User edit permission split

js/src/admin/components/PermissionGrid.js

@@ -326,10 +326,26 @@ export default class PermissionGrid extends Component {
       60
     );
 
+    items.add('userEditCredentials', {
+      icon: 'fas fa-user-cog',
+      label: app.translator.trans('core.admin.permissions.edit_users_credentials_label'),
+      permission: 'user.editCredentials',
+    });
+
+    items.add(
+      'userEditGroups',
+      {
+        icon: 'fas fa-users-cog',
+        label: app.translator.trans('core.admin.permissions.edit_users_groups_label'),
+        permission: 'user.editGroups',
+      },
+      60
+    );
+
     items.add(
       'userEdit',
       {
-        icon: 'fas fa-user-cog',
+        icon: 'fas fa-address-card',
         label: app.translator.trans('core.admin.permissions.edit_users_label'),
         permission: 'user.edit',
       },

js/src/common/models/User.js

@@ -29,9 +29,15 @@ Object.assign(User.prototype, {
   discussionCount: Model.attribute('discussionCount'),
   commentCount: Model.attribute('commentCount'),
 
-  canEdit: Model.attribute('canEdit'),
+  canEditAttributes: Model.attribute('canEdit'),
+  canEditCredentials: Model.attribute('canEditCredentials'),
+  canEditGroups: Model.attribute('canEditGroups'),
   canDelete: Model.attribute('canDelete'),
 
+  canEdit: computed('canEditCredentials', 'canEditGroups', 'canEditAttributes', function (canEditAttributes, canEditCredentials, canEditGroups) {
+    return canEditAttributes || canEditCredentials || canEditGroups;
+  }),
+
   avatarColor: null,
   color: computed('username', 'avatarUrl', 'avatarColor', function (username, avatarUrl, avatarColor) {
     // If we've already calculated and cached the dominant color of the user's

js/src/forum/components/EditUserModal.js

@@ -47,96 +47,104 @@ export default class EditUserModal extends Modal {
   fields() {
     const items = new ItemList();
 
-    items.add(
-      'username',
-      <div className="Form-group">
-        <label>{app.translator.trans('core.forum.edit_user.username_heading')}</label>
-        <input className="FormControl" placeholder={extractText(app.translator.trans('core.forum.edit_user.username_label'))} bidi={this.username} />
-      </div>,
-      40
-    );
-
-    if (app.session.user !== this.attrs.user) {
+    if (app.session.user.canEditCredentials()) {
       items.add(
-        'email',
+        'username',
         <div className="Form-group">
-          <label>{app.translator.trans('core.forum.edit_user.email_heading')}</label>
-          <div>
-            <input className="FormControl" placeholder={extractText(app.translator.trans('core.forum.edit_user.email_label'))} bidi={this.email} />
-          </div>
-          {!this.isEmailConfirmed() ? (
-            <div>
-              {Button.component(
-                {
-                  className: 'Button Button--block',
-                  loading: this.loading,
-                  onclick: this.activate.bind(this),
-                },
-                app.translator.trans('core.forum.edit_user.activate_button')
-              )}
-            </div>
-          ) : (
-            ''
-          )}
+          <label>{app.translator.trans('core.forum.edit_user.username_heading')}</label>
+          <input
+            className="FormControl"
+            placeholder={extractText(app.translator.trans('core.forum.edit_user.username_label'))}
+            bidi={this.username}
+          />
         </div>,
-        30
+        40
       );
 
