Lister Pro interferes with viewable users when user-admin-[role] permission is assigned

[Toutouwai]

Short description of the issue

This section of ProcessUser is supposed to limit the users that are listed at Access > Users for those who have been assigned a user-admin-[role] permission. They are only supposed to be able to see users with the role they have been given the user-admin permission for.

Example if user-admin-editor is given to a role:

But if ListerPro is installed and the "Config" page for the Users lister has ever been saved (even if no customisations have been made) then ListerPro forces the initSelector setting for the Users lister, overriding the limited initSelector that was set by ProcessUser. This reveals users that a person with the user-admin-[role] permission shouldn't be able to see.

Same example as above, but the ListerPro config page has been saved for the Users lister:

Setup/Environment

• ProcessWire version: 3.0.135

[ryancramerdesign]

@Toutouwai I had a closer look at this, and I think you are right that ListerPro shouldn't override that initSelector. But I also want to clarify that the purpose of the user-admin-* roles is not to limit what users can be visible, only what users can be editable. In addition, ProcessUser doesn't filter by editable role unless the user-admin-all permission is installed and the current user (with user admin permission) lacks it. For that case, it should do what you describe, and looks like it isn't due to that initSelector override. Before I attempt a fix, I just wanted to make sure that I've understood it all correctly, and also that what I've mentioned all makes sense?

[Toutouwai]

@ryancramerdesign, I know about the need to install the user-admin-all permission and not to assign it to administrators who may not edit users with all roles. I didn't mention it in the issue description but those steps were done when producing the screenshots that illustrate the issue.

Not sure I quite understand the part where you say...

But I also want to clarify that the purpose of the user-admin-* roles is not to limit what users can be visible, only what users can be editable.

...because it looks like the purpose of the code in ProcessUser that I linked to in the first sentence is to use the user-admin-* roles to limit the visibility of users that the administrator does not have permission to edit. That seems like quite an important thing because:

1. Some administrators who have permission to edit a limited set of (front-end) users may nonetheless be quite low-level in terms of their status in the overall administrator hierarchy, and not entitled to knowledge about other classes of user.
2. Some information that may be stored on a user page might be quite sensitive, so it's not just the ability to edit the user information that matters but to view it also. Unless special restrictions have been set, ProcessUser allows all user field values to be viewed by adding columns to the lister.

I noticed some installable user-view-* permissions but I couldn't see that ProcessUser checks for those when determining what user information to reveal.

[adrianbj]

Sorry to hijack a bit, but @ryancramerdesign if you do start looking into the user-view-* permissions that @Toutouwai mentions at the end, could you also please take a look at: #1455

I know it's only related to alt template / parent users, but it is another situation where the user view permissions are problematic. Thank you!