Prevent creation of new admin

Is there any way to prevent the creation of new admin users from the panel?
I’d love to give the admin access to a client but they’ll be able to create new users for a restricted area and I’m sure they will accidentally create an admin user instead so I’d really like to avoid that.

There doesn’t seem to be an option apart from a user.create:before hook or maybe a custom User class.

Something like

permissions:
  users:
    create:
      - client

unfortunately, does not work.

This looks like a very weird omission honestly and it would make total sense to have it in the core. I’ll add it as a suggestion on nolt.

Done: More granular control of the roles available to be created · Kirby Feedback

Immediately upvoted :slight_smile:

Now that I think about it, the same approach could be used to limit other things, for example

permissions:
    pages:
        delete:
            - post

That permission can already be set in the page blueprints. But I think we need some unified approach towards permissions. The current implementation is rather limited and there are too many places where permissions can be set (all sorts of blueprints, additionally hooks, custom models…).

Edit: Ohhh I think I misunderstood. He should be able to create users, but not admins?

How about a new role with every permission except users?
I would argue admin is admin for a reason :slight_smile:

title: SlightlyUnderpoweredAdmin
permissions:
  access:
    *: true
  files:
    *: true
  languages:
    *: true
  pages:
    *: true
  site:
    *: true
  user:
    *: true
  users:
    *: false

Correct, I want the current admins to only be able to create new users with roles that are not admin. Essentially I want the admins to only be the two I have created, mine and the client’s one.

I don’t want to risk them being able to create an admin user by accident.

Are there different non-admin roles?

How about a hook that checks the role and changes it from admin to editor after a user is created?
It’s not fancy, but should work for your case.

I agree with the permission system being too scattered and sometimes not granular enough.
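
The hook idea mentioned in the thread, as an added example that is not part of the original posts and not Kirby's own code. It rejects the request in a `:before` hook instead of rewriting the role afterwards, and it also covers the role-change path, since a user created as a non-admin could otherwise be promoted later. It assumes Kirby 3 hook signatures and that the restricted role's id is `admin`.

```php
<?php
// site/config/config.php
// Added example, not from the thread: refuse any attempt to create a user
// with the admin role, or to promote an existing user to admin.

use Kirby\Cms\User;
use Kirby\Exception\PermissionException;

return [
    'hooks' => [
        // Fires before a new user is written to disk. Throwing here aborts
        // the creation and the Panel shows the message to the editor.
        'user.create:before' => function (User $user, array $input) {
            if ($user->isAdmin() === true) {
                throw new PermissionException(
                    'New users cannot be created with the admin role.'
                );
            }
        },

        // Fires before a role change is saved. Without this, the check
        // above could be bypassed by creating a non-admin user first and
        // switching the role afterwards.
        'user.changeRole:before' => function (User $user, string $role) {
            if ($role === 'admin') {
                throw new PermissionException(
                    'Users cannot be promoted to the admin role.'
                );
            }
        },
    ],
];
```

Add the hooks only after the intended admin accounts exist, because they also block admin creation during installation and from scripts. To add another admin later, remove the hooks temporarily or edit the account file on the server.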