Jump to content

User with "user-admin-all" can't make another user an "editor"


Sergio
 Share

Recommended Posts

I have this "editor" role, that has the "user-admin-all" permission.

I tried several times, doing different things sets of permissions, but I can't make a user with this role being able to make another user an "editor" too. PW disables the "editor" checkbox. I read the documentation 3 times that my eyes cannot see what I'm missing anymore. :)

Any clues?

Link to comment
Share on other sites

  • Sergio changed the title to User with "user-admin-all" can't make another user an "editor"

I've never tried this before, but quickly browsing the documentation at https://processwire.com/blog/posts/new-user-admin-permissions-automatic-version-change-detection-and-more-2.6.10/#new-user-admin-permissions leads me to ask you the following:

Stupid questions...

  • Did you give the "editor" role the "user-admin" and "user-admin-editor" permission?

It would probably be better to create a new dedicated role "editor-managers" and assign the "user-admin-editor" and "user-admin" permissions instead of trying to have the editor role do this all?

Link to comment
Share on other sites

41 minutes ago, gmclelland said:

Stupid questions...

  • Did you give the "editor" role the "user-admin" and "user-admin-editor" permission?

Yep, to add "user-admin-all" you must have "user-admin" checked. :) And I tried adding "user-admin-editor" to see what happens, but this is just a more granular control than "user-admin-all".

I followed your tip and created a "user-manager" role, and added to it the user-admin and user-admin-all permissions. Also removed them from the editor role. Now, the user with "editor" role can promote another user to the "editor" role, but cannot promote to "user-manager" role. The thing is, as I see, a user with "user-admin" permissions cannot promote another user to his/her same role level. This appears odd. 

Link to comment
Share on other sites

I just came across this also. I think that even though this is clearly intentional: 
https://github.com/processwire/processwire/blob/bafe3d4a1289f6d225c657c4206c27c7a27a5b14/wire/modules/Process/ProcessUser/ProcessUser.module#L211

it is problematic if you want to give a user the ability to create other users with the ability to also create users.

I think this should be a Github issue - anyone else have any thoughts?

If you need a quick fix, you could comment out the line shown above.

  • Like 1
Link to comment
Share on other sites

Thanks Adrian!

I can understand the decision about it. The problem is that is not clear. If you add a permission "user-admin-all" you expect that the user will be able to add to all users any roles BUT the superuser's. :) That's why I got confused.

  • Like 1
Link to comment
Share on other sites

10 hours ago, Sergio said:

Thanks Adrian!

I can understand the decision about it. The problem is that is not clear. If you add a permission "user-admin-all" you expect that the user will be able to add to all users any roles BUT the superuser's. :) That's why I got confused.

Yeah, the "user-admin-all" is very strangely named I think:

https://processwire.com/api/user-access/permissions/#user-admin-permissions

The description says that it reduces the user's rights to guest users only and then you build up from there with the user-admin-[role] option.

All that said, I still think we need a way to let a user with some user-admin permission create another user also with this ability. Otherwise you can't let a client handle the creation of new users in their organization who can also do user management.

 

  • Like 1
Link to comment
Share on other sites

1 hour ago, adrian said:

All that said, I still think we need a way to let a user with some user-admin permission create another user also with this ability. Otherwise you can't let a client handle the creation of new users in their organization who can also do user management.

Fully agree! 

Link to comment
Share on other sites

  • 4 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By prestoav
      Hi all,
      I've noticed that, when creating new users for clients, the chosen admin theme is not saved. For example, I create a new user select Reno or UIKit as the theme at point of creation and save. When logging in that user for the first time the admin theme is back to default. Changing it again and saving corrects this.

      Anyone else noticed this or is it a known bug at the moment?

      CMS V 3.0.156.

