Multi-User admin UI: Who can see what. #3086
Comments
Only his own (published and drafts) + all published from someone else. Only his own posts should be editable though.
All posts.
correct
correct
no - this leads into more discussion/work around #1895
own
all
I have updated this issue with more info based on the comments - this has thrown up a number of API additions / amends that need to be made.
fixes TryGhost#3275, fixes TryGhost#3290, ref TryGhost#3086, ref TryGhost#3084 - Ensure that we use the current logged in user and not just user 1 when - removing hard coded user: 1 except where absolutely necessary - passing context, rather than user to models - base model has a new function to determine what id to use for created_by etc
Updated based on comments.
This is good reference material: #2264
Note: There are likely to be some subtleties here that won't be clear until we've actually tried logging in as a particular user. This is the best guess we've got in advance of how it should work.
Overall UI:
Settings screen
Settings/Users screen
Note: because editors can only edit authors, it would be nice if the user list only showed authors. However, that is counter to the API which will return all because editors can browse all users, see: #3097. Therefore it's ok if this list shows all active users, as long as only the authors are clickable.
Content list screen
Editor Screen
Note: because authors can only edit their own posts, it would be nice if the content list only showed their stuff. However, that is somewhat counter to the API which will return all because authors can browse all posts. We're going to need to change the Post API to handle this, issue TBD.
** - Because the author cannot see the settings screen, this makes editing their own profile (accessible through the user menu) somewhat weird, esp from a URL perspective. There is probably another issue to be done here.
Dealing with permissions errors:
Anyone trying to do something for which they don't have permission should see an error. Short term this is probably the error template with a 403 and a reasonable error message.
Preferable is to send them back to /ghost/ with an error notification, but this may be too time consuming for now.
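The rules noted above (editors can browse all users but only edit authors, authors can browse all posts but only edit their own, and a 403 for anything else) can be expressed as a server-side check that is independent of what the list screens make clickable. This is an added example, not part of the original issue and not Ghost's code; every function name, field name, role string and sample record in it is hypothetical.

```javascript
// Added example: rules come from the notes in this issue; all names are hypothetical.
class NoPermissionError extends Error {
  constructor(message) {
    super(message);
    this.statusCode = 403; // the issue asks for a 403 and a reasonable message
  }
}

// Edit rules stated in the issue: editors can only edit authors,
// authors can only edit their own posts. Anything else is denied;
// roles the issue does not describe here are not modelled.
function canEdit(actor, resourceType, target) {
  if (actor.role === 'Editor' && resourceType === 'user') {
    return target.role === 'Author';
  }
  if (actor.role === 'Author' && resourceType === 'post') {
    return target.authorId === actor.id;
  }
  return false;
}

// Server-side guard for edit requests. It runs on every request, so a record
// that was listed (browse allows it) but not clickable still cannot be edited.
function assertCanEdit(actor, resourceType, target) {
  if (!canEdit(actor, resourceType, target)) {
    throw new NoPermissionError(`You do not have permission to edit this ${resourceType}.`);
  }
  return true;
}

// Users screen: keep every user the browse call returned, flag only the editable ones.
function annotateUserList(actor, users) {
  return users.map((u) => ({ ...u, clickable: canEdit(actor, 'user', u) }));
}

// Constructed sample data.
const sampleUsers = [
  { id: 1, name: 'Ed', role: 'Editor' },
  { id: 2, name: 'Ann', role: 'Author' },
  { id: 3, name: 'Olly', role: 'Owner' },
];
const samplePosts = [
  { id: 10, authorId: 2, status: 'draft' },
  { id: 11, authorId: 1, status: 'published' },
];
```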