statamic / ideas

💡 Discussions on ideas and feature requests for Statamic
https://statamic.dev

Prevent the `edit users` and `change passwords` permissions from affecting Super Admins #1188

Open aaronbushnell opened 4 months ago

aaronbushnell commented 4 months ago

Currently when the edit users or change passwords permission is enabled it allows a user with that permission to edit any user's data or password—even if that individual is a Super Admin.

I'd like to allow a client to edit their colleague's information and passwords without also being able to edit super users, too.

aaronbushnell commented 4 months ago

After a Discord discussion with Jason an option to work around this is to create a custom user policy that will prevent super admins from being edited by non-admins.

I still think a more ideal solution would be for Statamic to natively prevent non-admins from editing an admin, but this may help in the meantime!

AppServiceProvider

```php
// Requires `use App\CustomUserPolicy;` and `use Statamic\Policies\UserPolicy;`
// at the top of the provider. Binding the abstract policy class makes the Gate
// resolve the custom subclass wherever Statamic's UserPolicy would be used.
public function register(): void
{
    $this->app->bind(UserPolicy::class, CustomUserPolicy::class);
}
```

app/CustomUserPolicy.php

```php
<?php

namespace App;

use Statamic\Facades\User;
use Statamic\Policies\UserPolicy;

class CustomUserPolicy extends UserPolicy
{
    public function edit($authed, $user)
    {
        $user = User::fromUser($user);
        $authed = User::fromUser($authed);

        if (! $authed->isSuper() && $user->isSuper()) {
            return false; // Non-super users may not edit super users.
        }

        return parent::edit($authed, $user);
    }

    public function editPassword($authed, $user)
    {
        $user = User::fromUser($user);
        $authed = User::fromUser($authed);

        if (! $authed->isSuper() && $user->isSuper()) {
            return false; // Non-super users may not edit super users.
        }

        return parent::editPassword($authed, $user);
    }
}
```
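A regression test for the workaround above, added here as an example and not part of the original thread or of Statamic itself. It assumes a standard Statamic application test setup (`Tests\TestCase` booting Statamic), that the `AppServiceProvider` binding from the comment is in place, and that Statamic registers `UserPolicy` with the Gate for its user contract so `Gate::forUser()` resolves the custom subclass; the role handle, permission names and e-mail addresses are constructed for the test.

```php
<?php

namespace Tests\Feature;

use Illuminate\Support\Facades\Gate;
use Statamic\Facades\Role;
use Statamic\Facades\User;
use Tests\TestCase;

class CustomUserPolicyTest extends TestCase
{
    // Non-super user holding exactly the two permissions the thread is about.
    private function editor()
    {
        Role::make()->handle('editor')
            ->addPermission('edit users')
            ->addPermission('change passwords')
            ->save();

        $editor = User::make()->email('editor@example.com')->assignRole('editor');
        $editor->save();

        return $editor;
    }

    private function superAdmin(string $email)
    {
        $super = User::make()->email($email)->makeSuper();
        $super->save();

        return $super;
    }

    public function test_editor_cannot_edit_a_super_admin_or_their_password()
    {
        $editor = $this->editor();
        $super = $this->superAdmin('super@example.com');

        // Both overridden policy methods must deny, regardless of granted permissions.
        $this->assertFalse(Gate::forUser($editor)->allows('edit', $super));
        $this->assertFalse(Gate::forUser($editor)->allows('editPassword', $super));
    }

    public function test_editor_can_still_edit_a_regular_colleague()
    {
        $editor = $this->editor();
        $colleague = User::make()->email('colleague@example.com');
        $colleague->save();

        // parent::edit() / parent::editPassword() still honour the role permissions.
        $this->assertTrue(Gate::forUser($editor)->allows('edit', $colleague));
        $this->assertTrue(Gate::forUser($editor)->allows('editPassword', $colleague));
    }

    public function test_super_admin_can_still_edit_another_super_admin()
    {
        $a = $this->superAdmin('a@example.com');
        $b = $this->superAdmin('b@example.com');

        $this->assertTrue(Gate::forUser($a)->allows('edit', $b));
    }
}
```

Run it with `php artisan test --filter CustomUserPolicyTest`; the first test fails without the container binding, which makes it a useful guard against the override being dropped later.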