Lilly
September 4, 2023, 7:32pm
1
It appears that all staff seem to have access to the editor for custom global menu sections, although if anyone but admin tries to save changes, a permission error is generated. Only admins should be able to see the pencil editor buttons and access the custom menu sections modals (not all staff). Also, only admins should see the globe icon that indicates a public menu section. Mods can see both the globe and pencil icons.
Repro: (first two screenshots in safe mode)
Make a custom global menu section with admin account (or with a moderator staff account!)
Log in with a Moderator account and see globe and pencil icons in global menu section
Try to edit the custom section and make a change and click save button.
Permissions settings for moderator (non-admin staff) used in screenshots above.
5 Likes
Canapin
(Coin-coin le Canapin)
September 5, 2023, 6:03am
2
Lilly:
Make a custom global menu section with admin account
Log in with a Moderator account and see globe and pencil icons in global menu section
The first step can also be "create a new custom section with a staff, non-admin account". The behavior is the same.
I can repro the issue. The checkbox shouldn't appear if we don't have the right to change a section globally.
4 Likes
Lilly
September 5, 2023, 6:06am
3
oh I didn't even try that part doh! Thanks for pointing that out. I will add to OP.
1 Like
ted
(Ted Johansson)
September 27, 2023, 7:16pm
6
Thanks for the report @Lilly ! The UI did indeed not reflect the fact that a moderator cannot create, edit, or delete a public category. This has been solved in the fix below:
discourse:main
← discourse:fix/disallow-mods-from-public-sidebar-sections
opened 01:49PM - 27 Sep 23 UTC
### What is this change?
Currently moderators can see the custom public sidebar section edit button, but they are prevented from making any changes by an error. According to the back-end, moderators can not access these.
**Trying to edit or create:**
<img width="508" alt="Screenshot 2023-09-27 at 3 48 14 PM" src="https://github.com/discourse/discourse/assets/5259935/c95584f9-1368-4181-a4f1-450e23852734">
**Trying to delete:**
<img width="255" alt="Screenshot 2023-09-27 at 3 48 21 PM" src="https://github.com/discourse/discourse/assets/5259935/3f333622-555e-45f8-b163-341f4c6a3df9">
This PR hides the custom public sidebar section edit button, as well as the "make public" checkbox of the create modal, if the user is not an admin, bringing the UI in line with the back-end.
If needed, we can add a site setting to allow moderator access when the need arises.
8 Likes
Lilly
September 27, 2023, 7:41pm
7
Nice work @ted ! thanks for the response and fix
4 Likes