Pete Posted March 14, 2016

Hi guys

Here's an interesting one - on a site I have 3 custom roles: staff, customer, administrator

Now administrator isn't the same as superuser, but they have been given permission to add and edit users via the "user-admin" role. Obviously they can't make themselves or anyone else a superuser - that role is hidden from them by ProcessWire already. You also can't edit superusers unless you are one yourself.

What I want to do though is when they edit a user, hide "administrator" as an option for them so they can only add/edit "staff" and "customer" accounts, but there doesn't seem to be anything built-in to allow this.

Does anyone know how I would go about that or if I'm just missing a hidden permission called something like "protected role"? Something like that permission could make it so that a user with that certain role can only be assigned that role or edited by a superuser.

horst Posted March 14, 2016

In permissions, I see: user-admin-all, user-admin-staff, user-admin-customer, user-admin-administrator.

Have you tried to only give the administrator role permissions for user-admin-staff and user-admin-customer? I think you have, or not?

If so, they will see in a user edit page the role of administrator too, but they cannot select/change them, like with the guest role. If one tries to select / change the role, a red warning is displayed: (You may not change this role).

Or do you ask how to hide those roles?

Pete Posted March 15, 2016 Author

How do you see those extra permissions, or do you need to add them manually?

LostKobrakai Posted March 15, 2016

https://processwire.com/api/user-access/permissions/#user-admin-permissions

Pete Posted March 15, 2016 Author

Ah, sweet! So that was added not long ago then, like Ryan once again knew I'd need this soon (get out of my head!).

LostKobrakai Posted March 15, 2016

It was actually requested here in the forums iirc.

cstevensjr Posted March 15, 2016

I actually think ProcessWire now has some of the best and most varied levels of permissions that I have seen in years. Between ryan (updating ProcessWire) and adrian (creating his many permission modules) I have been very busy working on projects.

kiennguyen1101 Posted March 23, 2016

Hi guys,

I set up "staff" so that they have user-admin-customer permission, edit "customer" profile permission, however I do not want "staff" to add new users in the backend. How do I achieve this?

horst Posted March 23, 2016

For what do they have the permission user-admin-customer?

kiennguyen1101 Posted March 23, 2016

> For what do they have the permission user-admin-customer?

My case is pretty similar to that of Pete, however I don't want users with "staff" role to add new users since "user-admin" permission allows all roles with that permission to add new users, even though these users could only be of "guest" role.

horst Posted March 23, 2016

You may look here: https://processwire.com/talk/topic/7850-user-admin-rolesthat-can-only-add-new-users-with-certain-roles/

You will need to hook into before page::save and check if it should be a new user page, and if yes, if the current user has the right permissions or role.

kiennguyen1101 Posted March 24, 2016

Here are some of my findings in case anyone needs them:

```php
// register the hooks (e.g. in the module's init() method)
// hook to before page add render and prevent execution if necessary
$this->addHookBefore('ProcessPageAdd::execute', $this, 'hookUserAdd');
// hide add button in the backend menu
$this->addHookAfter('ProcessUser::executeNavJSON', $this, 'hideUserMenu');

public function hideUserMenu($event) {
    // we don't want to modify links for super user
    if ($this->user->isSuperuser()) return;

    // ajax only
    if ($this->config->ajax) {
        $options = json_decode($event->return, true);
        // drop the "add" entry from the navigation JSON
        unset($options['add']);
        foreach ($options['list'] as $key => $value) {
            // check and unset if necessary
        }
        $event->return = json_encode($options);
    }
}

public function hookUserAdd($event) {
    if (!$this->user->isSuperuser()) {
        // skip the original ProcessPageAdd::execute and show an error instead
        $event->replace = true;
        $this->error('You do not have permission');
        return;
    }
}
```

That is because I still want "staff" role to use page-lister permission. Hooking to ProcessPageLister is much harder and requires regex to hide the "Add new" buttons.

Also, to modify the result returned from the selector, you can add a hook to the getSelector function (this is undocumented in Captain Hook):

```php
$this->addHookAfter('ProcessPageLister::getSelector', $this, 'hookPageListerSelector');
```

For better security, add a hook to Pages::save (similar to ProcessPageAdd) to deny saving a new user.

horst Posted March 24, 2016

@kiennguyen1101: Very good findings! Looks good. And thanks for sharing!
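
The save-level check suggested in the posts above (hook before Pages::save, detect a new user page, check the current user), as an added example that is not code from the thread or from ProcessWire itself. The module name UserAddGuard, the log name and the message text are assumptions; unlike the UI hooks, this check also covers saves that never pass through ProcessPageAdd.

```php
<?php
// Added example: hypothetical autoload module, not from the thread or the core.
// On ProcessWire 3.x, add "namespace ProcessWire;" above the class.
class UserAddGuard extends WireData implements Module {

    public static function getModuleInfo() {
        return array(
            'title' => 'User Add Guard (example)',
            'version' => 1,
            'summary' => 'Denies creation of user pages by non-superusers at save time.',
            'autoload' => true,
        );
    }

    public function init() {
        // Pages::save is the common path for admin UI saves and API saves alike,
        // so hiding the "Add new" button is no longer the only barrier.
        $this->addHookBefore('Pages::save', $this, 'denyNewUserSave');
    }

    public function denyNewUserSave(HookEvent $event) {
        $page = $event->arguments(0);

        // Only user pages are of interest.
        if(!$page instanceof User) return;

        // Existing users stay governed by the user-admin-[role] permissions.
        if(!$page->isNew()) return;

        // Resolve the current user at save time, not at init() time.
        $current = $this->wire('user');
        if($current->isSuperuser()) return;

        // Record the denied attempt, then abort the save.
        $this->wire('log')->save(
            'user-add-guard', // assumed log name
            "Blocked creation of user '{$page->name}' by '{$current->name}'"
        );
        throw new WireException('You do not have permission to add users');
    }
}
```

As written, this also blocks front-end self-registration that creates users while running as guest; a site that has such a flow needs an explicit exception for it.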