getkirby · distantnative · Sep 7, 2024 · Aug 31, 2024
diff --git a/config/areas/users/dialogs.php b/config/areas/users/dialogs.php
@@ -21,9 +21,14 @@
 		'load' => function () {
 			$kirby = App::instance();
 
+			// get role field definition, incl available role options
+			$roles = Field::role(context: 'create', props: [
+				'required' => true
+			]);
+
 			// get default value for role
 			if ($role = $kirby->request()->get('role')) {
-				$role = $kirby->roles()->find($role)?->id();
+				$role = $kirby->roles()->canBeCreated()->find($role)?->id();
 			}
 
 			return [
@@ -39,17 +44,15 @@
 						'translation'  => Field::translation([
 							'required' => true
 						]),
-						'role' => Field::role(props: [
-							'required' => true
-						])
+						'role' => $roles
 					],
 					'submitButton' => I18n::translate('create'),
 					'value' => [
 						'name'        => '',
 						'email'       => '',
 						'password'    => '',
 						'translation' => $kirby->panelLanguage(),
-						'role'        => $role ?? $kirby->user()->role()->name()
+						'role'        => $role ?? $roles['options'][0]['value'] ?? null
 					]
 				]
 			];
@@ -228,7 +231,7 @@
 				'component' => 'k-form-dialog',
 				'props' => [
 					'fields' => [
-						'role' => Field::role($user, [
+						'role' => Field::role($user, 'change', [
 							'label'    => I18n::translate('user.changeRole.select'),
 							'required' => true,
 						])

diff --git a/src/Cms/Roles.php b/src/Cms/Roles.php
@@ -33,7 +33,7 @@ class Roles extends Collection
 	 */
 	public function canBeChanged(): static
 	{
-		if (App::instance()->user()) {
+		if (App::instance()->user()?->isAdmin() !== true) {
 			return $this->filter(function ($role) {
 				$newUser = new User([
 					'email' => '[email protected]',
@@ -57,7 +57,7 @@ public function canBeChanged(): static
 	 */
 	public function canBeCreated(): static
 	{
-		if (App::instance()->user()) {
+		if (App::instance()->user()?->isAdmin() !== true) {
 			return $this->filter(function ($role) {
 				$newUser = new User([
 					'email' => '[email protected]',

diff --git a/src/Cms/UserRules.php b/src/Cms/UserRules.php
@@ -128,7 +128,11 @@ public static function changeRole(User $user, string $role): bool
 		}
 
 		// prevent changing to role that is not available for user
-		static::validRole($user, $role);
+		if ($user->roles()->canBeChanged()->find($role) instanceof Role === false) {
+			throw new InvalidArgumentException([
+				'key' => 'user.role.invalid',
+			]);
+		}
 
 		return true;
 	}
@@ -191,15 +195,6 @@ public static function create(User $user, array $props = []): bool
 			return true;
 		}
 
-		// only admins are allowed to add admins
-		$role = $props['role'] ?? null;
-
-		if ($role === 'admin' && $currentUser?->isAdmin() === false) {
-			throw new PermissionException([
-				'key' => 'user.create.permission'
-			]);
-		}
-
 		// check user permissions (if not on install)
 		if (
 			$user->kirby()->users()->count() > 0 &&
@@ -210,6 +205,18 @@ public static function create(User $user, array $props = []): bool
 			]);
 		}
 
+		$role = $props['role'] ?? null;
+
+		// prevent creating a role that is not available for user
+		if (
+			in_array($role, [null, 'default', 'nobody'], true) === false &&
+			$user->kirby()->roles()->canBeCreated()->find($role) instanceof Role === false
+		) {
+			throw new InvalidArgumentException([
+				'key' => 'user.role.invalid',
+			]);
+		}
+
 		return true;
 	}
 
@@ -357,20 +364,4 @@ public static function validPassword(
 
 		return true;
 	}
-
-	/**
-	 * Validates a user role
-	 *
-	 * @throws \Kirby\Exception\InvalidArgumentException If the user role does not exist
-	 */
-	public static function validRole(User $user, string $role): bool
-	{
-		if ($user->roles()->find($role) instanceof Role) {
-			return true;
-		}
-
-		throw new InvalidArgumentException([
-			'key' => 'user.role.invalid',
-		]);
-	}
 }
diff --git a/src/Panel/Field.php b/src/Panel/Field.php
@@ -194,6 +194,7 @@ public static function password(array $props = []): array
 	 */
 	public static function role(
 		User|null $user = null,
+		string|null $context = null,
 		array $props = []
 	): array {
 		$kirby = App::instance();
@@ -203,9 +204,19 @@ public static function role(
 		// get all roles but filter out the admin role
 		// if the current user is no admin
 		$roles ??= $kirby->roles()->filter(
-			fn ($role) => $role->name() !== 'admin' || $kirby->user()?->isAdmin() === true
+			fn ($role) =>
+				$role->name() !== 'admin' ||
+				$kirby->user()?->isAdmin() === true
 		);
 
