
Clarification to role permission: Administer users



Posted
I'm not sure if I understand PW's user and role logic right so let's go through a simple scenario:

Site has two custom roles: 'admin' for site administrators and 'member' for closed member area login. At roles 'admin' has every permission enabled and 'member' has none (view pages only). Admins need to have permission to create new members.

OK, so first I need to go and edit 'user' template and give 'admin' role full edit rights.

Then I log in as 'admin' user and browse to Access > Users where I can see all user accounts except superusers. When I edit any existing account or create new one, I'm able to select 'superuser' as account role. I think this is not right?

It would sound more logical that user who has permission to administer users, would only be able to do this for accounts that have the same role(s) enabled. Eg. at Users main page it would only list users belonging to same role(s) and when creating new account or editing existing one there would only be same roles available to choose from.
Posted
When I edit any existing account or create new one, I'm able to select 'superuser' as account role. I think this is not right?

Try to assign the superuser role when logged into your 'admin' user account. Unless your 'admin' also has the 'superuser' role, they won't be able to assign it. Yes, they'll see it as an option, but once you try to save it, it will throw an error. 

It would sound more logical that user who has permission to administer users, would only be able to do this for accounts that have the same role(s) enabled. Eg. at Users main page it would only list users belonging to same role(s) and when creating new account or editing existing one there would only be same roles available to choose from.

ProcessWire doesn't know what your roles mean to you (like one user being above another), but it does know what superuser means, so it's not going to let a non-superuser assign superuser to someone else (or yourself). Beyond that, you should consider a user with administration control of users a fairly powerful permission at present. Though I do like your idea of limiting the assignment capabilities to the roles that the user administrator also shares. It would mean giving that user additional roles purely for the sake of assignment permission, which would be a different factor for roles than we usually think. But it is an interesting possibility. Though it might conflict with what page permissions you want the user to have. But if we can assume a user powerful enough to assign a role is also powerful enough to have all the permissions of that role (like with page editing and viewing, etc.–a safe assumption I think) then it could work. I'll think more on this and perhaps it would be a good feature to add. 

Posted

OK, thanks for the clarification. Sure, I didn't try to save the superuser role but was just surprised to see it there as an option.
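
The behaviour described in the reply above (the 'superuser' option is visible, but saving it is refused for a non-superuser) together with the proposed restriction to roles the user administrator also holds, as an added example that is not part of the thread and is not ProcessWire code. It is a stand-alone PHP model; the function names and the sample role sets are hypothetical, and treating role removal the same as role assignment is an assumption of this sketch.

```php
<?php
// Added illustration: a framework-independent model, not ProcessWire's API.
const SUPERUSER = 'superuser';

/**
 * Roles the acting user may grant or revoke.
 * Rule 1 (from the thread): only a superuser may assign 'superuser'.
 * Rule 2 (the proposal): a non-superuser may only assign roles they hold.
 */
function assignableRoles(array $actorRoles, array $allRoles): array
{
    if (in_array(SUPERUSER, $actorRoles, true)) {
        return $allRoles;
    }
    return array_values(array_intersect($allRoles, $actorRoles));
}

/**
 * Save-time check. The edit form may list every role, so the decision is
 * made here on the submitted data, not on what the form displayed.
 * Returns the role changes that must be refused (empty array = allowed).
 */
function rejectedRoleChanges(array $actorRoles, array $before, array $after, array $allRoles): array
{
    $allowed = assignableRoles($actorRoles, $allRoles);
    // Assumption: removing a role counts as a change just like adding one.
    $changed = array_merge(array_diff($after, $before), array_diff($before, $after));
    return array_values(array_diff($changed, $allowed));
}

// Constructed sample data following the thread's scenario. The 'admin' user
// also holds 'member', purely so that 'member' becomes assignable (rule 2).
$allRoles = ['superuser', 'admin', 'member'];
$actor    = ['admin', 'member'];

$cases = [
    'create member'        => [[], ['member']],
    'promote to superuser' => [['member'], ['member', 'superuser']],
    'demote a superuser'   => [['superuser'], ['member']],
];

foreach ($cases as $label => [$before, $after]) {
    $rejected = rejectedRoleChanges($actor, $before, $after, $allRoles);
    printf("%-22s %s\n", $label, $rejected ? 'REJECTED: ' . implode(', ', $rejected) : 'ok');
}
```

Passing the result of `assignableRoles()` to the form as well would hide the options that cannot be saved, which addresses the surprise raised in the first post without relying on the form for enforcement.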
