Sorry old post but why don’t you set up your theme as a repo in GitHub? Permission your design and UX team to have access to update the Theme in GitHub.
In Discourse you can now set Themes to auto update upon rebuild.
Your admins will now only need to rebuild to bring in any changes made by the Design and UX team and the latter will not need access to admin at all.
When coding matters of access control, in general, these RBAC checks should be performed on the server side.
RBAC code in client-side Javascript can be manipulated by the client.
This means that when defining core RBAC permissions for staff, admins and moderators, this should be done (generally speaking) in Rails, not in Javascript.
OBTW, this is also how Discourse does RBAC now, using what Discourse calls “guardian”, a Ruby class called class Guardian, here:
If a developer is going to add RBAC checks in Javascript code by calling the Discourse API, keep in mind that this code can be compromised because code which runs in the browser can be manipulated.
My recommendation is to make sure all core RBAC code is performed on the server side and do not try to short cut this in client-side Javascript.
I have a similar use case, in that I run a small non-profit community where one of our users is maintaining the themes and design.
I do not wish to give anyone beside me and my co-owner access to private user data (e-mail addresses etc.), but I do have 4 moderators.
In order for the designer to work, I’ve had to create a copy site with no content where he is the admin, and I then copy themes and components manually. However it is not desirable since some changes requires content in order to proof.
So let the developer develop on the staging site, and push the themes to github. But you’ll still need to upgrade them yourself. You might contrive to do the upgrade with the API and somehow make the developer be able to trigger it.
I’m working of a tool that might be able to help with that.
If you don’t trust the designer to see your data what solution would you imagine?
You could give them just an API key that would let them use the discourse_cli to push the theme there and then disable it when they were through, maybe?
There is absolutely no reason a designer should have access to 100k users lol. Also, it would be against GDPR rules. Is it possible to give a cli key just for theme updates?
Now, unlike when this topic was created (which apparently was where my brain was when I wrote my reply), we do have granular API keys. It should not be too hard to add a new scope just for theme management.
It might be worth creating a new topic in feature asking for a theme-developer API key scope. That seems like a fine idea.
It would be good if @AV_C can maybe post a reference to this tequirement. Though I can strongly appreciate why a client would want to restrict access to the user base and even private categories due to a variety of reasons. Full Admin can access member’s sign up emails and private categories may contain other sensitive content depending on client’s use case.
I think @pfaffman has a good idea to ensure this kind of gap can be covered through restricted admin api. Once designer work comopleted key can be revoked until needed.
This would also fit Jay’s idea of not showing a user as admin on About page.