      Thanks!
    • By jonatan
      "Permission “page-sort” for template “ ... ” not allowed (requires “page-edit” permission)"

      – This lovely error message is thrown at me, if, as implied by it, I try to add (to my "editor" role) the permission "page-sort" for a specific template, without the permission "page-edit" enabled for the same template.
      Seems like it's been mentioned a few times before but never properly answered, by e.g. @Robin S ... :  
      "Allow the granting of page-sort permission independent of page-edit": https://github.com/processwire/processwire-requests/issues/29
       
       
       


      Why do I wanna do this?:

      I have a page tree structure  🌳  as so:

      ________________________

      Category [C1]
      – Page a [C1_p] – Page b [C1_p] Different category [C2]
      – Page c [C2_p] – Page d [C2_p] ________________________

      The page "Category" has the page-template "C1",
      the pages "Page a" and "Page b" both have the page-template "C1_p".
      The page "Different category" has the page-template "C2"
      the pages "Page c" and "Page d" both have the page-template "C2_p".
       
      The two pages called "Category" and "Different category" do not have any content, they only serve as containers for pages belonging to that category.
       
      I want my "editor" role not to be able to do anything at all with these pages "Category" and "Different category"; i.e. I do not want my editor to be able to edit, move, unpublish, hide, lock, delete (or do anything else to) these category pages. 
      – So, I want my "editor" role to have the "page-edit" permission for pages with the templates "C1_p" and "C2_p", but not for the pages with the category templates "C1" and "C2",
      Also, I want my "editor" role to be able to move the pages with the templates "C1_p" and "C2_p" within their parent-pages. 


      Problem:

      But if I just simply add the "page-edit" and the "page-move" permissions for the "C1_p" and "C2_p" templates, then, using the "editor" role, I am not able to move these "C1_p" (and "C2_p") -template-based pages. I can actually click "MOVE" next to them and then move them, but... then I will be met by the error message "You do not have permission to sort pages using this parent - /Category/".  
      – So, I try to add the "page-sort" (description: "permission to sort child pages") permission to the "C1" and "C2" templates... but then trying to do so I am met by the initially mentioned error message   ! Permission “page-sort” for template “C1” not allowed (requires “page-edit” permission)  . 
      And, as mentioned, I do not want my editor role users to be able to edit these category ("C1" and "C2") pages...
      – what to do about this? 😅 
       
      All the best,
      Jonatan 
    • By snck
      Hey there,
      for a client website I need to implement a "reviewer" role. "Reviewers" should be able to review new (unpublished) articles to give feedback to editors, but not have the permission to change them. 
      I built a new "reviewer" role that only has page-view permissions for the respective templates, but this permission does not include viewing unpublished pages. How can I grant them access to the unpublished articles without giving them page-edit permission?
      Cheers,
      Flo
    • By snck
      Hey,
      I want my editors to be able to use the page lister, especially the bookmarks. I added the page-lister permission to the editor role, but Page lister ("Find" menu item) does not show. Is there anything else I have to do? Links to bookmarks work for the editors, but I would be glad to show them the menu item as well.
      Maybe this has something to do with the long history of the site (started with ProcessWire 2.4 and upgraded to 3.0.148 over the years)?
      Thanks,
      Flo 
    • By Greg Lumley
      Hi! I've just discovered Processwire and I'm absolutely loving how clean it is. Especially with the full control over what it outputs. 
      Excuse me if this is a really stupid question.
      What happens if a user wants to insert multiple images into the blog field? In other words Shift+Click all the images attached to a specific page in and insert. It seems I can insert one at a time but not multiple.

      Based on the above, I want to rebuild my website. I'm a photographer (ex php dev 2004) and plan also to target websites at other photographers. So inserting multiple images into blog posts is a key part. I'd like to output that to something like UIkit or some kind of Masonry Gallery script. Any thoughts would be fantastic please. 
      Thank you.
      Greg. 
      I'm an ex PHP developer now photographer, now thanks to Corona and not photo work, a rusty PHP developer 😁
×
×
  • Create New...