This recipe requires UserFrosting version 4.1.12 or newer.
This recipe shows how to give any registered user access to the users and groups pages. To see the results, you'll need two user accounts: the root account and a non-root account. The root account is used to change the roles from the UI, and the non-root account is used to test those changes.
This example only covers the built-in permissions and roles. For a more in-depth discussion of adding custom permissions to your application, and managing additional roles, see the Access Control chapter.
The first step is to edit the default permissions of the User role, which was automatically created when you installed UserFrosting. The goal here is to give users who have the User role read access to the built-in Group Management page and User Management page. With the root account, go to the Roles page and click on Manage Permissions from the Actions dropdown of the User role.
Add the following permission to the role:
At this point, any user (assuming they have the User role) should be able to see the Users links in the sidebar, as well as the list and details pages for users and groups.
As of version 4.1.12, the Action dropdown in the user and group management tables still shows links to administrative functions, even if the current user doesn't actually have the necessary permissions. Clicking on any link will throw a ForbiddenAccess exception. This is a known limitation and only constitutes a minor user experience issue. It is not a security issue, as access is still controlled in the relevant server-side endpoints.
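The separation described above, as an added example that is not UserFrosting's own code: the endpoint re-checks the permission on every request, while filtering the dropdown with the same check only removes the dead links. The classes, functions, action labels and permission slugs are hypothetical stand-ins; PHP 8 is assumed.

```php
<?php
// Added illustration with stand-in classes; not UserFrosting's implementation.
class ForbiddenException extends RuntimeException {}

final class Authorizer
{
    /** @param array<string, string[]> $rolePermissions role => permission slugs */
    public function __construct(private array $rolePermissions) {}

    public function checkAccess(array $roles, string $slug): bool
    {
        foreach ($roles as $role) {
            if (in_array($slug, $this->rolePermissions[$role] ?? [], true)) {
                return true;
            }
        }
        return false;
    }
}

// Constructed sample data: placeholder slugs, not UserFrosting's permission slugs.
$authorizer = new Authorizer([
    'user'       => ['view_users', 'view_groups'],
    'site-admin' => ['view_users', 'view_groups', 'edit_user', 'delete_user'],
]);

// Row actions in the management table and the permission each endpoint requires.
const ACTIONS = ['Edit user' => 'edit_user', 'Delete user' => 'delete_user'];

// Server side: the check runs on every request, whatever links the UI rendered.
function handleAction(Authorizer $auth, array $roles, string $action): string
{
    if (!$auth->checkAccess($roles, ACTIONS[$action])) {
        throw new ForbiddenException("Access denied: $action");
    }
    return "$action: ok";
}

// UI side: render only the links the current user is permitted to use.
function visibleActions(Authorizer $auth, array $roles): array
{
    return array_keys(array_filter(ACTIONS, fn ($slug) => $auth->checkAccess($roles, $slug)));
}

// Links a User-role account would be offered once the dropdown is filtered.
var_dump(visibleActions($authorizer, ['user']));
try {
    // A request for an action the role lacks, sent regardless of what was rendered.
    handleAction($authorizer, ['user'], 'Delete user');
} catch (ForbiddenException $e) {
    echo $e->getMessage(), PHP_EOL; // the endpoint is the actual access control
}
```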