-      items.add(
-        'password',
-        <div className="Form-group">
-          <label>{app.translator.trans('core.forum.edit_user.password_heading')}</label>
-          <div>
-            <label className="checkbox">
-              <input
-                type="checkbox"
-                onchange={(e) => {
-                  this.setPassword(e.target.checked);
-                  m.redraw.sync();
-                  if (e.target.checked) this.$('[name=password]').select();
-                  e.redraw = false;
-                }}
-              />
-              {app.translator.trans('core.forum.edit_user.set_password_label')}
-            </label>
-            {this.setPassword() ? (
-              <input
-                className="FormControl"
-                type="password"
-                name="password"
-                placeholder={extractText(app.translator.trans('core.forum.edit_user.password_label'))}
-                bidi={this.password}
-              />
+      if (app.session.user !== this.attrs.user) {
+        items.add(
+          'email',
+          <div className="Form-group">
+            <label>{app.translator.trans('core.forum.edit_user.email_heading')}</label>
+            <div>
+              <input className="FormControl" placeholder={extractText(app.translator.trans('core.forum.edit_user.email_label'))} bidi={this.email} />
+            </div>
+            {!this.isEmailConfirmed() ? (
+              <div>
+                {Button.component(
+                  {
+                    className: 'Button Button--block',
+                    loading: this.loading,
+                    onclick: this.activate.bind(this),
+                  },
+                  app.translator.trans('core.forum.edit_user.activate_button')
+                )}
+              </div>
             ) : (
               ''
             )}
-          </div>
-        </div>,
-        20
-      );
-    }
-
-    items.add(
-      'groups',
-      <div className="Form-group EditUserModal-groups">
-        <label>{app.translator.trans('core.forum.edit_user.groups_heading')}</label>
-        <div>
-          {Object.keys(this.groups)
-            .map((id) => app.store.getById('groups', id))
-            .map((group) => (
+          </div>,
+          30
+        );
+
+        items.add(
+          'password',
+          <div className="Form-group">
+            <label>{app.translator.trans('core.forum.edit_user.password_heading')}</label>
+            <div>
               <label className="checkbox">
                 <input
                   type="checkbox"
-                  bidi={this.groups[group.id()]}
-                  disabled={this.attrs.user.id() === '1' && group.id() === Group.ADMINISTRATOR_ID}
+                  onchange={(e) => {
+                    this.setPassword(e.target.checked);
+                    m.redraw.sync();
+                    if (e.target.checked) this.$('[name=password]').select();
+                    e.redraw = false;
+                  }}
                 />
-                {GroupBadge.component({ group, label: '' })} {group.nameSingular()}
+                {app.translator.trans('core.forum.edit_user.set_password_label')}
               </label>
-            ))}
-        </div>
-      </div>,
-      10
-    );
+              {this.setPassword() ? (
+                <input
+                  className="FormControl"
+                  type="password"
+                  name="password"
+                  placeholder={extractText(app.translator.trans('core.forum.edit_user.password_label'))}
+                  bidi={this.password}
+                />
+              ) : (
+                ''
+              )}
+            </div>
+          </div>,
+          20
+        );
+      }
+    }
+
+    if (app.session.user.canEditGroups()) {
+      items.add(
+        'groups',
+        <div className="Form-group EditUserModal-groups">
+          <label>{app.translator.trans('core.forum.edit_user.groups_heading')}</label>
+          <div>
+            {Object.keys(this.groups)
+              .map((id) => app.store.getById('groups', id))
+              .map((group) => (
+                <label className="checkbox">
+                  <input
+                    type="checkbox"
+                    bidi={this.groups[group.id()]}
+                    disabled={this.attrs.user.id() === '1' && group.id() === Group.ADMINISTRATOR_ID}
+                  />
+                  {GroupBadge.component({ group, label: '' })} {group.nameSingular()}
+                </label>
+              ))}
+          </div>
+        </div>,
+        10
+      );
+    }
 
     items.add(
       'submit',

locale/core.yml

@@ -176,7 +176,9 @@ core:
       delete_posts_label: Delete posts
       description: Configure who can see and do what.
       edit_posts_label: Edit posts
-      edit_users_label: Edit users
+      edit_users_label: Edit user attributes
+      edit_users_credentials_label: Edit user credentials
+      edit_users_groups_label: Edit users groups
       global_heading: Global
       moderate_heading: Moderate
       new_group_button: New Group

src/Api/Serializer/UserSerializer.php

@@ -19,14 +19,14 @@ protected function getDefaultAttributes($user)
     {
         $attributes = parent::getDefaultAttributes($user);
 
