Authors can edit Member Role permissions

[michael-e]

Backend authors are able to edit Member Role permissions. This feels like a bug to me. Or is this intended?

[nitriques]

This feels like a bug to me.

Me too. Only Managers should be able to do it.

[animaux]

Shall we simply move it to blueprints to fix this or rather hide it like the CSV extension does?

public function fetchNavigation()
{
    // Author: Use the accessor function if available (Symphony 2.5)
    if (is_callable(array('Symphony', 'Author'))) {
        $author = Symphony::Author();
    } else {
        $author = Administration::instance()->Author;
    }

    if ($author->isDeveloper()) {
        return array(
            array(
                'location'	=> __('System'),
                'name'		=> __('Import / Export CSV'),
                'link'		=> '/'
            )
        );
    }
}

[michael-e]

Blueprints is not the right place. We should hide it and programatically prevent using it (by checking the author role).

[animaux]

I moved it to Blueprints as a quick workaround and it feels quite natural to have it there. :)

But you are probably right.

[nitriques]

@animaux Can you send a PR please ? So we can discuss it better ? Thanks.

[animaux]

I don’t have the extension-knowledge to do that the way @michael-e suggests. Would have to copy code from other extensions which might not be the best way to do it. Maybe someone with more expertise can take over?

[nitriques]

Ok