Multi-User admin UI: Who can see what. #3086

Closed
13 of 17 tasks
ErisDS opened this issue Jun 24, 2014 · 3 comments

@ErisDS
Member

ErisDS commented Jun 24, 2014

Updated based on comments.

This is good reference material: #2264

Note: There are likely to be some subtleties here that won't be clear until we've actually tried logging in as a particular user. This is the best guess we've got in advance of how it should work.

Overall UI:

  • author: doesn't see 'settings' in the navbar
  • all other roles: can see the 'settings' item

Settings screen

  • author: cannot get here **
  • editor: only has the 'users' pane available.

Settings/Users screen

  • author: cannot get here **
  • editor: gets a version restricted to authors; editors can only edit author-level users:
    • can invite authors only
    • can see a list of invites to authors
    • can revoke invites to authors
    • can edit authors

Note: because editors can only edit authors, it would be nice if the user list only showed authors. However, that is counter to the API which will return all because editors can browse all users, see: #3097. Therefore it's ok if this list shows all active users, as long as only the authors are clickable.

Content list screen

  • author:
    • can browse all their own posts
    • can only edit their own posts: so no post settings or edit icons if they don't own the post
  • editor: can browse and edit everything

Editor Screen

  • author: can access the editor to create new posts, or edit their own.
  • author: cannot access the editor to edit other people's posts
  • editor: can edit any post

Note: because authors can only edit their own posts, it would be nice if the content list only showed their stuff. However, that is somewhat counter to the API which will return all because authors can browse all posts. We're going to need to change the Post API to handle this, issue TBD.

** - Because the author cannot see the settings screen, this makes editing their own profile (accessible through the user menu) somewhat weird, esp from a URL perspective. There is probably another issue to be done here.

Dealing with permissions errors:

Anyone trying to do something for which they don't have permission should see an error. Short term this is probably the error template with a 403 and a reasonable error message.
Preferable is to send them back to /ghost/ with an error notification, but this may be too time consuming for now.

@ErisDS ErisDS added this to the 0.5 Multi-user milestone Jun 24, 2014
@ErisDS ErisDS added the users label Jun 24, 2014
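
The role rules from the issue description above, sketched as a single server-side policy that both the API and the UI can consult (an added example, not part of the original issue or Ghost's code). The names `RULES`, `can`, `authorize`, `userListForUi` and `PermissionError` are hypothetical; only the author and editor rules are modelled, and any other role or action is denied.

```javascript
// Added example, not Ghost's code: the issue's author/editor rules as one
// deny-by-default table. Every name below is hypothetical.
class PermissionError extends Error {
  constructor(action) {
    super(`Permission denied for action "${action}"`);
    this.statusCode = 403; // short-term handling per the issue: error page with a 403
  }
}

// Each rule receives the acting user and the thing being acted on.
const RULES = {
  author: {
    'settings.view': () => false, // author "cannot get here"
    'post.create': () => true,
    'post.edit': (user, post) => post.created_by === user.id, // own posts only
  },
  editor: {
    'settings.view': (user, pane) => pane === 'users', // only the 'users' pane
    'post.create': () => true,
    'post.edit': () => true,
    'user.invite': (user, invite) => invite.role === 'author',
    'user.edit': (user, target) => target.role === 'author',
  },
};

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Roles or actions missing from the table are denied, never allowed by default.
function can(user, action, target) {
  if (!own(RULES, user.role) || !own(RULES[user.role], action)) return false;
  return RULES[user.role][action](user, target) === true;
}

// Server-side gate: call before performing the action, whatever the UI showed.
function authorize(user, action, target) {
  if (!can(user, action, target)) throw new PermissionError(action);
  return target;
}

// Settings/Users list as the issue accepts it: all users are listed (the API
// returns all), but only rows the viewer may edit are marked clickable.
function userListForUi(viewer, users) {
  return users.map((u) => ({ name: u.name, clickable: can(viewer, 'user.edit', u) }));
}

// Constructed sample data.
const alice = { id: 1, name: 'alice', role: 'editor' };
const bob = { id: 2, name: 'bob', role: 'author' };
console.log(userListForUi(alice, [alice, bob]));
```

Because the UI flags and the 403 path read the same table, a hidden edit icon and a rejected request cannot drift apart.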
@halfdan
Contributor

halfdan commented Jun 24, 2014

can an author see all the posts on the content screen? or only their own posts?

Only his own (published and drafts) + all published from someone else. Only his own posts should be editable though.

if (post.status === 'published' || (post.status === 'draft' && post.created_by == currentUser))

what does an editor see?

All posts.

@JohnONolan
Member

an author shouldn't even see the settings option in the menu?

correct

an editor should only be able to get to /settings/users, and then only to invite users who are authors?

correct

Should an editor see the general or apps panes?

no - this leads into more discussion/work around #1895

can an author see all the posts on the content screen? or only their own posts?

own

what does an editor see?

all

@ErisDS ErisDS changed the title from "[TBD] UI Cleanup: Who can see what?" to "UI Cleanup: Who can see what." Jun 25, 2014
@ErisDS ErisDS changed the title from "UI Cleanup: Who can see what." to "Multi-User admin UI: Who can see what." Jun 25, 2014
@ErisDS
Member Author

ErisDS commented Jun 25, 2014

I have updated this issue with more info based on the comments - this has thrown up a number of API additions / amends that need to be made.

@ErisDS ErisDS mentioned this issue Jul 1, 2014
26 tasks
@ErisDS ErisDS self-assigned this Jul 14, 2014
ErisDS added a commit to ErisDS/Ghost that referenced this issue Jul 18, 2014
fixes TryGhost#3275, fixes TryGhost#3290, ref TryGhost#3086, ref TryGhost#3084

- Ensure that we use the current logged in user and not just user 1 when
- removing hard coded user: 1 except where absolutely necessary
- passing context, rather than user to models
- base model has a new function to determine what id to use for created_by etc
@ErisDS ErisDS removed their assignment Jul 31, 2014
@ErisDS ErisDS closed this as completed in 23b2ac0 Jul 31, 2014