It's good if:
"Sales Department" only access to "Orders" menu,
"Transport Department" only access to "Shipments" menu,
and "Products Department" only access to "Catalog" menu!
If an "admin" user has got the "Manage Customers" permission, but not the "Manage Customer Roles", they are unable to create a new Customer through the Manage Customer admin section as the system requires a new customer to be either a Guest or a Registered user, which the admin user is not allowed to set.
The problem is that if you give an admin user the "Manage Customer Roles" permission they can assign any role (including Administrator) to any user (including themselves), which will then allow them to do anything in the system.
An easy way to fix this will be to default newly created users to the "Registered User" Role, but I think a nicer way is:
Have some sort of "Customer Role Hierarchy". This could be something simple like a permission number (see below), and only allow users to assign roles lower or equal to theirs. This could also be extended to not allow users (Customers) with a lower role to edit customers with a higher role.
This would also make it easier and safer to give login details to individual store owners.
Guest: 0
Registered: 20
Forum Moderators: 50
"Junior Admin": 60
"Senior Admin": 70
Administrators: 100
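
A sketch of the rank check proposed above, added here as an illustration and not taken from the project's code. The rank numbers come from the list in the issue; the function names, the use of a customer's highest role as their rank, and the fallback to "Registered" for an empty role list are assumptions.

```python
# Ranks copied from the list in the issue.
ROLE_RANK = {
    "Guest": 0,
    "Registered": 20,
    "Forum Moderators": 50,
    "Junior Admin": 60,
    "Senior Admin": 70,
    "Administrators": 100,
}
DEFAULT_ROLE = "Registered"  # the "easy fix": new customers default to this


def rank(roles):
    """Highest rank among a customer's roles (assumption: highest role wins)."""
    unknown = sorted(r for r in roles if r not in ROLE_RANK)
    if unknown:
        raise ValueError(f"unknown role(s): {unknown}")
    return max((ROLE_RANK[r] for r in roles), default=0)


def can_edit(actor_roles, target_roles):
    """A lower-ranked user may not edit a higher-ranked customer."""
    return rank(actor_roles) >= rank(target_roles)


def set_roles(actor_roles, target_roles, requested_roles):
    """Return the target's new role set, or raise PermissionError.

    Meant to run server-side on every create and edit, including when the
    acting user edits their own account, so nobody can grant a role ranked
    above their own. Pass an empty target_roles when creating a customer.
    """
    limit = rank(actor_roles)
    if not can_edit(actor_roles, target_roles):
        raise PermissionError("target customer outranks the acting user")
    added = set(requested_roles) - set(target_roles)
    too_high = sorted(r for r in added if rank([r]) > limit)
    if too_high:
        raise PermissionError(f"cannot assign roles above own rank: {too_high}")
    # Removals need no extra check: every role the target holds is already
    # at or below the actor's rank once can_edit() has passed.
    return set(requested_roles) or {DEFAULT_ROLE}
```

With these rules a "Junior Admin" can create customers and promote them up to "Junior Admin", but cannot add "Administrators" to any account, their own included.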