
Clarification to role permission: Administer users


Roope

I'm not sure if I understand PW's user and role logic right, so let's go through a simple scenario:

Site has two custom roles: 'admin' for site administrators and 'member' for closed member area login. At roles 'admin' has every permission enabled and 'member' has none (view pages only). Admins need to have permission to create new members.

OK, so first I need to go and edit 'user' template and give 'admin' role full edit rights.

Then I log in as 'admin' user and browse to Access > Users where I can see all user accounts except superusers. When I edit any existing account or create new one, I'm able to select 'superuser' as account role. I think this is not right?

It would sound more logical that user who has permission to administer users, would only be able to do this for accounts that have the same role(s) enabled. Eg. at Users main page it would only list users belonging to same role(s) and when creating new account or editing existing one there would only be same roles available to choose from.

When I edit any existing account or create new one, I'm able to select 'superuser' as account role. I think this is not right?

Try to assign the superuser role when logged into your 'admin' user account. Unless your 'admin' also has the 'superuser' role, they won't be able to assign it. Yes, they'll see it as an option, but once you try to save it, it will throw an error. 

It would sound more logical that user who has permission to administer users, would only be able to do this for accounts that have the same role(s) enabled. Eg. at Users main page it would only list users belonging to same role(s) and when creating new account or editing existing one there would only be same roles available to choose from.

ProcessWire doesn't know what your roles mean to you (like one user being above another), but it does know what superuser means, so it's not going to let a non-superuser assign superuser to someone else (or yourself). Beyond that, you should consider a user with administration control of users a fairly powerful permission at present. Though I do like your idea of limiting the assignment capabilities to the roles that the user administrator also shares. It would mean giving that user additional roles purely for the sake of assignment permission, which would be a different factor for roles than we usually think. But it is an interesting possibility. Though it might conflict with what page permissions you want the user to have. But if we can assume a user powerful enough to assign a role is also powerful enough to have all the permissions of that role (like with page editing and viewing, etc.–a safe assumption I think) then it could work. I'll think more on this and perhaps it would be a good feature to add. 
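The save-time check discussed in this thread, sketched as an added example that is not part of the original posts and not ProcessWire's code (it uses no ProcessWire API). The function name, the 'editor' role and the choice to treat removing a role like adding one are assumptions.

```php
<?php
declare(strict_types=1);

const SUPERUSER = 'superuser';

/**
 * Hypothetical helper (not a ProcessWire function): list the role changes
 * the acting user may not make. Call it when the user form is saved, so the
 * result does not depend on which roles the form offered.
 */
function deniedRoleChanges(array $actorRoles, array $before, array $requested): array
{
    if (in_array(SUPERUSER, $actorRoles, true)) {
        return []; // a superuser may assign or remove any role
    }
    // Authorize only what changes; roles the account keeps are not re-checked,
    // so editing an account that holds other roles still saves.
    $changed = array_merge(
        array_diff($requested, $before), // roles being added
        array_diff($before, $requested)  // roles being removed (assumed to need the same right)
    );
    // Proposed rule: only roles the actor holds may change. A non-superuser
    // never holds 'superuser', so the existing restriction is a special case.
    return array_values(array_diff($changed, $actorRoles));
}

// Constructed cases: [actor roles, target roles before, roles submitted].
$cases = [
    'admin grants superuser'        => [['admin'], ['member'], ['member', 'superuser']],
    'admin creates a member'        => [['admin'], [], ['member']],
    'admin+member creates a member' => [['admin', 'member'], [], ['member']],
    'admin saves without changes'   => [['admin'], ['editor'], ['editor']],
];

foreach ($cases as $label => [$actor, $before, $requested]) {
    $denied = deniedRoleChanges($actor, $before, $requested);
    echo str_pad($label, 32), $denied ? 'rejected: ' . implode(', ', $denied) : 'saved', PHP_EOL;
}
```

The second and third cases show the trade-off raised in the reply: under the shared-role rule, the 'admin' account from the scenario must also hold 'member' before it can create members.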
