Jump to content

User with "user-admin-all" can't make another user an "editor"


Sergio
 Share

Recommended Posts

I have this "editor" role, that has the "user-admin-all" permission.

I tried several times, doing different things sets of permissions, but I can't make a user with this role being able to make another user an "editor" too. PW disables the "editor" checkbox. I read the documentation 3 times that my eyes cannot see what I'm missing anymore. :)

Any clues?

Link to comment
Share on other sites

  • Sergio changed the title to User with "user-admin-all" can't make another user an "editor"

I've never tried this before, but quickly browsing the documentation at https://processwire.com/blog/posts/new-user-admin-permissions-automatic-version-change-detection-and-more-2.6.10/#new-user-admin-permissions leads me to ask you the following:

Stupid questions...

  • Did you give the "editor" role the "user-admin" and "user-admin-editor" permission?

It would probably be better to create a new dedicated role "editor-managers" and assign the "user-admin-editor" and "user-admin" permissions instead of trying to have the editor role do this all?

Link to comment
Share on other sites

41 minutes ago, gmclelland said:

Stupid questions...

  • Did you give the "editor" role the "user-admin" and "user-admin-editor" permission?

Yep, to add "user-admin-all" you must have "user-admin" checked. :) And I tried adding "user-admin-editor" to see what happens, but this is just a more granular control than "user-admin-all".

I followed your tip and created a "user-manager" role, and added to it the user-admin and user-admin-all permissions. Also removed them from the editor role. Now, the user with "editor" role can promote another user to the "editor" role, but cannot promote to "user-manager" role. The thing is, as I see, a user with "user-admin" permissions cannot promote another user to his/her same role level. This appears odd. 

Link to comment
Share on other sites

I just came across this also. I think that even though this is clearly intentional: 
https://github.com/processwire/processwire/blob/bafe3d4a1289f6d225c657c4206c27c7a27a5b14/wire/modules/Process/ProcessUser/ProcessUser.module#L211

it is problematic if you want to give a user the ability to create other users with the ability to also create users.

I think this should be a Github issue - anyone else have any thoughts?

If you need a quick fix, you could comment out the line shown above.

  • Like 1
Link to comment
Share on other sites

Thanks Adrian!

I can understand the decision about it. The problem is that is not clear. If you add a permission "user-admin-all" you expect that the user will be able to add to all users any roles BUT the superuser's. :) That's why I got confused.

  • Like 1
Link to comment
Share on other sites

10 hours ago, Sergio said:

Thanks Adrian!

I can understand the decision about it. The problem is that is not clear. If you add a permission "user-admin-all" you expect that the user will be able to add to all users any roles BUT the superuser's. :) That's why I got confused.

Yeah, the "user-admin-all" is very strangely named I think:

https://processwire.com/api/user-access/permissions/#user-admin-permissions

The description says that it reduces the user's rights to guest users only and then you build up from there with the user-admin-[role] option.

All that said, I still think we need a way to let a user with some user-admin permission create another user also with this ability. Otherwise you can't let a client handle the creation of new users in their organization who can also do user management.

 

  • Like 1
Link to comment
Share on other sites

1 hour ago, adrian said:

All that said, I still think we need a way to let a user with some user-admin permission create another user also with this ability. Otherwise you can't let a client handle the creation of new users in their organization who can also do user management.

Fully agree! 

Link to comment
Share on other sites

  • 4 weeks later...
  • 3 years later...

Got hit by this as well.

I'm having role "admin" for managing the website (aka webmaster role)

I want the users of group "admin" to be able to create other users with role "admin", but the role is blocked:

oEP5GEY.png

--> you are not allowed to change this role

I've also tried to add an "user-admin-admin" permission and assign that to the "admin" role. Nothing.

How do you handle that? Am I missing something?

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...