Sorry, we don't support your browser.  Install a modern browser

one user multiple roles#341


I would like to see the possiblity to add more than 1 role to a user in kirby.

There have been frequent discussions and questions about more than 1 role per user ( / ), but no decision, if this feature is necessary and should be implemented

How many of you might need that option?

Regards, Ralf

9 months ago

As far as I can tell, implementing support for multiple roles in the core would be very complex as the roles can contradict each other e.g. with permissions. For example one role could explicitly allow an action and the other could disallow the same action.

@Ralf_schmitt What is your use case for multiple roles per user? Maybe we can find another solution for this.

9 months ago

Lukas Bestle :
Thank you for your reply.
I’ve seen the same concern mentioned in the discussion of 2015.

But maybe there is a confusion in the way you (or maybe me) look at permissions, users and roles.

Roles collect permissions for a certain task to be given to not one, but most probably many users. Two users with different roles have different permissions, because having 2 roles with the same permissions doesn’t make sense. Two users with same roles have of course the exactly same permissions.

Users on the other hand can have more than one function in a company or a club or whatever. Meaning that IT-wise they probably need to either have more than one account OR more than one role to be able to fulfill their functions

So if two Roles give contradicting permissions to a user, you have to establish a hierarchy of permissions or statuses of permissions. And in conflict the higher permission (or status) wins.

It’s been a long time since I worked with wordpress, but as far as I remember, that’s how wordpress deals with different roles and permissions.

Looking at this from the roles perspective it seems there are contradicting permissions. But from the user perspective the permissions are complementing. As an author I can write an article, but not publish it. As an editor on the other hand I can give clearance to publish it. With both roles I have extended permissions. And still all the other authers cannot publish their articels themselves…

In kirby-terms that means: if you have panel:false in one role-blueprint and panel:true in another and both roles are given to one user, true always wins.

So, if that makes sense to you, it should be possible to come up with something that allows kirby-users to have more than one role. Other CMS’s are doing it too 🙂

9 months ago

You are right, from that perspective it makes sense. The more roles someone has in the company, the more permissions that user will have in Kirby.

One potential problem though: The default permission for every action is true in Kirby. So if you have one role that disables some permissions and another role that doesn’t define a value at all for the same permissions, the second role will allow access. This could be by design or by accident. This behavior is not bad by itself, but it needs to be considered by developers when working with multiple roles per user – the roles need to be carefully designed.

But if we look at it from the same perspective as in your example it still makes sense: If a user already has most permissions because one role doesn’t explicitly block these actions, then another role can only ever extend that set of permissions.

8 months ago

@Lukas Bestle : Good to hear.
So, will it probably become a feature in kirby 4? Or even earlier?

8 months ago

To be honest it’s one of these features where surprising issues can pop up during the implementation. It’s hard to say in advance whether there will be breaking-changes or unexpected limitations.

So far I don’t see a huge breaking-change, so the feature can come in Kirby 3.x.

However I can’t promise when it will happen at this point. The list of feature requests is long and we really need to focus on features that are useful to many users. So let’s see how high the demand in the community is for this feature. I hope you understand. :)

8 months ago