getkirby · bastianallgeier · Oct 14, 2024 · Sep 7, 2024 · Sep 7, 2024 · Sep 7, 2024
diff --git a/config/areas/users/dialogs.php b/config/areas/users/dialogs.php
@@ -20,12 +20,19 @@
 		'pattern' => 'users/create',
 		'load' => function () {
 			$kirby = App::instance();
+			$roles = $kirby->roles()->canBeCreated();
 
 			// get default value for role
 			if ($role = $kirby->request()->get('role')) {
-				$role = $kirby->roles()->find($role)?->id();
+				$role = $roles->find($role)?->id();
 			}
 
+			// get role field definition, incl. available role options
+			$roles = Field::role(
+				roles: $roles,
+				props: ['required' => true]
+			);
+
 			return [
 				'component' => 'k-form-dialog',
 				'props' => [
@@ -39,17 +46,15 @@
 						'translation'  => Field::translation([
 							'required' => true
 						]),
-						'role' => Field::role([
-							'required' => true
-						])
+						'role' => $roles
 					],
 					'submitButton' => I18n::translate('create'),
 					'value' => [
 						'name'        => '',
 						'email'       => '',
 						'password'    => '',
 						'translation' => $kirby->panelLanguage(),
-						'role'        => $role ?? $kirby->user()->role()->name()
+						'role'        => $role ?? $roles['options'][0]['value'] ?? null
 					]
 				]
 			];
@@ -228,10 +233,13 @@
 				'component' => 'k-form-dialog',
 				'props' => [
 					'fields' => [
-						'role' => Field::role([
-							'label'    => I18n::translate('user.changeRole.select'),
-							'required' => true,
-						])
+						'role' => Field::role(
+							roles: $user->roles(),
+							props: [
+								'label'    => I18n::translate('user.changeRole.select'),
+								'required' => true,
+							]
+						)
 					],
 					'submitButton' => I18n::translate('user.changeRole'),
 					'value' => [

diff --git a/config/areas/users/views.php b/config/areas/users/views.php
@@ -18,7 +18,8 @@
 			return [
 				'component' => 'k-users-view',
 				'props'     => [
-					'role' => function () use ($kirby, $roles, $role) {
+					'canCreate' => $kirby->roles()->canBeCreated()->count() > 0,
+					'role' => function () use ($roles, $role) {
 						if ($role) {
 							return $roles[$role] ?? null;
 						}

diff --git a/panel/src/components/Views/Users/UserAvatar.vue b/panel/src/components/Views/Users/UserAvatar.vue
@@ -1,5 +1,10 @@
 <template>
-	<k-button :title="$t('avatar')" class="k-user-view-image" @click="open">
+	<k-button
+		:disabled="isLocked"
+		:title="$t('avatar')"
+		class="k-user-view-image"
+		@click="open"
+	>
 		<template v-if="model.avatar">
 			<k-image-frame :cover="true" :src="model.avatar" />
 			<k-dropdown-content
@@ -30,6 +35,7 @@
  */
 export default {
 	props: {
+		isLocked: Boolean,
 		model: Object
 	},
 	methods: {

diff --git a/panel/src/components/Views/Users/UserProfile.vue b/panel/src/components/Views/Users/UserProfile.vue
@@ -8,21 +8,21 @@
 					icon: 'email',
 					text: `${model.email}`,
 					title: `${$t('email')}: ${model.email}`,
-					disabled: !permissions.changeEmail || isLocked,
+					disabled: !canChangeEmail,
 					click: () => $dialog(model.link + '/changeEmail')
 				},
 				{
 					icon: 'bolt',
 					text: `${model.role}`,
 					title: `${$t('role')}: ${model.role}`,
-					disabled: !permissions.changeRole || isLocked,
+					disabled: !canChangeRole,
 					click: () => $dialog(model.link + '/changeRole')
 				},
 				{
 					icon: 'translate',
 					text: `${model.language}`,
 					title: `${$t('language')}: ${model.language}`,
-					disabled: !permissions.changeLanguage || isLocked,
+					disabled: !canChangeLanguage,
 					click: () => $dialog(model.link + '/changeLanguage')
 				}
 			]"
@@ -37,8 +37,14 @@
  */
 export default {
 	props: {
+		canChangeEmail: Boolean,
+		canChangeLanguage: Boolean,
+		canChangeRole: Boolean,
 		isLocked: Boolean,
 		model: Object,
+		/**
+		 * @deprecated Will be remove in v5
+		 */
 		permissions: Object
 	}
 };

diff --git a/panel/src/components/Views/Users/UserView.vue b/panel/src/components/Views/Users/UserView.vue
@@ -11,7 +11,7 @@
 		</template>
 
