My editor user has access to my admin role. He can change name, email and even passwords.
Is this a know bug or should I configure some files in order to fix it?
That shouldn’t be the case and I can’t reproduce this issue in a 2.5.10 StarterKit. What is your Kirby version? Have you set up permissions?
If so, add the following to your editor permissions:
'panel.user.*' => false,
'panel.user.read' => true, // or limit to own user
Toolkit Version: 2.5.10
Kirby Version: 2.5.10
Panel Version: 2.5.10
roles/editor.php:
<?php
return [
'name' => 'Editor',
'default' => false,
'permissions' => [
'*' => true,
'panel.page.url' => function() {
$excluded = c::get('excluded.pages');
if(!in_array($this->target()->page()->uri(), $excluded)) {
return true;
}
}
]
];<?php
return [
'name' => 'Editor',
'default' => false,
'permissions' => [
'*' => true,
'panel.page.url' => function() {
$excluded = c::get('excluded.pages');
if(!in_array($this->target()->page()->uri(), $excluded)) {
return true;
}
},
'panel.user.*' => false,
'panel.user.read' => true, // or limit to own user
]
];
Replaced the code, unfortunately the editor can’t edit is own role now.
Then you have to add a permission for panel.user.update,
'panel.user.update' => function() {
if($this->user()->is($this->target()->user())) {
// users are allowed to edit their own information
return true;
} else {
// other users can't be edited
return false;
}
}
This is directly from the docs and should allow them to update their own profile but not others.
Ok, your code fixed the issue.
But would it be cool to enable it by default?
I think this is the default setting when not using permissions. But permissions override the default settings, and in the file above, all permissions are set to true with a wildcard (’*’ => true,) and then limited. You could also do it the other way round, prohibit everything and then only allow certain actions. It really depends on what you want to achieve.