User cannot add e.g. alt text to a picture in his profile

I have installed a fresh installed Kirby starterkit 3.3.5.

Then I have added the blueprint site\blueprints\users\editor.yml:

// site\blueprints\users\editor.yml
title: Editor
    panel: true
    site: true
    settings: false
    users: false
    create: true
    changeName: true
    delete: true
    replace: true
    update: TRUE
    update: false
    create: true
    changeTemplate: true
    changeTitle: true
    changeSlug: true
    delete: false
    hide: true
    sort: true
    update: true
    create: false # how can a user create **himself** ???
    changeName: TRUE
    changeEmail: TRUE
    changeLanguage: FALSE
    changePassword: false
    changeRole: false
    delete: false
    update: TRUE

    type: fields
        label: Telefon
        type: tel
        width: 1/3
        placeholder: +49 000 00000000-000
        label: mobile Phone
        type: tel
        width: 1/3
        placeholder: +49 000 00000000
        label: Website
        type: url
        width: 1/3

    type: files
    empty: "No documents yet"
    headline: My files
    layout: cards
    size: small
    template: image

Then as admin I have added a new user Editor with this role Editor.

Then I have logged in using another browser as this user Editor.
He added a picture in his profile in the area “My files” of the panel.
If he clicks on this new picture he gets the error:


and the panel redirectes to the sites root.

As admin I can doubleclick that picture of the user and e.g. add the “alt text”. But not as Editor himself.

Something is wrong.

The problem is that the files are accessible under the panel/users/... URL. So if you set

     users: false

your user cannot access files. It’s a bit unfortunate, because this way users will still be able to see the user list, unless you create your own users view (which is still not really possible but will hopefully be fixed soon).

But then I must add

    create: false
    changeEmail: false
    changeLanguage: false
    changeName: false
    changePassword: false
    changeRole: false
    delete: false
    update: false

yes I hope too.

I suggest that there should be additional permissions for the files in the user and users profiles.

Now the Editor can see all fields and their content of all other users.

Data protection according to DSGVO-/GDPR is therefore not possible with the latest Kirby version 3.3.5, if we need such fields…

You can probably solved this with some workarounds like a before hook and some conditional style sheets to hide stuff away.

The place to post ideas is here:

(And yes, I know you don’t have an account).

I wouldn’t call this a data protection problem, your use case is just not supported at the moment. If you don’t want to allow access to users, don’t use files with meta data in the user profiles.

The tone of your post is not what we want to have here on the forum. This is a nice and friendly place, and we want to keep it this way.


Thank you very much for the issue at Github: Expose user files via the account route #2580.