Standalone - Iterate on Roles
Follow up to #4466 (closed)
At the Ashbourne Sprint, roles were discussed, and Standalone now has 3 roles:
- Everyone, including anonymous users
- Staff
- Administrator
One possible concern is that the Administrator role can be changed. Recent PRs have made it so that the role cannot be removed, but its capabilities are still editable. If the capabilities were changed by an existing admin, the system would become unusable.
Steps to reproduce
- Login as an admin
- Remove all permissions for the administrator role except AuthX.
- Log out
- Log in
- Error - too many redirects, as the admin account cannot access CiviCRM
We should protect against this by:
- not showing any editable permissions for the administrator account
- making the internal name unchangeable
- leaving the label changeable by the site admin
- programmatically granting all permissions to the administrator role
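As an added illustration (not CiviCRM Standalone code; every class, method, role name and permission string below is hypothetical), this sketches the three protections listed above: the administrator role's internal name is fixed, its label stays editable, and its permissions come from code rather than from the editable store, so the lockout in the reproduction steps cannot happen.

```php
<?php
// Hypothetical role store; names and permission strings are assumptions,
// not CiviCRM Standalone identifiers.
final class RoleRegistry
{
    private const ADMIN = 'admin'; // internal name, never changed

    /** @var array<string, array{label: string, permissions: string[]}> */
    private array $roles = [
        // Stored admin permissions are already reduced to AuthX only,
        // mirroring the reproduction steps in this issue.
        'admin' => ['label' => 'Administrator', 'permissions' => ['authenticate with password']],
        'staff' => ['label' => 'Staff', 'permissions' => ['authenticate with password', 'access CiviCRM']],
    ];

    public function setLabel(string $role, string $label): void
    {
        $this->roles[$role]['label'] = $label; // labels stay site-editable for every role
    }

    public function rename(string $role, string $newName): void
    {
        if ($role === self::ADMIN) {
            throw new LogicException('The administrator role cannot be renamed internally.');
        }
        $this->roles[$newName] = $this->roles[$role];
        unset($this->roles[$role]);
    }

    public function setPermissions(string $role, array $permissions): void
    {
        if ($role === self::ADMIN) {
            // Nothing to show or edit for the admin role; refuse the write.
            throw new LogicException('Administrator permissions are not editable.');
        }
        $this->roles[$role]['permissions'] = $permissions;
    }

    public function hasPermission(string $role, string $permission): bool
    {
        if ($role === self::ADMIN) {
            return true; // granted programmatically; the stored list is irrelevant
        }
        return in_array($permission, $this->roles[$role]['permissions'] ?? [], true);
    }
}

$registry = new RoleRegistry();
// Despite the stripped-down stored list, the admin still gets 'access CiviCRM',
// so the post-login redirect loop from the reproduction steps does not occur.
var_dump($registry->hasPermission('admin', 'access CiviCRM'));
$registry->setLabel('admin', 'Site Owner'); // allowed: only the label changes
```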
In addition, there is a potential UX issue with assigning permissions.
The Search kit multi-select is useful if we only want a few permissions, but difficult if a role needs many permissions.
Rather than revert to the existing laundry list of permissions used by Drupal and WP, we should consider a checkbox approach grouped by 'category'.
@andyburns suggested an interface similar to the following:
This interface is from the User Role Editor plugin from WordPress.
It categorizes permissions by type, allows filtering and has a checkbox interface. I think this would be a nice improvement to be considered.