Jump to content
Sergio

User with "user-admin-all" can't make another user an "editor"

Recommended Posts

I have this "editor" role, that has the "user-admin-all" permission.

I tried several times, doing different things sets of permissions, but I can't make a user with this role being able to make another user an "editor" too. PW disables the "editor" checkbox. I read the documentation 3 times that my eyes cannot see what I'm missing anymore. :)

Any clues?

Share this post


Link to post
Share on other sites

I've never tried this before, but quickly browsing the documentation at https://processwire.com/blog/posts/new-user-admin-permissions-automatic-version-change-detection-and-more-2.6.10/#new-user-admin-permissions leads me to ask you the following:

Stupid questions...

  • Did you give the "editor" role the "user-admin" and "user-admin-editor" permission?

It would probably be better to create a new dedicated role "editor-managers" and assign the "user-admin-editor" and "user-admin" permissions instead of trying to have the editor role do this all?

Share this post


Link to post
Share on other sites
41 minutes ago, gmclelland said:

Stupid questions...

  • Did you give the "editor" role the "user-admin" and "user-admin-editor" permission?

Yep, to add "user-admin-all" you must have "user-admin" checked. :) And I tried adding "user-admin-editor" to see what happens, but this is just a more granular control than "user-admin-all".

I followed your tip and created a "user-manager" role, and added to it the user-admin and user-admin-all permissions. Also removed them from the editor role. Now, the user with "editor" role can promote another user to the "editor" role, but cannot promote to "user-manager" role. The thing is, as I see, a user with "user-admin" permissions cannot promote another user to his/her same role level. This appears odd. 

Share this post


Link to post
Share on other sites

I just came across this also. I think that even though this is clearly intentional: 
https://github.com/processwire/processwire/blob/bafe3d4a1289f6d225c657c4206c27c7a27a5b14/wire/modules/Process/ProcessUser/ProcessUser.module#L211

it is problematic if you want to give a user the ability to create other users with the ability to also create users.

I think this should be a Github issue - anyone else have any thoughts?

If you need a quick fix, you could comment out the line shown above.

  • Like 1

Share this post


Link to post
Share on other sites

Thanks Adrian!

I can understand the decision about it. The problem is that is not clear. If you add a permission "user-admin-all" you expect that the user will be able to add to all users any roles BUT the superuser's. :) That's why I got confused.

  • Like 1

Share this post


Link to post
Share on other sites
10 hours ago, Sergio said:

Thanks Adrian!

I can understand the decision about it. The problem is that is not clear. If you add a permission "user-admin-all" you expect that the user will be able to add to all users any roles BUT the superuser's. :) That's why I got confused.

Yeah, the "user-admin-all" is very strangely named I think:

https://processwire.com/api/user-access/permissions/#user-admin-permissions

The description says that it reduces the user's rights to guest users only and then you build up from there with the user-admin-[role] option.

All that said, I still think we need a way to let a user with some user-admin permission create another user also with this ability. Otherwise you can't let a client handle the creation of new users in their organization who can also do user management.

 

  • Like 1

Share this post


Link to post
Share on other sites
1 hour ago, adrian said:

All that said, I still think we need a way to let a user with some user-admin permission create another user also with this ability. Otherwise you can't let a client handle the creation of new users in their organization who can also do user management.

Fully agree! 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By Kiwi Chris
      I have a role that has page edit, view, and clone permissions on a specific template.
      If a page using the template is locked by a user in a role with lock/unlock permissions on the template , the only button alongside it in the page tree is view, for users who don't have lock/unlock permissions.
      If however, I also give the role page-lock permission on the template, they then get additional buttons, edit, copy, and unlock.
      I don't actually want to give this role unlock permissions, but I do want the copy (clone) button to display alongside the page in the page tree.
      Elsewhere, I've discussed how I've worked out how to create a hook to unlock the copy, but I want to keep the original page so a user without lock permissions can't unlock from the page tree it to make changes.
      Question: What method should I hook into to intercept any attempt to change the lock status?
    • By AndZyk
      Hello,
      this maybe a simple question, but it bothers me for a while now:
      There used to be a warning, if two or more user try to edit the same page. But ever since AdminThemeUIkit I haven't seen it any more.
      Is this a bug or are there special circumstances under which the warning will be displayed?
      If I am logged-in in the same browser with one default and one privat window, I don't see this warning. But also different browsers on different machines in the same network don't see this warning.
      I was looking for the blog post on which this feature was announced, but couldn't find it anymore.
      We had the case, that two people were writing a text for the same page, but after person A saved the page first, the text of the person B was lost. I know we could have used ProDrafts for this case, but it shouldn't happen in the first place.
      I would appreciate some feedback. 😀
      Regards, Andreas
    • By pwFoo
      Hi,
      I try to add page-edit-own and page-delete-own permissions, but it's strange...
      If a add the custom permissions it looks like both are children of page-edit respectively page-delete. I played with added / revoked permissions, but I can't get it work, that a user of a role just can delete own content.
      First the user can't delete any content and now the user can delete own and foreign pages 🤪
      Is there a tutorial to learn more about the PW permissions?
      Or do I have to rename the permissions to page-own-edit and page-own-delete to be independent from page-edit and page-delete?
    • By SwimToWin
      I have a website that allows users to create their personal "website" (a page with sub-pages).
      Users shall be able to:
      Log in (frontend and/or admin), Edit "their" page(s) - I am using the "Page Edit Per User"-module (https://modules.processwire.com/modules/page-edit-per-user/) to grant access to the relevant pages Create child pages - possible? Users shall not be able to see other pages in the admin interface - "Admin Restrict Page Tree" may do the trick (https://modules.processwire.com/modules/admin-restrict-page-tree/)? Frontend editing shall be possible - I am considering "Fredi" (https://modules.processwire.com/modules/fredi/) for this. The challenge is that it takes a lot of modules and configuration.
      Is there a way to set this up that doesn't require a lot of configuration for each new user?
    • By benbyf
      not sure why but PW adds any uploads as permissions 600 (e.g. images wont load after upload unless i go in with the same server user and change permissions to 755 or similar). This ever happened to any one else?
×
×
  • Create New...