search

TryGhost / Ghost

Independent technology for modern publishing, memberships, subscriptions and newsletters.
https://ghost.org
MIT License
47.15k stars 10.26k forks source link

Administrator permissions #8602

Closed JohnONolan closed 5 years ago

JohnONolan commented 7 years ago

image

I am an administrator, Kevin is the owner, when I try to give Kevin a location for his public profile... I get access-denied.

The intended behaviour is that administrators should be able to edit all users. The only thing they can't do is delete the owner. I have no idea if this is a new issue or an old issue

Ghost 1.0 beta-1

ErisDS commented 7 years ago

This is a different incarnation of the same issue that means it is pretty darn near impossible for us to make it so that authors cannot publish.

Administrators must not be allowed to change the role of an Owner.

A change is to a role is an "edit" action, we can either allow all edit actions or no edit actions.

Same with publishing a post, publishing is an edit to status, and we can either allow an author to edit everything or nothing.

We desperately need more fine-grained permissions. I would LOVE for someone to come along and see if they can even find a hacky workaround for this. I looked a couple of times and the level of hack grew beyond my tolerance each time.

PaszaVonPomiot commented 7 years ago

Hi, I see no reason why Administrator should be able to edit Owner's profile so I would give it a low priority. However as @ErisDS mentioned more granular permissions are important to have for example equivalent of Wordpress "contributor" role.

paulmaunders commented 7 years ago

As mentioned by @PaszaVonPomiot and @ErisDS more granular permissions would be really useful. We've been using Ghost for the last six months on one of our sites and we love it, but we are thinking we may have to switch back to WordPress to get a 'contributor' type role (e.g. someone who can write a post, but not publish). Are there any plans for this any time soon?

ErisDS commented 7 years ago

My last comment is the latest information there is. If you can PR it, we will merge it.

ErisDS commented 5 years ago

We now have support for attribute based permissions, so it should be possible to fix this. This issue needs a review, if it's now possible and straightforward to fix (i.e. will take < 1/2 day) we should fix it.

Else we should close due to lack of traction.

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.