provides its own tab in the user profile so that roles can be assigned
 * without needing access to the user edit form.
 */

/**
 * Implementation of hook_help().
 */
function role_delegation_help($section) {
  switch ($section) {
    case 'admin/help#role_delegation':
      return '<p>'. t('This module allows site administrators to grant some roles the authority to assign selected roles to users, without them needing the <em>administer permissions</em> permission.') .'</p><p>'. t('It provides its own tab in the user profile so that roles can be assigned without needing access to the user edit form.') .'</p>';
  }
}

/**
 * Implementation of hook_perm().
 */
function role_delegation_perm() {
  $roles = _role_delegation_roles();
  $perms = array('assign all roles');
  foreach ($roles as $role) {
    $perms[] = _role_delegation_make_perm($role);
  }
  return $perms;
}

/**
 * Implementation of hook_menu().
 */
function role_delegation_menu() {
  global $user;
  $items = array();
  
  $items['user/%user/roles'] = array(
    'title' => 'Roles',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('role_delegation_roles_form', 1),
    'access callback' => 'role_delegation_access',
    'access arguments' => array(1),
    'type' => MENU_LOCAL_TASK,
  );
  return $items;
}

/**
 * Provides a form for assigning roles to the current user.
 */
function role_delegation_roles_form(&$form_state, $account) {
  $form['roles'] = array(
    '#type' => 'fieldset',
    '#title' => t('Roles'),
    '#tree' => TRUE,
  );
  // Provide a separate checkbox for each role but hide those the user has no authority over.
  $roles = _role_delegation_roles();
  $roles_preserve = array('authenticated user');
  foreach ($roles as $rid => $role) {
    if (!(user_access('assign all roles') || user_access(_role_delegation_make_perm($role)) || user_access('administer permissions'))) {
      // Hide roles the user can't assign.
      $form['roles'][$rid] = array(
        '#type' => 'value',
        '#value' => isset($account->roles[$rid]),
      );
      if (isset($account->roles[$rid])) {
        $roles_preserve[] = $role;
      }
    }
    else {
      $form['roles'][$rid] = array(
        '#type' => 'checkbox',
        '#title' => check_plain($role),
        '#default_value' => isset($account->roles[$rid]),
      );
    }
  }
  $form['roles']['#description'] = t('The user receives the combined permissions of the %roles role(s), and all roles selected here. ', array('%roles' => implode(', ', $roles_preserve)));
  $form['account'] = array(
    '#type' => 'value',
    '#value' => $account,
  );
  $form['submit'] = array(
    '#type' => 'submit',
    '#value' => t('Submit'),
  );
  
  drupal_set_title(check_plain($account->name));
  return $form;
}

/**
 * Saves the roles assigned to the account given in the form.
 */
function role_delegation_roles_form_submit($form, &$form_state) {
  if (is_array($form_state['values']['roles']) && isset($form_state['values']['account']->uid)) {
    $account = user_load(array('uid' => (int)$form_state['values']['account']->uid));
    $myroles = array();
    $rolenames = user_roles(TRUE);
    foreach (array_keys(array_filter($form_state['values']['roles'])) as $rid) {
      $myroles[$rid] = $rolenames[$rid]; 
    }
    user_save($account, array('roles' => $myroles));

    // Delete the user's menu cache.
    cache_clear_all($form_state['values']['account']->uid .':', 'cache_menu', TRUE);

    drupal_set_message(t('The roles have been updated.'));
  }
}

/**
 * Access callback for menu hook.
 */
function role_delegation_access($account) {
  // Check access to user profile page.
  if (!user_view_access($account)) {
    return FALSE;
  }
  // Check if they can use the Edit tab instead.
  if (user_edit_access($account)) {
    return FALSE;
  }
  // Check access to role assignment page.
  if (user_access('administer permissions')) {
    return TRUE;
  }
  $perms = role_delegation_perm();
  foreach ($perms as $perm) {
    if (user_access($perm)) {
      return TRUE;
    }
  }

  return FALSE;
}

/**
 * Returns all existing roles, except anonymous and authenticated user.
 */
function _role_delegation_roles() {
  $roles = user_roles(TRUE);
  unset($roles[DRUPAL_AUTHENTICATED_RID]);
  return $roles;
}

/**
 * Returns the delegation permission for a role. Any characters from the role
 * that are not allowed in permission names are filtered out.
 */
function _role_delegation_make_perm($role) {
  // Allow alphanumerics, space, hyphen, underscore.
  $role = preg_replace('/[^a-zA-Z0-9 \\-_]/', '', $role);
  return "assign $role role";
}

