Further thoughts: access to the developer settings will in any case be controlled by the forthcoming settings.developer.enabled permission (see ), so the need for individual permissions controlling each page of the settings is reduced.
Putting it all together, I think we need do nothing for this issue. Closing as WONTFIX.
Mike Taylor August 31, 2017 at 2:56 PM
I'm going to take this one last, as it's not obvious whether we care about restricting people's right to use the developer tools.
Crucially, the developer settings pages all do only client-side things – there is no communication with Okapi – so permissions enforcement on the client side would not protect users from server-side permission errors.
Equally, preventing people from using the developer settings would not actually stop them doing the things the developer settings expose – they could do all the same things from the JS console if they were patient enough.
So I am inclined to think that this might be a WONTFIX.
See for details.