Cannot edit User roles even if the permissions allow it

I’m trying to set up user roles on my site. But I cannot get a non-admin account to have the rights to change his, or another user’s, role. Even when explicitly adding the following to the user blueprint it will not work, while changing all the other permissions is reflected immediately in the panel.

permissions:
  [...]
  user:
    changeRole: true
  users:
    changeRole: true

Am I overlooking something?

I fear this is due to a known bug I’ve been working on in the last week. Technically the permission works in some way but Kirby returns the available roles for non-admins as only their own role (which is false). But then the panel disables the UI as it thinks there is no other role available to change to and then it doesn’t need to show the UI with only one option. We hope to have this finally fixed in v4.5.

Thank you for your quick answer. I will keep it as is then, and wait for the bugfix.

Hey,
I just jumped into the Kirby code and think I found the solution.
In kirby/src/Cms/User.php there’s the roles() function:

	public function roles(): Roles
	{
		$kirby = $this->kirby();
		$roles = $kirby->roles();

		// a collection with just the one role of the user
		$myRole = $roles->filter('id', $this->role()->id());

		// if there's an authenticated user …
		// admin users can select pretty much any role
		if ($kirby->user()?->isAdmin() === true) {
			// except if the user is the last admin
			if ($this->isLastAdmin() === true) {
				// in which case they have to stay admin
				return $myRole;
			}

			// return all roles for mighty admins
			return $roles;
		}

		// any other user can only keep their role
		return $myRole;
	}

The problem is this:

		// any other user can only keep their role
		return $myRole;

There are checks performed earlier to prevent a non-admin user from creating new users, and there are also checks to prevent the changeRole menu from showing if the user is not authorized to changeRole. So changing the code to this fixes the problem:

		// any other user can only keep their role
		return $roles;

However, it means non-admins get the menu to change the roles of admins, except they don’t actually have the permission. So it’s not a full solution.

It’s exactly the faulty spot but as you also discovered, it needs a little more to get the proper solution.
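A self-contained sketch of the role-filtering logic the thread is circling around, added here as an example and not Kirby's code: the acting user's changeRole permission decides whether other roles are offered at all, and a non-admin is never offered the admin role, so the panel neither hides the menu wrongly nor opens an escalation path. The User class, the `$canChangeRole` flag standing in for the blueprint permission, and the `$adminCount` parameter are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the acting and edited users (not Kirby's class).
final class User
{
    public function __construct(
        public readonly string $id,
        public readonly string $role,
        public readonly bool $canChangeRole, // stands in for user.changeRole
    ) {}

    public function isAdmin(): bool
    {
        return $this->role === 'admin';
    }
}

/**
 * Roles that $actor may assign to $target.
 * Admins get every role, unless $target is the last admin (assumed via $adminCount).
 * Non-admins with changeRole get every non-admin role; everyone else keeps $target's role.
 * @param string[] $allRoles  @return string[]
 */
function availableRoles(User $actor, User $target, array $allRoles, int $adminCount): array
{
    $keepOwn = [$target->role];

    if ($actor->isAdmin()) {
        if ($target->isAdmin() && $adminCount <= 1) {
            return $keepOwn; // the last admin has to stay admin
        }
        return $allRoles;
    }

    if (!$actor->canChangeRole || $target->isAdmin()) {
        return $keepOwn; // no permission, or target outranks the actor
    }

    // never offer escalation to admin from a non-admin account
    return array_values(array_filter($allRoles, fn (string $r) => $r !== 'admin'));
}

$roles  = ['admin', 'editor', 'client']; // constructed sample roles
$editor = new User('e1', 'editor', true);
$client = new User('c1', 'client', false);

var_dump(availableRoles($editor, $client, $roles, 1));
var_dump(availableRoles($client, $editor, $roles, 1));
```

Wiring this into the real roles() would also need the panel to use the same list, so that the menu only appears when more than one role comes back.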
