Posted

Hi guys

Here's an interesting one - on a site I have 3 custom roles: staff, customer, administrator

Now administrator isn't the same as superuser, but they have been given permission to add and edit users via the "user-admin" role. Obviously they can't make themselves or anyone else a superuser - that role is hidden from them by ProcessWire already. You also can't edit superusers unless you are one yourself.

What I want to do though is when they edit a user, hide "administrator" as an option for them so they can only add/edit "staff" and "customer" accounts, but there doesn't seem to be anything built-in to allow this. Does anyone know how I would go about that or if I'm just missing a hidden permission called something like "protected role"? Something like that permission could make it so that a user with that certain role can only be assigned that role or edited by a superuser.

Posted

In permissions, I see: user-admin-all, user-admin-staff, user-admin-customer, user-admin-administrator.

Have you tried to only give the administrator role permissions for user-admin-staff and user-admin-customer? I think you have, or not?

If so, they will see in a user edit page the role of administrator too, but they cannot select/change them, like with the guest role.

If one tries to select/change the role, a red warning is displayed: (You may not change this role).

Or do you ask how to hide those roles?

  • Like 4
Posted

How do you see those extra permissions, or do you need to add them manually?

Posted

Ah, sweet! So that was added not long ago then, like Ryan once again knew I'd need this soon (get out of my head! :D).

  • Like 3
Posted

I actually think ProcessWire now has some of the best and most varied levels of permissions that I have seen in years. Between ryan (updating ProcessWire) and adrian (creating his many permission modules) I have been very busy working on projects.

  • 2 weeks later...
Posted

Hi guys, I set up "staff" so that they have user-admin-customer permission, edit "customer" profile permission, however I do not want "staff" to add new users in the backend. How do I achieve this?

Posted

For what do they have the permission user-admin-customer?

My case is pretty similar to that of Pete, however I don't want users with "staff" role to add new users since "user-admin" permission allows all roles with that permission to add new users, even though these users could only be of "guest" role.

Posted

Here are some of my findings in case anyone needs it:

// register both hooks from inside the module class (for example in its init() method)

// hook before the page add screen renders and prevent execution if necessary
$this->addHookBefore('ProcessPageAdd::execute', $this, 'hookUserAdd');

// hide the add button in the backend menu
$this->addHookAfter('ProcessUser::executeNavJSON', $this, 'hideUserMenu');

public function hideUserMenu($event) {
    // we don't want to modify links for the superuser
    if ($this->user->isSuperuser()) return;
    // ajax only
    if ($this->config->ajax) {
        $options = json_decode($event->return, true);
        // leave the response untouched if it is not the expected JSON object
        if (!is_array($options)) return;
        unset($options['add']);
        if (isset($options['list']) && is_array($options['list'])) {
            foreach ($options['list'] as $key => $value) {
                // check and unset if necessary
            }
        }
        $event->return = json_encode($options);
    }
}

public function hookUserAdd($event) {
    if (!$this->user->isSuperuser()) {
        // skip the original execute() and show an error instead
        $event->replace = true;
        $this->error('You do not have permission');
        return;
    }
}

That is because I still want "staff" role to use page-lister permission. Hooking to ProcessPageLister is much harder and requires regex to hide the "Add new" buttons. Also, to modify the result returned from the selector, you can add a hook to the getSelector function (this is undocumented in Captain Hook)

$this->addHookAfter('ProcessPageLister::getSelector', $this, 'hookPageListerSelector');

For better security, add a hook to Pages::save (similar to ProcessPageAdd) to deny saving a new user.

  • Like 5
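
The Pages::save hook suggested in the last post, sketched as an added example (not code from the thread or from ProcessWire itself). It assumes ProcessWire 3.x, placement in site/ready.php, and a hypothetical custom permission named "user-add" that you create yourself and grant only to roles allowed to create accounts.

```php
<?php namespace ProcessWire;

// Added example for site/ready.php; not part of the original thread.
// "user-add" is a hypothetical permission name: create it by hand and
// assign it only to roles that should be able to create user accounts.
$wire->addHookBefore('Pages::save', function(HookEvent $event) {
    $page = $event->arguments(0);

    // Only guard user pages that do not exist in the database yet.
    // Edits to existing users stay governed by the user-admin-* permissions.
    if(!$page instanceof User || !$page->isNew()) return;

    $current = $event->wire('user');
    if($current->isSuperuser() || $current->hasPermission('user-add')) return;

    // Throwing here aborts the save regardless of which admin screen,
    // AJAX request or API call triggered it. Hiding the "Add new" button
    // or menu entry only changes what is displayed, not what is allowed.
    throw new WireException('You do not have permission to add users');
});
```

Because the check runs on every save, code that creates users while running as the guest user (a front-end registration form, for instance) is rejected as well and needs its own exemption.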
