Hi,
For a particular use case I need to prevent the administrator from opening a subpage in the panel.
So I’ve run some tests with the Kirby permissions.
I’ve created a file “administrator.php” in the site/roles/ folder and tried this simple test:
<?php
// site/roles/administrator.php
return [
  'name'        => 'Admin',
  'default'     => false,
  'permissions' => [
    '*'               => true,  // grant everything ...
    'panel.page.read' => false  // ... except reading pages in the panel
  ]
];
This code is supposed to prevent the administrator from editing any pages/subpages in the panel. Right?
But in my case the administrator can still access any pages/subpages in the panel.
So I was wondering if we can change the permissions of the administrator to prevent him from doing some actions in the Panel?
I don’t think that is possible. But can’t you create a new user role that is allowed to do anything but read pages?
Ok so suppose that the current Kirby administrator is the superadmin and I create a custom role “customadmin” that is allowed to do anything but read pages.
Can I hide the superadmin role from the new “customadmin” role, to prevent him from assigning the superadmin role to himself or to a new user?
That should be doable via permissions, I think.
Maybe with a trigger function on the ‘panel.user.create’ and ‘panel.user.update’ permissions for the “customadmin” role …
Something like:
function:
  if current user != superadmin and role_assigned = superadmin then return a message “You do not have this privilege”
But I don’t know how to check which role is being assigned :-/
$this->target()->data()['role']?
I think it has to happen on the panel.user.update permission. But I’m not sure how to test for the assigned role. I would expect $this->target()->data() to contain that information…
Edit: Looks like a non-admin user generally can’t change user roles once the user is created…
Yes, I confirm: I made some tests and my new customadmin role can’t change the role of other users.
Also, a non-admin user can only create new users with the default role.
Looks like we need some more fine grained permissions here…
I had a look at the source code, and there is definitely no way a non-admin can change the role of a user without modifying the Panel source. Here’s the code that defines when the field is readonly.
'readonly' => (!panel()->user()->isAdmin() or ($user and $user->isLastAdmin()))
(/panel/app/forms/users/user.php)
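For reference, here is what a complete site/roles/customadmin.php along the lines discussed in this thread would look like. This is an added example, not code from the original posts or from the Kirby project. It takes the role-file keys ('name', 'default', 'permissions'), the '*' wildcard, the 'panel.page.read' permission and panel()->user()->isAdmin() from this thread; everything else is an assumption: that a permission callback may return a string to deny with a message, that $this->target()->data() exposes the submitted user data with a 'role' key (the thread expects this but never confirms it), and that the built-in admin role id is 'admin'. As the source check above shows, the Panel already makes the role field readonly for non-admins, so the callbacks are only a second line of defence, not a replacement for that check.

```php
<?php
// site/roles/customadmin.php  (added example, assumptions marked below)

/**
 * Deny the request when a non-admin user tries to hand out the admin role.
 * Returns true to allow, or a string that (assumed) becomes the Panel error message.
 */
function customadmin_guard_role()
{
    // Assumption: the event target carries the submitted form data, including 'role'.
    $data = $this->target()->data();
    $role = isset($data['role']) ? $data['role'] : null;

    // 'admin' is assumed to be the id of the built-in superadmin role.
    if ($role === 'admin' && !panel()->user()->isAdmin()) {
        return 'You do not have this privilege';
    }

    return true;
}

return [
    'name'        => 'Custom Admin',
    'default'     => false,
    'permissions' => [
        // Everything an admin can do ...
        '*'                 => true,
        // ... except reading pages in the Panel (the thread's original goal)
        'panel.page.read'   => false,
        // Guard role assignment on user creation and update.
        // Closure::bind keeps $this pointing at the Kirby event object
        // that the permission system (assumed) passes to the callback.
        'panel.user.create' => function () {
            return Closure::bind('customadmin_guard_role', $this)->__invoke();
        },
        'panel.user.update' => function () {
            return Closure::bind('customadmin_guard_role', $this)->__invoke();
        },
    ],
];
```

Users given this role can do everything except open pages, and any attempt to save a user with the admin role is refused with the message above. The role id in the 'role' key must match the actual admin role file name in your installation; adjust the assumed 'admin' if yours differs.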
I’ll mark this as solved as the question is answered, even if the answer does not meet your needs.