Can I limit the administer users ability a little more?

[Vigilante]

I have a site where guest users become "limited" users. The limited users can't see any content on the site, but their account is pending review. Then there is our "member" role which is the standard user role for accessing the site.

After a user registers, we need a super user or somebody with "administer users" to be able to add the "member" role to these new users.

The problem is that this gives a little too much ability. Say I have a role named "member-manager" and give them admin user ability. Well not only can they add or remove the member role, but most other roles too. Thankfully, not super user, but for example they could make other users also be member-managers and this isn't right. 

We only want the member-manager roles to be able to access the limit users and convert them to members, that's about it. No other roles should be available, and they shouldn't be able to add member-manager either.

Is there a way, once I've given the admin user ability, to further limit which users they can see, and what roles they can add or subtract? For another example, we have other roles like "editor" and these member-managers don't need to be able to add or remove this role from anybody.

How could I do this?

[rick]

Maybe this topic helps?
 

[bernhard]

I think the best would be to create a custom process module. You can assign a permission to that module so that only some of your users can view this pages in the backend. This page could be a 100% custom UI with a list of all pending users and a button for each of them that adds the role to that user when clicked.

class Process extends Process {
  public static function getModuleInfo() {
    return [
      'title' => '',
      'version' => '0.0.1',
      'summary' => '',
      'icon' => '',
      'requires' => [],
      'installs' => [],
      
      
      // name of permission required of users to execute this Process (optional)
      'permission' => 'foo',
      // permissions that you want automatically installed/uninstalled with this module (name => description)
      'permissions' => ['foo' => 'May run the foo module'],
      
      // page that you want created to execute this module
      'page' => [
        'name' => 'helloworld',
        'parent' => 'setup', 
        'title' => 'Hello World'
      ],

      // optional extra navigation that appears in admin
      // if you change this, you'll need to a Modules > Refresh to see changes
      'nav' => [
        [
          'url' => '', 
          'label' => 'Hello', 
          'icon' => 'smile-o', 
        ],[
          'url' => 'something/', 
          'label' => 'Something', 
          'icon' => 'beer', 
        ],
      ]
    ];
  }

  public function init() {
    parent::init(); // always remember to call the parent init
  }

    /**
   * 
   */
  public function execute() {
    $this->headline('Manage users');
    $this->browserTitle('Manage users');
    /** @var InputfieldForm $form */
    $form = $this->modules->get('InputfieldForm');
    
    $form->add([
      'type' => 'markup',
      'label' => 'foo',
      'value' => $this->usersTable(),
    ]);
    
    return $form->render();
  }

  /**
   * Render users table
   */
  public function usersTable() {
    $users = $this->pages->find('...');
    $out = '<table>';
    foreach($users as $user) {
      $button = "<a href='./activateUser/?id=" . $user->id . "'>activate</a>";
      $out .= "<tr><td>{$user->name}</td><td>$button</td></tr>";
    }
    $out .= "</table>";
    return $out;
  }

  /**
   * Activate user and redirect to overview
   */
  public function executeActivateUser() {
    // get user
    $user = $this->pages->get($this->input->get('id', 'int'));

    // !!!! caution !!!!
    // check if user is really a user and if the current user is really allowed
    // to modify this user!
    if(!$access) throw new WireException("no access");

    // otherwise add role to user
    $user->of(false);
    $user->addRole(...);
    $user->save();
    
    // redirect to overview
    $this->session->redirect("./");
  }
}