At present, if the user has the settings.enabled permisson, then the Settings link is enabled – quite rightly – but then clicking on that link offers settings for each module, even when the user does not have permissions to use any of the module's settings.
We can fix this:
Each module should define an additional permission, settings.NAME.enabled, and the <Settings> component should display the module's permissions only if this is defined.
Each settings.NAME.enabled permission should include settings.enabled as a sub-permission.
Each permission for a specific part of the settings (e.g. settings.usergroups.all in the ui-users module) should include the relevant module-wide settings permission (in this case settings.users.enabled).
Then users will see only those settings areas that they have permission to use some part of.
Which completes the issue, and frees Wayne to build a new backend VM that uses all the permissions from the versions of the descriptors in the git-head versions.
At present, if the user has the
settings.enabledpermisson, then the Settings link is enabled – quite rightly – but then clicking on that link offers settings for each module, even when the user does not have permissions to use any of the module's settings.We can fix this:
Each module should define an additional permission,
settings.NAME.enabled, and the<Settings>component should display the module's permissions only if this is defined.Each
settings.NAME.enabledpermission should includesettings.enabledas a sub-permission.Each permission for a specific part of the settings (e.g.
settings.usergroups.allin the ui-users module) should include the relevant module-wide settings permission (in this casesettings.users.enabled).Then users will see only those settings areas that they have permission to use some part of.