Open lorenzulrich opened 1 year ago
The determination whether editing/deleting/impersonating a user is allowed is based on https://github.com/neos/neos-development-collection/blob/9.0/Neos.Neos/Classes/ViewHelpers/Backend/IsAllowedToEditUserViewHelper.php. Here, there is a comparison between the number of roles of the UserManager user and the user to be edited/removed/impersonated. This is a bit undercomplex and maybe not so much a topic of NeosAcl.
A person having the Neos.Neos:UserManager role is allowed to create/edit users with the same or lower privileges - based on their roles.

When using Sandstorm.NeosAcl, you will normally assign Neos.Neos:LivePublisher (or Neos.Neos:Editor) to such users so the dynamic roles don't need to be assigned explicitly.

However, if they don't have these roles assigned explicitly, they technically don't have the same or higher permissions than users with dynamic roles, therefore they can't edit, remove or impersonate them.
How could this be solved? I was thinking about a parent role Sandstorm.NeosAcl:DynamicRole that all dynamic roles inherit from, but I'm not sure if this would solve the problem?

Steps to reproduce

Foo.
user-manager with roles Neos.Neos:Editor and Neos.Neos:UserManager.
restricted-editor with permissions RestrictedEditor and the dynamic role Foo.
user-manager and go to the user management module.

Expected behaviour

user-manager can edit/remove user restricted-editor because they (implicitly) have higher permissions.

Actual behaviour

user-manager can't edit/remove user restricted-editor because they don't have the dynamic Role applied.

Workaround

user-manager.