 		<k-header
-			:editable="permissions.changeName && !isLocked"
+			:editable="canChangeName"
 			class="k-user-view-header"
 			@edit="$dialog(id + '/changeName')"
 		>
@@ -50,6 +50,10 @@
 		</k-header>
 
 		<k-user-profile
+			:can-change-email="canChangeEmail"
+			:can-change-language="canChangeLanguage"
+			:can-change-name="canChangeName"
+			:can-change-role="canChangeRole"
 			:is-locked="isLocked"
 			:model="model"
 			:permissions="permissions"
@@ -71,7 +75,13 @@
 import ModelView from "../ModelView.vue";
 
 export default {
-	extends: ModelView
+	extends: ModelView,
+	props: {
+		canChangeEmail: Boolean,
+		canChangeLanguage: Boolean,
+		canChangeName: Boolean,
+		canChangeRole: Boolean
+	}
 };
 </script>
 

diff --git a/panel/src/components/Views/Users/UsersView.vue b/panel/src/components/Views/Users/UsersView.vue
@@ -5,7 +5,7 @@
 
 			<template #buttons>
 				<k-button
-					:disabled="!$panel.permissions.users.create"
+					:disabled="!canCreate"
 					:text="$t('user.create')"
 					icon="add"
 					size="sm"
@@ -30,6 +30,7 @@
  */
 export default {
 	props: {
+		canCreate: Boolean,
 		role: Object,
 		roles: Array,
 		search: String,

diff --git a/src/Cms/Roles.php b/src/Cms/Roles.php
@@ -25,9 +25,13 @@ class Roles extends Collection
 
 	/**
 	 * Returns a filtered list of all
-	 * roles that can be created by the
+	 * roles that can be changed by the
 	 * current user
 	 *
+	 * Use with `$kirby->roles()`. For retrieving
+	 * which roles are available for a specific user,
+	 * use `$user->roles()` without additional filters.
+	 *
 	 * @return $this|static
 	 * @throws \Exception
 	 */
@@ -50,7 +54,9 @@ public function canBeChanged(): static
 	/**
 	 * Returns a filtered list of all
 	 * roles that can be created by the
-	 * current user
+	 * current user.
+	 *
+	 * Use with `$kirby->roles()`.
 	 *
 	 * @return $this|static
 	 * @throws \Exception

diff --git a/src/Cms/User.php b/src/Cms/User.php
@@ -575,36 +575,23 @@ public function role(): Role
 
 	/**
 	 * Returns all available roles for this user,
-	 * that can be selected by the authenticated user
+	 * that the authenticated user can change to.
 	 *
-	 * @param string|null $purpose User action for which the roles are used (create, change)
+	 * For all roles the current user can create
+	 * use `$kirby->roles()->canBeCreated()`.
 	 */
-	public function roles(string|null $purpose = null): Roles
+	public function roles(): Roles
 	{
 		$kirby = $this->kirby();
 		$roles = $kirby->roles();
 
-		// for the last admin,
-		// only their current role (admin) is available for changing
-		if ($purpose === 'change' && $this->isLastAdmin() === true) {
-			// a collection with just the one role of the user
+		// if the authenticated user doesn't have the permission to change
+		// the role of this user, only the current role is available
+		if ($this->permissions()->can('changeRole') === false) {
 			return $roles->filter('id', $this->role()->id());
 		}
 
-		// filter roles based on the user action
-		// as user permissions and/or options can restrict these further
-		$roles = match ($purpose) {
-			'create' => $roles->canBeCreated(),
-			'change' => $roles->canBeChanged(),
-			default  => $roles
-		};
-
-		// exclude the admin role, if the user isn't an admin themselves
-		if ($kirby->user()?->isAdmin() !== true) {
-			$roles = $roles->filter(fn ($role) => $role->name() !== 'admin');
-		}
-
-		return $roles;
+		return $roles->canBeCreated();
 	}
 
 	/**

diff --git a/src/Cms/UserRules.php b/src/Cms/UserRules.php
@@ -128,7 +128,7 @@ public static function changeRole(User $user, string $role): bool
 		}
 
