Changing user permissions

This recipe requires UserFrosting version 4.1.12 or newer.

This recipe will guide you through giving any registered user access to the users and groups pages. To see the results, you'll need two user accounts: the root account and a non-root account. The root account will be used to change the roles from the UI, and the non-root account to test those changes.

This example only covers the built-in permissions and roles. For a more in-depth discussion of adding custom permissions to your application, and managing additional roles, see the Access Control chapter.

This recipe was sponsored by adm.ninja. Get in touch with the UserFrosting team if you want to sponsor a custom recipe for your organization!

Changing the permissions for the User role

The first step is to edit the default permissions of the User role, which was automatically created when you installed UserFrosting. The goal here is to give read access to the built-in Group Management page and User Management page to users who have the User role. With the root account, go to the Roles page and click on Manage Permissions in the Actions dropdown of the User role.

Default permission

Add the following permissions to the role:

  • View group (View the group page of any group.)
  • View group (View certain properties of any group.)
  • Group management page
  • View user
  • User management page

Modified permissions

At this point, any user (assuming they have the User role) should be able to see the Groups and Users links in the sidebar, as well as the list and details pages for users and groups.

Public group page

Public user page

As of version 4.1.12, the Actions dropdown in the user and group management tables still shows links to administrative functions, even if the current user doesn't actually have the necessary permissions. Clicking on any of those links will throw a ForbiddenAccess exception. This is a known limitation and only constitutes a minor user experience issue. It is not a security issue, as access is still controlled in the relevant server-side endpoints.
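The server-side gate the paragraph above relies on, as an added illustration (not code from the UserFrosting project): a page controller written in the UserFrosting 4.1 style that checks a permission slug before rendering the user management page. The class name `UserPageController`, the `Site` sprinkle namespace and the slug `uri_users` (assumed to be the slug behind the "User management page" permission) are assumptions.

```php
<?php
namespace UserFrosting\Sprinkle\Site\Controller;

use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use UserFrosting\Sprinkle\Core\Controller\SimpleController;
use UserFrosting\Support\Exception\ForbiddenException;

class UserPageController extends SimpleController
{
    /**
     * Renders the user management page.
     *
     * Access is decided here, on the server, from the current user's roles and
     * permissions. A link being visible in the sidebar or in the Actions
     * dropdown never grants anything by itself.
     */
    public function pageList(Request $request, Response $response, $args)
    {
        /** @var \UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
        $authorizer = $this->ci->authorizer;

        /** @var \UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
        $currentUser = $this->ci->currentUser;

        // 'uri_users' is assumed to be the slug of the "User management page"
        // permission that this recipe adds to the User role.
        if (!$authorizer->checkAccess($currentUser, 'uri_users')) {
            // Same outcome an unauthorized user gets from the dropdown links:
            // the request is refused no matter what the UI displayed.
            throw new ForbiddenException();
        }

        return $this->ci->view->render($response, 'pages/users.html.twig');
    }
}
```

Because every administrative endpoint performs the same kind of `checkAccess` call, a non-root user who follows a stale dropdown link ends up at this exception rather than at the administrative action.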