Non-superuser with user-admin permission does not see user groups

[niklaka]

Both list in /processwire/access/usergroups/ and user groups dropdown in user edit are empty.

Selector survives find() hook unmodified (because the template is admin) so it's probably something a bit deeper. PageFinder::getQueryAllowedTemplates() gets my vote at the moment. It seems hooking that one may be inevitable. And that's perfectly logical - why wouldn't we need to catch everything having something to do with template based access control to replace it properly.

[niklaka]

Yep, PageFinder::getQueryAllowedTemplates() adds a little this and that to queries for non-superusers. Naturally it won't work as it uses template based access definitions from pages_access.

So I'd say it needs to be hooked and implemented to obey our rules. Whether we need a find() hook or not after that is left to be seen. This hook is nowhere near trivial I think - the logic has to be rock solid not to let anything slip through.

I'll leave this issue open and possibly open up another discussion issue on that hook after having thought about it a little.

For now there's a workaround: just define proper access through editing template "user-group". That'll do the magic.

[niklaka]

This will be the same for all the admin side stuff: non-superusers still need template based access to be in place. And that's fine actually, these two methods can co-exists as long as template based stuff gets hidden for templates with manage_access field.

We'll see if that hook's needed after all - there may be other ways.

[apeisa]

That was my original intention: leave the admin side as it is - defined by roles and template access. Might lead to confusion on some instances (like it sometimes does with Page fields in general - superuser sees options, while client has empty select field etc...).

[niklaka]

Yes, that sounds just fine. I think I'll close this issue for now.