+		// filter roles based on the context
+		// as user options can restrict these further
+		$roles = match ($context) {
+			'create' => $roles->canBeCreated(),
+			'change' => $roles->canBeChanged(),
+			null     => $roles
+		};
+
 		$roles = $roles->values(fn ($role) => [
 			'text'  => $role->title(),
 			'info'  => $role->description() ?? I18n::translate('role.description.placeholder'),
@@ -214,7 +225,8 @@ public static function role(
 
 		return array_merge([
 			'label'   => I18n::translate('role'),
-			'type'    => count($roles) <= 1 ? 'hidden' : 'radio',
+			'type'    => 'radio',
+			'value'   => count($roles) === 1 ? $roles[0]['value'] : null,
 			'options' => $roles
 		], $props);
 	}

diff --git a/tests/Cms/Roles/RolesTest.php b/tests/Cms/Roles/RolesTest.php
@@ -123,7 +123,7 @@ public function testLoadFromPluginsCallbackArray()
 	public function testCanBeChanged()
 	{
 		new App([
-			'user'  => 'admin@getkirby.com',
+			'user'  => 'editor@getkirby.com',
 			'users' => [
 				[
 					'email' => '[email protected]',
@@ -143,21 +143,25 @@ public function testCanBeChanged()
 					'name'  => 'editor',
 					'title' => 'Editor'
 				],
+				'users/client' => [
+					'name'  => 'client',
+					'title' => 'Client'
+				]
 			]
 		]);
 
 		$roles = Roles::load();
 		$canBeChanged = $roles->canBeChanged();
 
 		$this->assertInstanceOf(Roles::class, $roles);
-		$this->assertCount(2, $roles);
-		$this->assertCount(1, $canBeChanged);
+		$this->assertCount(3, $roles);
+		$this->assertCount(2, $canBeChanged);
 	}
 
 	public function testCanBeCreated()
 	{
 		new App([
-			'user'  => 'admin@getkirby.com',
+			'user'  => 'editor@getkirby.com',
 			'users' => [
 				[
 					'email' => '[email protected]',
@@ -185,6 +189,6 @@ public function testCanBeCreated()
 
 		$this->assertInstanceOf(Roles::class, $roles);
 		$this->assertCount(2, $roles);
-		$this->assertCount(2, $canBeCreated);
+		$this->assertCount(1, $canBeCreated);
 	}
 }
diff --git a/tests/Cms/Users/UserActionsTest.php b/tests/Cms/Users/UserActionsTest.php
@@ -26,19 +26,15 @@ public function setUp(): void
 
 		$this->app = new App([
 			'roles' => [
-				[
-					'name' => 'admin'
-				],
-				[
-					'name' => 'editor'
-				]
+				['name' => 'admin'],
+				['name' => 'editor']
 			],
 			'roots' => [
 				'index'    => '/dev/null',
 				'accounts' => static::TMP . '/accounts',
 				'sessions' => static::TMP . '/sessions'
 			],
-			'user'  => '[email protected]'
+			'user' => '[email protected]'
 		]);
 	}
 

diff --git a/tests/Cms/Users/UserRulesTest.php b/tests/Cms/Users/UserRulesTest.php
@@ -376,6 +376,53 @@ public function testCreatePermissions()
 		]);
 	}
 
+	public function testCreateInvalidRole()
+	{
+		$app = $this->app()->clone([
+			'users' => [
+				['email' => '[email protected]', 'role' => 'editor']
+			]
+		]);
+
+		$app->impersonate('[email protected]');
+
+		$permissions = $this->createMock(UserPermissions::class);
+		$permissions->method('__call')->with('create')->willReturn(true);
+
+		$user = $this->createMock(User::class);
+		$user->method('kirby')->willReturn($app);
+		$user->method('permissions')->willReturn($permissions);
+		$user->method('id')->willReturn('test');
+		$user->method('email')->willReturn('[email protected]');
+		$user->method('language')->willReturn('en');
+
+		// no role
+		$this->assertTrue(UserRules::create($user, [
+			'password' => 12345678
+		]));
+
+		// role: nobody
+		$this->assertTrue(UserRules::create($user, [
+			'password' => 12345678,
+			'role'     => 'nobody'
+		]));
+
+		// role: default
+		$this->assertTrue(UserRules::create($user, [
+			'password' => 12345678,
+			'role'     => 'default'
+		]));
+
+		// invalid role
+		$this->expectException(InvalidArgumentException::class);
+		$this->expectExceptionMessage('Please enter a valid role');
+
+		UserRules::create($user, [
+			'password' => 12345678,
+			'role'     => 'foo'
+		]);
+	}
+
 	public function testUpdate()
 	{
 		$app  = $this->appWithAdmin();

diff --git a/tests/Panel/FieldTest.php b/tests/Panel/FieldTest.php
@@ -245,6 +245,7 @@ public function testRole(): void
 		$expected = [
 			'label'   => 'Role',
 			'type'    => 'radio',
+			'value'   => null,
 			'options' => [
 				[
 					'text'  => 'Admin',
@@ -271,6 +272,7 @@ public function testRole(): void
 		$expected = [
 			'label'   => 'Role',
 			'type'    => 'radio',
+			'value'   => null,
 			'options' => [
 				[
 					'text'  => 'Admin',
@@ -298,6 +300,7 @@ public function testRole(): void
 		$expected = [
 			'label'   => 'Role',
 			'type'    => 'radio',
+			'value'   => null,
 			'options' => [
 				[
 					'text'  => 'Editor',
@@ -319,7 +322,8 @@ public function testRole(): void
 		$field = Field::role($user);
 		$expected = [
 			'label'   => 'Role',
-			'type'    => 'hidden',
+			'type'    => 'radio',
+			'value'   => 'admin',
 			'options' => [
 				[
 					'text'  => 'Admin',