User with editor permission can change other users profile image

Hello,

Coming from WordPress, I'm now pretty much done setting everything up. Having started locally, I published this baseline to my web server and started setting up user roles and accounts.
The online documentation (Permissions | Kirby CMS) on how to deal with permissions is pretty straightforward and easy to follow.

The first role I set up was the editor role, and I did it just like the online example. However, with

permissions:
  users: false

I was expecting that the user could not access the accounts in the Panel.
=> But it can. It cannot change anything in any other user account.
=> Except: this account is able to alter the profile image of any other user.

Is there anything I misunderstood?
Are users with the editor role configured like this supposed to be able to open the accounts page in the Panel?
How is it possible that such a user can alter the profile image of other users?

Another thing that I encountered:
=> Somehow, as an admin user, I cannot just set a password for other users. The dialog requests the current password first. But isn't it the role of an administrator to set passwords for others?

Best
Rufux

Hi @rufux,

If you also want to restrict access to the other users in the Panel, you need to set

permissions:
  access:
    users: false

Your code

permissions:
  users: false

is only a shortcut to disable all the actions listed here at once. Combining both disables access as well as actions.

There are currently no permissions around user avatar actions. Indeed, users can alter the avatars of other users. Offering permissions to restrict this is a feature we want to add in an upcoming v5.x release.

It is, and you can. But you first have to enter your own current password. This adds an additional layer of security: if malicious actors ever get access to your Panel session (but do not know your password), they cannot change your own or other users' passwords without confirming your current password.
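The two settings from the answer above, written out together as one complete role blueprint. This is an added example, not code from the original post or from the Kirby project; the file path (Kirby's conventional location for role blueprints) and the `title` value are assumptions.

```yaml
# site/blueprints/users/editor.yml  (path assumed)
title: Editor

permissions:
  # Removes the "Users" area from the Panel for this role.
  # On its own, `users: false` further down only blocks the user
  # actions; the accounts view itself stays reachable, which is the
  # behaviour described in the question.
  access:
    users: false

  # Shortcut that disables all user actions at once (changing another
  # user's name, email, password, role; creating or deleting users).
  users: false

  # Caveat from the answer above: there is currently no permission for
  # avatar/profile-image changes, so this blueprint does not prevent
  # an editor from altering other users' profile images.
```

Without the `access` block, an editor configured with only the shortcut can still open the accounts page, which matches what the question reports; with both blocks, the area is hidden and the actions are blocked.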