Prevent a role from creating an admin role

Hello,

I’ve got 4 roles:

  • Admin (kirby default admin role)
  • Manager
  • Evaluator
  • Candidate

I would like the “manager” role to be able to create users with the “evaluator”, “candidate” or “manager” role but not with the “admin” role.

May we achieve this with blueprint user permissions (Kirby 3.2)?

Hm, not sure if that will actually be possible in 3.2 via blueprint settings. While you will be able to set actions per user role, I haven’t seen an example where you could define the roles.

You can prevent creating a user with the admin role through a hook, though.

Maybe I could do something like this (don’t know if it’s possible):

In the config file:

if the current user == manager, set a custom panel CSS file and set display:none on the first li tag (Admin in my case) of the user role list displayed in the “Add user” modal …

Problem is that you can’t call kirby() in the config unless you do it in a closure.

Maybe it can actually be achieved with a user model (available in 3.2), haven’t really looked into that yet.

Another idea would be to set different config files according to the user role, as we did with the blueprint:

Yes, that would be an option, but hiding a select option is not really a secure thing to do. The user can just change the value that is sent and there’s no validation in place to prevent that unless you use an additional hook.

I created an issue on GitHub, because I think a non-admin user shouldn’t be able to create new users with an admin role at all:

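For readers looking for the hook approach mentioned above, here is an added example (not from anyone in this thread, nor from Kirby itself) of a `site/config/config.php` that rejects the admin role server-side, so it holds even if a client edits the value sent by the “Add user” modal. It assumes Kirby 3’s `user.create:before` and `user.changeRole:before` hooks and the default role id `admin`.

```php
<?php
// site/config/config.php (added example, not from the thread)
// Assumes Kirby 3 hooks; $this inside a hook is the Kirby App instance.

use Kirby\Exception\PermissionException;

// True when the currently logged-in user is NOT allowed to hand out the admin role.
// A missing user (e.g. an unauthenticated API call) is treated as not allowed.
$cannotGrantAdmin = function ($actor): bool {
    return $actor === null || $actor->isAdmin() === false;
};

return [
    'hooks' => [
        // Runs before a user is created via the Panel or the API.
        // $input is the raw data sent by the client, so check it, not the UI.
        'user.create:before' => function ($user, array $input) use ($cannotGrantAdmin) {
            $requestedRole = $input['role'] ?? $user->role()->id();
            if ($requestedRole === 'admin' && $cannotGrantAdmin($this->user())) {
                throw new PermissionException('Only admins may create admin users');
            }
        },

        // Also close the second door: promoting an existing user to admin later.
        'user.changeRole:before' => function ($user, string $role) use ($cannotGrantAdmin) {
            if ($role === 'admin' && $cannotGrantAdmin($this->user())) {
                throw new PermissionException('Only admins may assign the admin role');
            }
        },
    ],
];
```

Hiding the option in the modal can still be done for usability, but the hooks are what actually enforce the rule.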