User and Users permissions

I’m building a new site for a client. I will be the Admin User, the client an Editor User. I’m writing an Editor Users Blueprint, setting up Permissions. The bit I don’t understand is the difference between the ‘user’ permissions and the ‘users’ permissions? They kind of sound like the same thing?

Here’s my blueprint (just the sections in question):

title: Editor
description: Allows editing and updating the website
permissions:
  user:
    changeEmail: true
    changeLanguage: false
    changeName: true
    changePassword: true
    changeRole: false
    delete: true
    update: true
  users:
    changeEmail: true
    changeLanguage: false
    changeName: true
    changePassword: true
    changeRole: false
    create: true
    delete: true
    update: true

I want the client / editor to be able to:

  • change their email address and the email of any new users they set up.
  • not change my Admin email
  • change their password, but not my password, or any other users password.
  • not change their role to Admin, or make any new user role as Admin
  • delete other editor users, but not delete the Admin user

Is this possible and does this code do the trick?

Thanks for any help

User permissions: What the user can do with their own account
Users permissions: What the user can do with regard to other user accounts

A non-admin user cannot create admin users, nor can they make themselves admins.

As far as I know you cannot allow/disallow based on role, so either a user can delete other users or not, regardless of their status, unless there is only one admin, which then cannot be deleted.

Thanks for the simple explanation!

If I allow the Editor to:

  • change other users’ email addresses
  • change other users’ passwords
  • change other users’ roles
  • delete users

– will they be able to do this to the Admin user’s account?

Our messages crossed

They would be able to

  • delete other users of all roles apart from the last/only admin user
  • change the email addresses of all users
  • change the password of all users
  • change the role of all non-admin users (doesn’t have an effect if there are only 2 roles)

I think it would make more sense to set changePassword/changeEmail users permissions to false, and allow users to reset their passwords (enable password reset in config).

Or you set these permissions to true, but use hooks to prevent this for admin users: Permissions | Kirby CMS
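One way to implement the hook approach mentioned above, as an added example that is not code from this thread, from the Kirby documentation or from the Kirby project: it keeps the `users` permissions set to `true` and rejects the action in `:before` hooks whenever the target account is an admin and the acting user is not. It assumes Kirby 3, a role named `admin`, that `kirby()->user()` inside a hook returns the user performing the action, and that these hooks fire for actions taken in the Panel.

```php
<?php
// site/config/config.php (added example; assumptions are noted in the comments)

use Kirby\Exception\PermissionException;

// Helper closure: throw when a non-admin (or nobody at all, e.g. a request
// without a logged-in user) tries to act on an admin account. Admins acting on
// admins, and anyone acting on non-admin accounts, pass through unchanged, so
// an Editor can still change their own email/password and manage other Editors.
$protectAdmin = function ($actor, $target, string $action): void {
    // $target->isAdmin() assumes the admin role is named 'admin' (Kirby default)
    if ($target->isAdmin() && ($actor === null || $actor->isAdmin() === false)) {
        throw new PermissionException(
            'Only an admin may ' . $action . ' an admin account.'
        );
    }
};

return [
    'hooks' => [
        // Target user is the first argument of each user.* hook; the second is
        // the new value (email, password, role name). kirby()->user() is
        // assumed to be the currently logged-in user performing the change.
        'user.changeEmail:before' => function ($user, $email) use ($protectAdmin) {
            $protectAdmin(kirby()->user(), $user, 'change the email of');
        },
        'user.changePassword:before' => function ($user, $password) use ($protectAdmin) {
            $protectAdmin(kirby()->user(), $user, 'change the password of');
        },
        'user.changeRole:before' => function ($user, $role) use ($protectAdmin) {
            $protectAdmin(kirby()->user(), $user, 'change the role of');
        },
        'user.delete:before' => function ($user) use ($protectAdmin) {
            $protectAdmin(kirby()->user(), $user, 'delete');
        },
    ],
];
```

The check is deliberately on the target account's role rather than on a specific user, so adding a second admin later needs no change to the config. Promoting someone to admin is not handled here because, as stated earlier in the thread, Kirby already refuses to let a non-admin create admins or make themselves admin; the hooks only add the "hands off admin accounts" rule that the blueprint permissions cannot express on their own.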

Thanks