/**
 * Implementation of hook_form_alter().
 */
function role_delegation_form_alter(&$form, $form_state, $form_id) {
  // Only alter user form when user can't assign permissions without Role Delegation.
  if ($form_id != 'user_register' && $form_id != 'user_profile_form') {
    return;
  }
  if (user_access('administer permissions')) {
    return;
  }
  // Split up roles based on whether they can be delegated or not.
  $current_roles = (isset($form['#uid']) && $user = user_load(array('uid' => $form['#uid']))) ? $user->roles : array();
  $rids_default = array();
  $rids_preserve = array(DRUPAL_AUTHENTICATED_RID => DRUPAL_AUTHENTICATED_RID);
  $roles_preserve = array('authenticated user');
  $roles_options = array();
  $roles = _role_delegation_roles();
  foreach ($roles as $rid => $role) {
    if (user_access('assign all roles') || user_access(_role_delegation_make_perm($role))) {
      if (array_key_exists($rid, $current_roles)) {
        $rids_default[] = $rid;
      }
      $roles_options[$rid] = $role;
    }
    else {
      if (array_key_exists($rid, $current_roles)) {
        $rids_preserve[$rid] = $rid;
        $roles_preserve[] = $role;
      }
    }
  }
  if (empty($roles_options)) {
    // No role can be assigned.
    return; 
  }
  // Generate the form items.
  $form['roles_preserve'] = array(
    '#type' => 'value',
    '#value' => $rids_preserve,
  );
  $assign_item = array(
    '#type' => 'checkboxes',
    '#title' => t('Roles'),
    '#description' => t('The user receives the combined permissions of the %roles role(s), and all roles selected here. ', array('%roles' => implode(', ', $roles_preserve))),
    '#options' => $roles_options,
    '#default_value' => $rids_default,
  );
  if (isset($form['account'])) {
    $form['account']['roles_assign'] = $assign_item;
  }
  else {
    $form['roles_assign'] = $assign_item;
  }
}

