How to define custom permissions for staff, admins, moderators

Agreed Discourse needs extra controls for customization. Like what others have mentioned with hiring outside contractors to use higher level functions while still protecting members information.

Group moderation is decent but sometimes you might want some higher functions of a full Mod but not all of the functions.

A plugin indeed might be helpful. But like Merge User Plugin was merged into core; so should stronger moderator/admin customized features to allow more staff types.

1 Like

I agree with others here that the access control model would be improved with an extra layer of RBAC (roles-based access control) granularity that specifies what staff and admin can access (for certain functions, not all).

For example, a site might want to add more admins; but they prefer to grant smaller set of admin RBAC privileges; for example, grant or not grant the ability to download the entire site backup or to access certain staff action log files. In addition, a site might want to insure that some staff do not have the RBAC permissions to view staff actions of admins or developers, or just certain actions which are considered more “private”.

All cybersecurity experts are taught (and know by direct experience) that the largest threat to any organization is the “disgruntled insider” and not outside hackers or attackers. There is no doubt about this basic IT security risk, and it is well established knowledge for trained or seasoned hands-on IT security professionals. Therefore, dismissing the insider threat with “just trust your admin” or “you must trust your staff” is not a technical solution, for IT professionals. Even the most trustworthy staff, loyal for many years, can start experiencing life problems which can cause them to shift to be a “disgruntled staff member”. In addition, it is the most privileged staff which make the most errors; and we all know that well-intended staff / admin mistakes generally cause more downtime than any hacker, generally speaking.

A while back, I considered altering Discourse class Guardian for our site but after further examination of that class it was not obvious to me there was a “quick fix” which would allow me to write a minimal amount of monkey patch code to enhance the RBAC for Discourse. Being lazy by nature and preferring to create simple solutions whenever possible, I put the idea on the back burner and moved on to other “well paid client” projects.

Subsequently, I considered going a level down in the code and transferring some of the staff and admin functions to developer, but this approach required too many monkey patches, which I thought was not a good idea at the time. After, all if we can accomplish something with one monkey patch versus ten, obviously one patch is better.

I have not yet had the time or a “burning requirement” to look deeper into this part of Discourse core to determine if there is an “easy” RBAC plugin enhancement I can write via a “relatively simple” plugin.

Honestly, I think the problem is that I am not yet a super rubyist and for the most part, consider myself more of a “wannabe” ruby coder, LOL. I am confident there is, more-than-likely, a simple RBAC plugin solution out there, but personally, I have not found it yet and perhaps a much more experienced Ruby person can quickly look at the code and see how to approach this.

My idea would be to have some new boolean site settings which would either limit or grant specific RBAC permissions based on role, and to then add those booleans to the appropriate part of the code via a monkey patch in plugin. However, I as mentioned, I would prefer to patch one file, not “many” so it is clean and simple, easy to maintain.

When I have time, I will look into this RBAC enhancement more deeper since it is interesting, for sure.

1 Like

Hi @jrgong

This is not difficult to do via a plugin, as you probably know well.

Basically, you could create a list of staff (by email, username, etc) as a global setting, similar to how Discourse defines developers by email address.

Then, you could use that GlobalSettting in some patches to permit the two use cases are you are interested in.

The first of your use cases: customize themes as staff, is relatively straight forward to core monkey patch, I think.

The second use case of yours, with not much work, you could fork this plugin and redesign the route access constraint in this plugin (and any other required changes):

Because the constraint for the ads plugin is built into the plugin, it’s a good idea to actually change that code to permit your “permitted” staff to access the parts of that plugin you wish to permit, based on your own RBAC.

In other words, both of the requirements you want are both doable, if you are willing to write the code; or of course you can ask one of the skillful Discourse plugin dev pros to help you in #marketplace


Thx @neounix I really appreciate the input! I will get a dev to get it done

edit: Is there no other way but to fork the plugin?
And how about access to babble chat plugin? That would also require a fork?

We are taking about software.

There are always many ways to do things.

I provided you my recommendations.



Sorry old post but why don’t you set up your theme as a repo in GitHub? Permission your design and UX team to have access to update the Theme in GitHub.

In Discourse you can now set Themes to auto update upon rebuild.

Your admins will now only need to rebuild to bring in any changes made by the Design and UX team and the latter will not need access to admin at all.

1 Like

Just a short note:

When coding matters of access control, in general, these RBAC checks should be performed on the server side.

RBAC code in client-side Javascript can be manipulated by the client.

This means that when defining core RBAC permissions for staff, admins and moderators, this should be done (generally speaking) in Rails, not in Javascript.

OBTW, this is also how Discourse does RBAC now, using what Discourse calls “guardian”, a Ruby class called class Guardian, here:

If a developer is going to add RBAC checks in Javascript code by calling the Discourse API, keep in mind that this code can be compromised because code which runs in the browser can be manipulated.

My recommendation is to make sure all core RBAC code is performed on the server side and do not try to short cut this in client-side Javascript.

1 Like

There is also trust level 4 and category moderators, in discourse 2.5 and beyond.

1 Like

I have a similar use case, in that I run a small non-profit community where one of our users is maintaining the themes and design.

I do not wish to give anyone beside me and my co-owner access to private user data (e-mail addresses etc.), but I do have 4 moderators.

In order for the designer to work, I’ve had to create a copy site with no content where he is the admin, and I then copy themes and components manually. However it is not desirable since some changes requires content in order to proof.


Why not add some content to the staging / testing site? That’d be the typical recommendation.

So let the developer develop on the staging site, and push the themes to github. But you’ll still need to upgrade them yourself. You might contrive to do the upgrade with the API and somehow make the developer be able to trigger it.

I’m working of a tool that might be able to help with that.

1 Like

We have this exact need as well, did anyone by any chance solve this?

I don’t know if this is useful in this situation, but if you just need some content there is the populate rake task:

1 Like

Thank you, unfortunately it’s not really useful atm.

1 Like

If you don’t trust the designer to see your data what solution would you imagine?

You could give them just an API key that would let them use the discourse_cli to push the theme there and then disable it when they were through, maybe?

1 Like

There is absolutely no reason a designer should have access to 100k users lol. Also, it would be against GDPR rules. Is it possible to give a cli key just for theme updates?


Begging your pardon! I think you’re right.

Now, unlike when this topic was created (which apparently was where my brain was when I wrote my reply), we do have granular API keys. It should not be too hard to add a new scope just for theme management.

It might be worth creating a new topic in feature asking for a theme-developer API key scope. That seems like a fine idea.


No, it is not. It can be against rules of that site, but those can and should change.


It would be good if @AV_C can maybe post a reference to this tequirement. Though I can strongly appreciate why a client would want to restrict access to the user base and even private categories due to a variety of reasons. Full Admin can access member’s sign up emails and private categories may contain other sensitive content depending on client’s use case.

I think @pfaffman has a good idea to ensure this kind of gap can be covered through restricted admin api. Once designer work comopleted key can be revoked until needed.

This would also fit Jay’s idea of not showing a user as admin on About page.

1 Like