The fix requires a few changes - today the situation is:
1- Today only admin can manage users under System / Settings / Users; we want to open this to any user that has the right visualisation and ACL permissions.
We need to enable visualisations so that users other than admin can see other accounts, but ONLY if they are excepted under System / Settings / Visualisations. Admin will still have the hardcoded exception, meaning admin will always see other accounts no matter what is defined in the visualisation exceptions. So if user X, who belongs to any group, is excepted on visualisations, they will see other accounts.
There are four key actions on ACL that control users:
- /users/edit (which edits accounts and also allows users)
- importTool/upload/User (imports)
- user comments and attachments
We need to create a group called “User Management” with description “This group allows members to add, edit, import and delete user accounts. Add this group to System / Settings / Visualisations / User Management if you want them to be able to edit and delete accounts other than theirs” that grants the permissions mentioned above.
Any user granted these permissions should be able to perform these actions; of course, this is for nothing unless they are exempted in the visualisation settings mentioned above.
Hardcoded conditions:
- Admin can do all no matter what ACL is on it (this is default anyway)
- Users can't delete their own accounts; the option should simply not be visible to them. Now you see the delete option and get this error:
- Users cannot edit their own accounts; all fields (except password) are disabled:
I see no reason for this: if they have been granted edit permissions they should be able to edit all fields, so don't disable them.
5- The profile functionality (users/profile/) works even if it's denied on the ACL (there seems to be an ACL for this? Which one?). That is fine, as any user should be able to update their own password. I don't think the profile should allow users to modify the name, surname and email though, so please grey those fields out so they are not editable.
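The rules above can be written as one decision model, which makes the intended matrix easy to test. This is an added sketch, not code from the product: the `User` and `Policy` classes, the group names other than "User Management", and the sample accounts are hypothetical, the delete action name is a placeholder because the list above does not name it, and applying the self-delete rule to admin as well is an assumption.

```python
from dataclasses import dataclass

EDIT = "/users/edit"        # ACL action named in the list above
DELETE = "<delete-action>"  # placeholder: the list above does not name this action

@dataclass(frozen=True)
class User:
    id: int
    groups: frozenset
    is_admin: bool = False

@dataclass
class Policy:
    acl: dict                 # group name -> set of allowed ACL actions
    exempt_groups: frozenset  # groups excepted under Visualisations

    def has_acl(self, user, action):
        return user.is_admin or any(action in self.acl.get(g, ()) for g in user.groups)

    def sees_others(self, user):
        # Admin keeps the hardcoded exception; everyone else needs a visualisation exception.
        return user.is_admin or bool(user.groups & self.exempt_groups)

    def can_edit(self, actor, target):
        # Edit permission covers all fields of one's own account; other accounts also need visibility.
        if not self.has_acl(actor, EDIT):
            return False
        return actor.id == target.id or self.sees_others(actor)

    def can_delete(self, actor, target):
        # Self-delete is never offered (assumed to hold for admin too), so the UI hides the option.
        if actor.id == target.id:
            return False
        return self.has_acl(actor, DELETE) and self.sees_others(actor)

    def profile_editable_fields(self):
        # users/profile works regardless of ACL, but only the password may change there.
        return {"password"}

# Constructed sample data: "Helpdesk" has the ACL grant but no visualisation exception.
POLICY = Policy(
    acl={"User Management": {EDIT, DELETE}, "Helpdesk": {EDIT}, "Auditors": set()},
    exempt_groups=frozenset({"User Management"}),
)
ADMIN = User(1, frozenset(), is_admin=True)
MANAGER = User(2, frozenset({"User Management"}))
HELPDESK = User(3, frozenset({"Helpdesk"}))
AUDITOR = User(4, frozenset({"Auditors"}))
```

Rendering the delete button and the editable form fields from `can_delete` and `can_edit`, and enforcing the same checks again in the request handler, keeps what the user sees in line with what the server allows.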