User-Admin Role - Restrict Roles


Pete
Hi guys

Here's an interesting one - on a site I have 3 custom roles: staff, customer, administrator

Now administrator isn't the same as superuser, but they have been given permission to add and edit users via the "user-admin" role. Obviously they can't make themselves or anyone else a superuser - that role is hidden from them by ProcessWire already. You also can't edit superusers unless you are one yourself.

What I want to do though is when they edit a user, hide "administrator" as an option for them so they can only add/edit "staff" and "customer" accounts, but there doesn't seem to be anything built-in to allow this. Does anyone know how I would go about that or if I'm just missing a hidden permission called something like "protected role"? Something like that permission could make it so that a user with that certain role can only be assigned that role or edited by a superuser.


In permissions, I see: user-admin-all, user-admin-staff, user-admin-customer, user-admin-administrator.

Have you tried giving the administrator role permissions only for user-admin-staff and user-admin-customer? I think you have, or not?

If so, they will see the role of administrator on a user edit page too, but they cannot select/change it, like with the guest role.

If one tries to select/change the role, a red warning is displayed: (You may not change this role).

Or are you asking how to hide those roles?

  • Like 4

I actually think ProcessWire now has some of the best and most varied levels of permissions that I have seen in years. Between ryan (updating ProcessWire) and adrian (creating his many permission modules) I have been very busy working on projects.


  • 2 weeks later...

For what do they have the permission user-admin-customer?

My case is pretty similar to Pete's; however, I don't want users with the "staff" role to add new users, since the "user-admin" permission allows all roles with that permission to add new users, even though these users could only be of the "guest" role.


Here are some of my findings in case anyone needs them:

// In the module's init(): hook before the page-add screen renders and prevent execution if necessary
$this->addHookBefore('ProcessPageAdd::execute', $this, 'hookUserAdd');

// In the module's init(): hide the add button in the backend menu
$this->addHookAfter('ProcessUser::executeNavJSON', $this, 'hideUserMenu');

// Hook methods of the same module class
public function hideUserMenu($event) {
    // we don't want to modify links for the superuser
    if ($this->user->isSuperuser()) return;
    // ajax only
    if ($this->config->ajax) {
        $options = json_decode($event->return, true);
        // nothing to filter if the response did not decode to an array
        if (!is_array($options)) return;
        unset($options['add']);
        foreach ($options['list'] as $key => $value) {
            // check and unset if necessary
        }
        $event->return = json_encode($options);
    }
}

public function hookUserAdd($event) {
    if (!$this->user->isSuperuser()) {
        // skip ProcessPageAdd::execute entirely and show an error instead
        $event->replace = true;
        $this->error('You do not have permission');
        return;
    }
}

That is because I still want the "staff" role to use the page-lister permission. Hooking to ProcessPageLister is much harder and requires regex to hide the "Add new" buttons. Also, to modify the result returned from the selector, you can add a hook to the getSelector function (this is undocumented in Captain Hook).

$this->addHookAfter('ProcessPageLister::getSelector', $this, 'hookPageListerSelector');

For better security, add a hook to Pages::save (similar to ProcessPageAdd) to deny saving a new user.

  • Like 5
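
An added example, not part of the original posts or ProcessWire's own code: one way to write the Pages::save hook suggested in the last post, extended to the "protected role" idea from the first post. It assumes ProcessWire 3.x and a role named "administrator"; the module name UserSaveGuard and its constant are hypothetical.

```php
<?php namespace ProcessWire;

/**
 * Added example, not from the thread. Server-side guard on user saves, so the
 * restriction holds even when a UI-level hook (menu, add screen) is bypassed.
 * Assumptions: ProcessWire 3.x, a role named "administrator".
 */
class UserSaveGuard extends WireData implements Module {

    /** Role that only superusers may assign or edit (assumed name) */
    const protectedRole = 'administrator';

    public static function getModuleInfo() {
        return array(
            'title' => 'User Save Guard',
            'version' => 1,
            'autoload' => true, // attach the hook on every request
        );
    }

    public function init() {
        $this->addHookBefore('Pages::save', $this, 'guardUserSave');
    }

    public function guardUserSave(HookEvent $event) {
        $page = $event->arguments(0);
        if(!$page instanceof User) return;      // only user pages are guarded

        $current = $this->wire('user');
        if($current->isSuperuser()) return;     // superusers are unrestricted

        $reason = '';
        if($page->isNew()) {
            // the case from the last post: no new users from non-superusers
            $reason = 'create users';
        } else if($page->hasRole(self::protectedRole) && $page->id != $current->id) {
            // hasRole() sees the in-memory roles, so a pending assignment counts
            $reason = 'edit or assign the ' . self::protectedRole . ' role';
        }
        if($reason === '') return;

        $event->replace = true;   // skip the real Pages::save()
        $event->return = false;   // callers see a failed save
        $this->error("You do not have permission to $reason");
    }
}
```

The hook also fires for API-driven saves, such as front-end registration code running as guest, so those paths need their own exemption if they must create users. It does not catch a non-superuser removing the protected role from another account, because the check reads the roles as they are about to be saved.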