Sergio

User with "user-admin-all" can't make another user an "editor"


I have this "editor" role, that has the "user-admin-all" permission.

I tried several times, with different sets of permissions, but I can't make a user with this role able to make another user an "editor" too. PW disables the "editor" checkbox. I read the documentation 3 times, to the point that my eyes cannot see what I'm missing anymore. :)

Any clues?


I've never tried this before, but quickly browsing the documentation at https://processwire.com/blog/posts/new-user-admin-permissions-automatic-version-change-detection-and-more-2.6.10/#new-user-admin-permissions leads me to ask you the following:

Stupid questions...

  • Did you give the "editor" role the "user-admin" and "user-admin-editor" permission?

It would probably be better to create a new dedicated role "editor-managers" and assign the "user-admin-editor" and "user-admin" permissions instead of trying to have the editor role do this all?

41 minutes ago, gmclelland said:

Stupid questions...

  • Did you give the "editor" role the "user-admin" and "user-admin-editor" permission?

Yep, to add "user-admin-all" you must have "user-admin" checked. :) And I tried adding "user-admin-editor" to see what happens, but this is just a more granular control than "user-admin-all".

I followed your tip and created a "user-manager" role, and added to it the user-admin and user-admin-all permissions. I also removed them from the editor role. Now, the user with the "editor" role can promote another user to the "editor" role, but cannot promote to the "user-manager" role. The thing is, as I see it, a user with "user-admin" permissions cannot promote another user to his/her same role level. This appears odd.


I just came across this also. I think that even though this is clearly intentional: 
https://github.com/processwire/processwire/blob/bafe3d4a1289f6d225c657c4206c27c7a27a5b14/wire/modules/Process/ProcessUser/ProcessUser.module#L211

it is problematic if you want to give a user the ability to create other users with the ability to also create users.

I think this should be a Github issue - anyone else have any thoughts?

If you need a quick fix, you could comment out the line shown above.


Thanks Adrian!

I can understand the decision about it. The problem is that it is not clear. If you add a permission "user-admin-all" you expect that the user will be able to add to all users any roles BUT the superuser's. :) That's why I got confused.

10 hours ago, Sergio said:

Thanks Adrian!

I can understand the decision about it. The problem is that it is not clear. If you add a permission "user-admin-all" you expect that the user will be able to add to all users any roles BUT the superuser's. :) That's why I got confused.

Yeah, the "user-admin-all" is very strangely named I think:

https://processwire.com/api/user-access/permissions/#user-admin-permissions

The description says that it reduces the user's rights to guest users only and then you build up from there with the user-admin-[role] option.

All that said, I still think we need a way to let a user with some user-admin permission create another user also with this ability. Otherwise you can't let a client handle the creation of new users in their organization who can also do user management.

 

1 hour ago, adrian said:

All that said, I still think we need a way to let a user with some user-admin permission create another user also with this ability. Otherwise you can't let a client handle the creation of new users in their organization who can also do user management.

Fully agree! 