/**
 * Implementation of hook_user().
 */
function role_delegation_user($op, &$edit, &$account, $category = NULL) {
  if ($op != 'insert' && $op != 'submit') {
    return;
  }
  if (!isset($edit['roles_assign'])) {
    return;
  }
  $edit['roles'] = $edit['roles_preserve'] + array_filter($edit['roles_assign']);
}
1	<?php
2	// $Id: role_delegation.module,v 1.13 2009/06/29 14:52:33 davidlesieur Exp $
3
4	/**
5	* @file
6	*
7	* This module allows site administrators to grant some roles the authority to
8	* assign selected roles to users, without them needing the 'administer access
9	* control' permission.
10	*
11	* It provides its own tab in the user profile so that roles can be assigned
12	* without needing access to the user edit form.
13	*/
14
15	/**
16	* Implementation of hook_help().
17	*/
18	function role_delegation_help($section) {
19	switch ($section) {
20	case 'admin/help#role_delegation':
21	return '<p>'. t('This module allows site administrators to grant some roles the authority to assign selected roles to users, without them needing the <em>administer permissions</em> permission.') .'</p><p>'. t('It provides its own tab in the user profile so that roles can be assigned without needing access to the user edit form.') .'</p>';
22	}
23	}
24
25	/**
26	* Implementation of hook_perm().
27	*/
28	function role_delegation_perm() {
29	$roles = _role_delegation_roles();
30	$perms = array('assign all roles');
31	foreach ($roles as $role) {
32	$perms[] = _role_delegation_make_perm($role);
33	}
34	return $perms;
35	}
36
37	/**
38	* Implementation of hook_menu().
39	*/
40	function role_delegation_menu() {
41	global $user;
42	$items = array();
43
44	$items['user/%user/roles'] = array(
45	'title' => 'Roles',
46	'page callback' => 'drupal_get_form',
47	'page arguments' => array('role_delegation_roles_form', 1),
48	'access callback' => 'role_delegation_access',
49	'access arguments' => array(1),
50	'type' => MENU_LOCAL_TASK,
51	);
52	return $items;
53	}
54
55	/**
56	* Provides a form for assigning roles to the current user.
57	*/
58	function role_delegation_roles_form(&$form_state, $account) {
59	$form['roles'] = array(
60	'#type' => 'fieldset',
61	'#title' => t('Roles'),
62	'#tree' => TRUE,
63	);
64	// Provide a separate checkbox for each role but hide those the user has no authority over.
65	$roles = _role_delegation_roles();
66	$roles_preserve = array('authenticated user');
67	foreach ($roles as $rid => $role) {
68	if (!(user_access('assign all roles') \|\| user_access(_role_delegation_make_perm($role)) \|\| user_access('administer permissions'))) {
69	// Hide roles the user can't assign.
70	$form['roles'][$rid] = array(
71	'#type' => 'value',
72	'#value' => isset($account->roles[$rid]),
73	);
74	if (isset($account->roles[$rid])) {
75	$roles_preserve[] = $role;
76	}
77	}
78	else {
79	$form['roles'][$rid] = array(
80	'#type' => 'checkbox',
81	'#title' => check_plain($role),
82	'#default_value' => isset($account->roles[$rid]),
83	);
84	}
85	}
86	$form['roles']['#description'] = t('The user receives the combined permissions of the %roles role(s), and all roles selected here. ', array('%roles' => implode(', ', $roles_preserve)));
87	$form['account'] = array(
88	'#type' => 'value',
89	'#value' => $account,
90	);
91	$form['submit'] = array(
92	'#type' => 'submit',
93	'#value' => t('Submit'),
94	);
95
96	drupal_set_title(check_plain($account->name));
97	return $form;
98	}
99
100	/**
101	* Saves the roles assigned to the account given in the form.
102	*/
103	function role_delegation_roles_form_submit($form, &$form_state) {
104	if (is_array($form_state['values']['roles']) && isset($form_state['values']['account']->uid)) {
105	$account = user_load(array('uid' => (int)$form_state['values']['account']->uid));
106	$myroles = array();
107	$rolenames = user_roles(TRUE);
108	foreach (array_keys(array_filter($form_state['values']['roles'])) as $rid) {
109	$myroles[$rid] = $rolenames[$rid];
110	}
111	user_save($account, array('roles' => $myroles));
112
113	// Delete the user's menu cache.
114	cache_clear_all($form_state['values']['account']->uid .':', 'cache_menu', TRUE);
115
116	drupal_set_message(t('The roles have been updated.'));
117	}
118	}
119
120	/**
121	* Access callback for menu hook.
122	*/
123	function role_delegation_access($account) {
124	// Check access to user profile page.
125	if (!user_view_access($account)) {
126	return FALSE;
127	}
128	// Check if they can use the Edit tab instead.
129	if (user_edit_access($account)) {
130	return FALSE;
131	}
132	// Check access to role assignment page.
133	if (user_access('administer permissions')) {
134	return TRUE;
135	}
136	$perms = role_delegation_perm();
137	foreach ($perms as $perm) {
138	if (user_access($perm)) {
139	return TRUE;
140	}
141	}
142
143	return FALSE;
144	}
145
146	/**
147	* Returns all existing roles, except anonymous and authenticated user.
148	*/
149	function _role_delegation_roles() {
150	$roles = user_roles(TRUE);
151	unset($roles[DRUPAL_AUTHENTICATED_RID]);
152	return $roles;
153	}
154
155	/**
156	* Returns the delegation permission for a role. Any characters from the role
157	* that are not allowed in permission names are filtered out.
158	*/
159	function _role_delegation_make_perm($role) {
160	// Allow alphanumerics, space, hyphen, underscore.
161	$role = preg_replace('/[^a-zA-Z0-9 \\-_]/', '', $role);
162	return "assign $role role";
163	}
164
165	/**
166	* Implementation of hook_form_alter().
167	*/
168	function role_delegation_form_alter(&$form, $form_state, $form_id) {
169	// Only alter user form when user can't assign permissions without Role Delegation.
170	if ($form_id != 'user_register' && $form_id != 'user_profile_form') {
171	return;
172	}
173	if (user_access('administer permissions')) {
174	return;
175	}
176	// Split up roles based on whether they can be delegated or not.
177	$current_roles = (isset($form['#uid']) && $user = user_load(array('uid' => $form['#uid']))) ? $user->roles : array();
178	$rids_default = array();
179	$rids_preserve = array(DRUPAL_AUTHENTICATED_RID => DRUPAL_AUTHENTICATED_RID);
180	$roles_preserve = array('authenticated user');
181	$roles_options = array();
182	$roles = _role_delegation_roles();
183	foreach ($roles as $rid => $role) {
184	if (user_access('assign all roles') \|\| user_access(_role_delegation_make_perm($role))) {
185	if (array_key_exists($rid, $current_roles)) {
186	$rids_default[] = $rid;
187	}
188	$roles_options[$rid] = $role;
189	}
190	else {
191	if (array_key_exists($rid, $current_roles)) {
192	$rids_preserve[$rid] = $rid;
193	$roles_preserve[] = $role;
194	}
195	}
196	}
197	if (empty($roles_options)) {
198	// No role can be assigned.
199	return;
200	}
201	// Generate the form items.
202	$form['roles_preserve'] = array(
203	'#type' => 'value',
204	'#value' => $rids_preserve,
205	);
206	$assign_item = array(
207	'#type' => 'checkboxes',
208	'#title' => t('Roles'),
209	'#description' => t('The user receives the combined permissions of the %roles role(s), and all roles selected here. ', array('%roles' => implode(', ', $roles_preserve))),
210	'#options' => $roles_options,
211	'#default_value' => $rids_default,
212	);
213	if (isset($form['account'])) {
214	$form['account']['roles_assign'] = $assign_item;
215	}
216	else {
217	$form['roles_assign'] = $assign_item;
218	}
219	}
220
221	/**
222	* Implementation of hook_user().
223	*/
224	function role_delegation_user($op, &$edit, &$account, $category = NULL) {
225	if ($op != 'insert' && $op != 'submit') {
226	return;
227	}
228	if (!isset($edit['roles_assign'])) {
229	return;
230	}
231	$edit['roles'] = $edit['roles_preserve'] + array_filter($edit['roles_assign']);
232	}