Bug description
If a user does not have permission to assign roles, but the user blueprint imports a fieldset that has a roles field, the roles field is NOT read-only.

How to reproduce
Create field with roles field:
```yaml
-
  handle: roles
  field:
    type: user_roles
```
Import that field in the user blueprint
Create user with assign roles permission
Impersonate that user and open an existing user
See that the roles field is editable (it shouldn't be)

Logs
No response

Environment

Installation
Fresh statamic/statamic site via CLI

Antlers Parser
Runtime (default)

Additional details
The issue stems from this code in UserController:
```php
if (! User::current()->can('assign roles')) {
    $blueprint->ensureField('roles', ['visibility' => 'read_only']);
}
```
Because the field DOES exist, that config is not merged in. If you try to use $blueprint->ensureFieldHasConfig('roles', ['visibility' => 'read_only']); instead you get an error because that method only fetches top level fields, and doesn't do the import. See the difference between:
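
Added example, not part of the original issue and not Statamic's code: a simplified model of the behaviour described above, showing why an add-if-missing call leaves an imported `roles` field editable. `ToyBlueprint`, `resolved()` and `forceConfig()` are hypothetical names; only the `ensureField` / `ensureFieldHasConfig` semantics are taken from the description in this report.

```php
<?php
// Simplified stand-in for a blueprint: NOT Statamic's Blueprint class.
// Top-level fields live in $own; fields pulled in from a fieldset live in $imported.
final class ToyBlueprint
{
    public function __construct(private array $own, private array $imported) {}

    // Every field the form renders, with imports resolved (top-level wins).
    public function resolved(): array
    {
        return array_merge($this->imported, $this->own);
    }

    // Add-if-missing: an existing field, even an imported one, is left untouched.
    public function ensureField(string $handle, array $config): void
    {
        if (! array_key_exists($handle, $this->resolved())) {
            $this->own[$handle] = $config;
        }
    }

    // Looks at top-level fields only, so an imported handle is reported as missing.
    public function ensureFieldHasConfig(string $handle, array $config): void
    {
        if (! array_key_exists($handle, $this->own)) {
            throw new RuntimeException("Field [$handle] is not a top-level field");
        }
        $this->own[$handle] = array_merge($this->own[$handle], $config);
    }

    // Hypothetical fix: apply the override wherever the field was defined.
    public function forceConfig(string $handle, array $config): void
    {
        $this->own[$handle] = array_merge($this->resolved()[$handle] ?? [], $config);
    }
}

$canAssignRoles = false; // constructed: the current user lacks "assign roles"
$bp = new ToyBlueprint([], ['roles' => ['type' => 'user_roles']]); // roles comes from an import
if (! $canAssignRoles) {
    $bp->ensureField('roles', ['visibility' => 'read_only']);
}
var_dump($bp->resolved()['roles']['visibility'] ?? 'editable');

$bp->forceConfig('roles', ['visibility' => 'read_only']);
var_dump($bp->resolved()['roles']['visibility']);
```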