User create / edit / remove restriction for a user role

Is there a way to set up in the panel that a user role can create new users, but not assign the Admin role? Also, the user should not be able to edit users or see the Admin role.

I want to allow the customer to create users with certain roles, but I want to keep the Admin role only on my side.

Best Regards

This is already Kirby’s default behavior. Only admins can create admins, promote existing users to admins or demote admins to another role.

I tested it right now on my local setup and I’m logged in as a user with the role Team and I can:

  • See Admin
  • Edit Admin

I can’t change the role of the admin.

But maybe I just missed some more details in my first post - what I want is, if I’m logged in as a user with the role Team:

  • Not allowed to see Admin
  • Not allowed to edit Admin
  • Not allowed to create Admin

Admin user should be totally hidden for the rest of the users.

Here are some screenshots and my yaml file for the team role.



title: Team
permissions:
  access:
    panel: true
    site: true
    languages: true
    system: true
    users: true
  files:
    create: true
    changeName: true
    delete: true
    read: true
    replace: true
    update: true
  languages:
    create: true
    delete: true
  pages:
    changeSlug: true
    changeStatus: true
    changeTemplate: true
    changeTitle: true
    create: true
    delete: true
    duplicate: true
    preview: true
    read: true
    sort: true
    update: true
  site:
    changeTitle: true
    update: true
  user:
    changeEmail: true
    changeLanguage: true
    changeName: true
    changePassword: true
    changeRole: true
    delete: true
    update: true
  users:
    changeEmail: true
    changeLanguage: true
    changeName: true
    changePassword: true
    changeRole: true
    create: true
    delete: true
    update: true

Ah, I see. At the moment hiding the admin users completely will not work with blueprint configuration unfortunately.

What you could do is to replace the Users class. In your overridden class, you could then check the role of the current user and if it’s team, filter out all users with the admin role from the result set.

@lukasbestle Where can I maybe find a User Class example?

I tried a bit, but I guess I need to dive a bit deeper into the existing Kirby code.

plugins/users-restricion/index.php

<?php

require_once 'vendor/getkirby/cms/bootstrap.php';

require 'classes/user-restriction.php';

use mg\core\CustomUsersView;

echo (new CustomUsersView)->render();

plugins/users-restricion/classes/user-restriction.php

<?php

namespace mg\core;

use Kirby\Cms\Users;

class CustomUsersView extends Users
{
    public static function all(array $options = [])
    {
        // Get the current user
        $currentUser = kirby()->user();

        // Fetch all users using the parent Users class
        $users = parent::all($options);

        // If the current user is not an admin, filter out admin users
        if ($currentUser && $currentUser->isAdmin() === false) {
            return $users->filter(function ($user) {
                return $user->isAdmin() === false;
            });
        }

        // Admins can see all users
        return $users;
    }
}

There is no full example for the Users class, however you can use the Site example as a starting point.

What’s important to know is that your custom Users class does not have (and does not need to have) a render() method. So your code will break in your index.php because you are trying to replace the Kirby instance with an instance of your CustomUsersView. Instead, you need to replace the Kirby class and return your custom Users object from that (like in the Site example, where the custom Kirby class returns a custom Site object).
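A sketch of the approach described in the reply above, added here as an example; it is not code from the thread or from Kirby itself. It is a simpler variant that filters inside an overridden `users()` on the custom Kirby class rather than in a separate Users subclass. The class name `CustomKirby`, the `$resolvingCurrentUser` flag and the role id `team` are assumptions, as are the `App::users(): Users` signature (Kirby 4) and the fact that Kirby resolves the logged-in user through `users()`.

```php
<?php
// Added example, not Kirby's or the poster's code. Assumes Kirby 4's
// App::users(): Users signature and a role blueprint with the id "team".

use Kirby\Cms\App;
use Kirby\Cms\User;
use Kirby\Cms\Users;

class CustomKirby extends App
{
    // Hypothetical guard flag: true while the current user is being resolved.
    protected bool $resolvingCurrentUser = false;

    public function users(): Users
    {
        $all = parent::users();

        // Assumption: the session lookup for the logged-in user calls users()
        // itself, so hand back the unfiltered set while resolving. Without
        // this guard, users() -> user() -> users() would recurse forever.
        if ($this->resolvingCurrentUser === true) {
            return $all;
        }

        $this->resolvingCurrentUser = true;
        try {
            $current = $this->user();
        } finally {
            $this->resolvingCurrentUser = false;
        }

        // Only the restricted role gets the reduced view. Admins, other
        // roles and logged-out requests (the login itself) see every user.
        if ($current?->role()->id() === 'team') {
            return $all->filter(fn (User $user) => $user->isAdmin() === false);
        }

        return $all;
    }
}

// In index.php, after requiring Kirby's bootstrap.php, boot through the
// subclass instead of the stock class:
// echo (new CustomKirby())->render();
```

The filter only hides admins from code paths that go through `$kirby->users()`; the built-in rule that only admins can create, promote or demote admins stays in force independently of it.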

Just set the permissions for that user role to allow user creation but block access to the Admin role. This way, they can create users without editing or seeing Admins.