 		// prevent changing to role that is not available for user
-		if ($user->roles('change')->find($role) instanceof Role === false) {
+		if ($user->roles()->find($role) instanceof Role === false) {
 			throw new InvalidArgumentException([
 				'key' => 'user.role.invalid',
 			]);
@@ -210,7 +210,7 @@ public static function create(User $user, array $props = []): bool
 		// prevent creating a role that is not available for user
 		if (
 			in_array($role, [null, 'default', 'nobody'], true) === false &&
-			$user->kirby()->roles('create')->find($role) instanceof Role === false
+			$user->kirby()->roles()->canBeCreated()->find($role) instanceof Role === false
 		) {
 			throw new InvalidArgumentException([
 				'key' => 'user.role.invalid',

diff --git a/src/Panel/Field.php b/src/Panel/Field.php
@@ -6,6 +6,7 @@
 use Kirby\Cms\File;
 use Kirby\Cms\ModelWithContent;
 use Kirby\Cms\Page;
+use Kirby\Cms\Roles;
 use Kirby\Form\Form;
 use Kirby\Http\Router;
 use Kirby\Toolkit\I18n;
@@ -191,29 +192,33 @@ public static function password(array $props = []): array
 	/**
 	 * User role radio buttons
 	 */
-	public static function role(array $props = []): array
-	{
-		$kirby   = App::instance();
-		$isAdmin = $kirby->user()?->isAdmin() ?? false;
-		$roles   = [];
-
-		foreach ($kirby->roles() as $role) {
-			// exclude the admin role, if the user
-			// is not allowed to change role to admin
-			if ($role->name() === 'admin' && $isAdmin === false) {
-				continue;
-			}
-
-			$roles[] = [
-				'text'  => $role->title(),
-				'info'  => $role->description() ?? I18n::translate('role.description.placeholder'),
-				'value' => $role->name()
-			];
-		}
+	public static function role(
+		array $props = [],
+		Roles|null $roles = null
+	): array {
+		$kirby = App::instance();
+
+		// if no $roles where provided, fall back to all roles
+		$roles ??= $kirby->roles();
+
+		// exclude the admin role, if the user
+		// is not allowed to change role to admin
+		$roles = $roles->filter(
+			fn ($role) =>
+				$role->name() !== 'admin' ||
+				$kirby->user()?->isAdmin() === true
+		);
+
+		// turn roles into radio field options
+		$roles = $roles->values(fn ($role) => [
+			'text'  => $role->title(),
+			'info'  => $role->description() ?? I18n::translate('role.description.placeholder'),
+			'value' => $role->name()
+		]);
 
 		return array_merge([
 			'label'    => I18n::translate('role'),
-			'type'     => count($roles) <= 1 ? 'hidden' : 'radio',
+			'type'     => count($roles) < 1 ? 'hidden' : 'radio',
 			'options'  => $roles
 		], $props);
 	}

diff --git a/src/Panel/User.php b/src/Panel/User.php
@@ -70,7 +70,7 @@ public function dropdown(array $options = []): array
 			'dialog'   => $url . '/changeRole',
 			'icon'     => 'bolt',
 			'text'     => I18n::translate('user.changeRole'),
-			'disabled' => $this->isDisabledDropdownOption('changeRole', $options, $permissions) || $this->model->roles('change')->count() < 2
+			'disabled' => $this->isDisabledDropdownOption('changeRole', $options, $permissions) || $this->model->roles()->count() < 2
 		];
 
 		$result[] = [
@@ -218,14 +218,19 @@ public function prevNext(): array
 	 */
 	public function props(): array
 	{
-		$user    = $this->model;
-		$account = $user->isLoggedIn();
+		$user        = $this->model;
+		$account     = $user->isLoggedIn();
+		$permissions = $this->options();
 
 		return array_merge(
 			parent::props(),
 			$this->prevNext(),
 			[
-				'blueprint' => $this->model->role()->name(),
+				'blueprint'         => $this->model->role()->name(),
+				'canChangeEmail'    => $permissions['changeEmail'],
+				'canChangeLanguage' => $permissions['changeLanguage'],
+				'canChangeName'     => $permissions['changeName'],
+				'canChangeRole'     => $this->model->roles()->count() > 1,
 				'model' => [
 					'account'  => $account,
 					'avatar'   => $user->avatar()?->url(),