User can change his own role in panel when changeRole is turned off

I think this is a critical bug for the user roles system. The user can change his own role in panel from “Your account” even when changeRole: false is set in the user blueprint.

My blueprint:

title: Reviewer
permissions:
  access:
    panel: true
    users: false
    site: true
  site:
    update: false
  users: false

I also tested this:

title: Reviewer
permissions:
  access:
    panel: true
    users: false
    site: true
  site:
    update: false
  users:
    create: false
    createAvatar: false
    deleteAvatar: false
    changeName: false
    changeEmail: false
    changePassword: false
    changeRole: false
    delete: false
    update: false

Could you post the whole blueprint please?

Yes, updated my post. See above.

Yes, I think you are right. I’m getting some issues too. With your blueprint in place, I can still change the role when logged in as a Reviewer. If I log into the reviewer account and log out again, this happens…

Looking at your blueprint against the documentation I can't see any issues with it. I’m sure one of the support team will see this shortly.

Edit: The role setting seems to work if you log out, clear the cache and log in again. You shouldn't have to do that though, I don't think.

As an admin, I created a new user with the reviewer role. Then logged in as this reviewer.

Result: The reviewer cannot access the user section with this setting at all with the first blueprint.

@texnixe The bug is when you click on “Your account” and then on the role.

Yes, that worked for me too; it's the second blueprint that seems to have issues.

Screenshots taken with this blueprint:

title: Redaktör

fields:
  name:
    label: Namn
    type: text

permissions:
  access:
    panel: true
    users: false
    site: true
  site:
    update: false
  pages:
    delete: false
  users: false

1. Click your account

2. Click on the role line

3. Popup modal with option to change your role

I think the problem is that you use the wrong setting. There is a users setting and a user setting and to deny access to a single user or to restrict what the user can do, you need the user setting.

That isn’t detailed in the docs; only the settings for users are.

But yes, in the guide, that seems to be an error.

The blueprint should look like this:

title: Reviewer
permissions:
  access:
    panel: true
    users: false
    site: true
  site:
    update: false
  user:
    changeRole: false

I.e. with access > users > false, and then just the single user settings.

I created an issue to fix this.
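To make the users/user distinction from the reply above concrete, here is an added example (not Kirby's own code, and not from anyone in this thread) that models how a blueprint's permissions section resolves into per-action flags. It assumes a simplified rule set: a category set to a boolean applies to every action in it, a category given as a mapping sets actions one by one, and anything not mentioned defaults to allowed; the action lists are constructed from the keys used in this thread.

```python
# Hypothetical, simplified model of blueprint permission resolution.
# Assumptions: bool at category level = all actions; mapping = per-action;
# unmentioned actions default to True (allowed).

# Constructed action lists based on the keys that appear in the thread.
DEFAULT_ACTIONS = {
    "access": ["panel", "site", "users"],
    "site": ["update"],
    # "users" = what this role may do to OTHER user accounts
    "users": ["create", "changeName", "changeEmail", "changePassword",
              "changeRole", "delete", "update"],
    # "user" = what this role may do to ITS OWN account ("Your account")
    "user": ["changeName", "changeEmail", "changePassword",
             "changeRole", "delete", "update"],
}


def resolve(permissions):
    """Expand a blueprint permissions mapping into {category: {action: bool}}."""
    resolved = {}
    for category, actions in DEFAULT_ACTIONS.items():
        setting = permissions.get(category, True)
        if isinstance(setting, bool):
            resolved[category] = {a: setting for a in actions}
        else:
            resolved[category] = {a: bool(setting.get(a, True)) for a in actions}
    return resolved


def can(permissions, category, action):
    """True if the resolved blueprint allows `action` in `category`."""
    return resolve(permissions)[category][action]


# Constructed blueprints mirroring the thread: WRONG locks down "users"
# (other accounts) but never touches "user", so the own-role change stays
# allowed; FIXED denies it explicitly under "user".
WRONG = {
    "access": {"panel": True, "users": False, "site": True},
    "site": {"update": False},
    "users": False,
}
FIXED = {
    "access": {"panel": True, "users": False, "site": True},
    "site": {"update": False},
    "user": {"changeRole": False},
}

if __name__ == "__main__":
    for name, bp in (("users: false", WRONG), ("user > changeRole: false", FIXED)):
        print(f"{name:26} own role change allowed: {can(bp, 'user', 'changeRole')}")
```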

That works. Superb help @texnixe

@kaloja Sorry for the trouble caused by incorrect documentation.


Just to add this: In the docs, “user blueprint permissions” seem to be a bit inconsistent between the guide (users > permissions) and the reference (panel > blueprints > user blueprint). Some options are missing in the reference; and “access > settings” seems not to be documented at all.