October: Super users are unable to modify their own group assignments

Created on 9 Sep 2016 · 10 Comments · Source: octobercms/october

Expected behavior

Be able to change the backend user's groups on the update screen for that user.

Actual behavior

The groups field does not display on the update screen for backend users. This is due to the context value being set for the groups field. There appears to be a bug in how its contexts are specified or how the form field code handles arrays for context values, as removing that property displays the groups field on the update screen for backend users.

groups:
    context: [create, update]
    label: backend::lang.user.groups
    commentAbove: backend::lang.user.groups_comment
    type: checkboxlist
Reproduce steps

Create a backend user, assign it to some groups, and then attempt to update it. The groups field will be missing from the update screen.

October build

dev-develop (Version as of 2016-09-08)

Labels: High, Accepted, Bug

All 10 comments

Update:
I just realized that the reason I wasn't seeing the groups field was that I only had one backend user, and the page that backend users get when they view their own account is a different context: myaccount.

Should the field be extended to be shown within the myaccount context as well and just use permissions to set whether they can manage groups or not?

Correct, myaccount context should allow updating groups for super users only. Regular users probably shouldn't have this kind of access.

@daftspunk does issue #1673 relate to this?

Closing as not relevant anymore.

It's still relevant I think: I cannot assign groups to my own user, whereas I can assign groups to everyone else.

I am a super user, can make other people super user, et cetera.

I'm having trouble understanding the need for the myaccount controller action. Surely the form and the options are applicable to all users, regardless of them being the currently logged-in user?

I'm interested in doing a PR, but would like to understand the reasoning first, to ensure informed decisions.

@harmenjanssen it's mostly from when permissions were assigned to groups, we didn't want users granting themselves more permissions by assigning new groups to themselves. Feel free to make a PR.

Hmm, makes sense. But in my case I can do more to others than myself.

I'll think about this some more.

To be clear, that shouldn't be too much of an issue anymore, as groups no longer contain permissions. However, probably the best way of handling this is to only add it to the myaccount context when the user has the appropriate permissions to use it (probably just manage_users).
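One way to implement the approach proposed in the comment above, as an added example rather than code from October CMS or from anyone in this thread: a small plugin that leaves the reported `context: [create, update]` field definition alone and adds the `groups` field to the `myaccount` screen only when the logged-in backend user holds a user-management permission. The plugin namespace is hypothetical, and the `backend.manage_users` permission code and the `extendFormFields` hook are assumed from October's backend, not taken from the issue text.

```php
<?php
// Added example (not October's own code). Assumes October's
// FormController extension hook on the Users controller and the
// `backend.manage_users` permission code; both are assumptions.

namespace Acme\AccountGroups; // hypothetical plugin namespace

use System\Classes\PluginBase;
use Backend\Controllers\Users as UsersController;
use BackendAuth;

class Plugin extends PluginBase
{
    public function pluginDetails()
    {
        return [
            'name'        => 'Account Groups',
            'description' => 'Shows the groups field on "My account" for users allowed to manage users.',
            'author'      => 'Acme',
        ];
    }

    public function boot()
    {
        UsersController::extendFormFields(function ($form, $model, $context) {
            // The create/update screens already carry the field through the
            // `context: [create, update]` setting in fields.yaml; only the
            // self-service "my account" screen needs extending.
            if ($context !== 'myaccount') {
                return;
            }

            $currentUser = BackendAuth::getUser();

            // Gate on a permission rather than on "this is my own record":
            // a user lacking manage_users must not be able to widen their
            // own group membership from their own account page.
            if (!$currentUser || !$currentUser->hasAccess('backend.manage_users')) {
                return;
            }

            // Same field definition the report shows, minus the context key,
            // since this closure already runs only for the myaccount context.
            $form->addFields([
                'groups' => [
                    'label'        => 'backend::lang.user.groups',
                    'commentAbove' => 'backend::lang.user.groups_comment',
                    'type'         => 'checkboxlist',
                ],
            ]);
        });
    }
}
```

If the project prefers the stricter "super users only" rule mentioned earlier in the thread, the permission check can be replaced with `$currentUser->isSuperUser()`; either way the decision is made server-side in the closure, so hiding or showing the widget never depends on the client.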

How is it checked outside myaccount?
Is the split still necessary even? I'm assuming I cannot add groups to other users without the right permissions, so wouldn't that mean I can just show the same form for "me" as for other users, since permissions are already checked correctly in the form?

I'd say the split is still worth it given potential for future changes that could continue to benefit from the current user having a different context when attempting to modify their own account.