-        $canEdit = $this->actor->can('edit', $user);
-
         $attributes += [
-            'joinTime'         => $this->formatDate($user->joined_at),
-            'discussionCount'  => (int) $user->discussion_count,
-            'commentCount'     => (int) $user->comment_count,
-            'canEdit'          => $canEdit,
-            'canDelete'        => $this->actor->can('delete', $user),
+            'joinTime'           => $this->formatDate($user->joined_at),
+            'discussionCount'    => (int) $user->discussion_count,
+            'commentCount'       => (int) $user->comment_count,
+            'canEdit'            => $this->actor->can('edit', $user),
+            'canEditCredentials' => $this->actor->can('editCredentials', $user),
+            'canEditGroups'      => $this->actor->can('editGroups', $user),
+            'canDelete'          => $this->actor->can('delete', $user),
         ];
 
         if ($user->getPreference('discloseOnline') || $this->actor->can('viewLastSeenAt', $user)) {
@@ -35,7 +35,7 @@ protected function getDefaultAttributes($user)
             ];
         }
 
-        if ($canEdit || $this->actor->id === $user->id) {
+        if ($attributes['canEditCredentials'] || $this->actor->id === $user->id) {
             $attributes += [
                 'isEmailConfirmed' => (bool) $user->is_email_confirmed,
                 'email'            => $user->email

src/User/Access/UserPolicy.php

@@ -24,4 +24,19 @@ public function can(User $actor, $ability)
             return $this->allow();
         }
     }
+
+    /**
+     * @param User $actor
+     * @param User $user
+     */
+    public function editCredentials(User $actor, User $user)
+    {
+        if ($user->isAdmin() && !$actor->isAdmin()) {
+            return $this->deny();
+        }
+
+        if ($actor->hasPermission('user.editCredentials')) {
+            return $this->allow();
+        }
+    }
 }

src/User/Command/EditUserHandler.php

@@ -58,15 +58,14 @@ public function handle(EditUser $command)
 
         $user = $this->users->findOrFail($command->userId, $actor);
 
-        $canEdit = $actor->can('edit', $user);
         $isSelf = $actor->id === $user->id;
 
         $attributes = Arr::get($data, 'attributes', []);
         $relationships = Arr::get($data, 'relationships', []);
         $validate = [];
 
         if (isset($attributes['username'])) {
-            $actor->assertPermission($canEdit);
+            $actor->assertPermission($actor->can('editCredentials', $user));
             $user->rename($attributes['username']);
         }
 
@@ -78,17 +77,18 @@ public function handle(EditUser $command)
                     $validate['email'] = $attributes['email'];
                 }
             } else {
-                $actor->assertPermission($canEdit);
+                $actor->assertPermission($actor->can('editCredentials', $user));
                 $user->changeEmail($attributes['email']);
             }
         }
 
-        if ($actor->isAdmin() && ! empty($attributes['isEmailConfirmed'])) {
+        if (!empty($attributes['isEmailConfirmed'])) {
+            $actor->assertAdmin();
             $user->activate();
         }
 
         if (isset($attributes['password'])) {
-            $actor->assertPermission($canEdit);
+            $actor->assertPermission($actor->can('editCredentials', $user));
             $user->changePassword($attributes['password']);
 
             $validate['password'] = $attributes['password'];
@@ -108,7 +108,10 @@ public function handle(EditUser $command)
         }
 
         if (isset($relationships['groups']['data']) && is_array($relationships['groups']['data'])) {
-            $actor->assertPermission($canEdit);
+            $actor->assertPermission($actor->can('editGroups', $user));
+
+            $oldGroups = $user->groups()->get()->all();
+            $oldGroupIds = Arr::pluck($oldGroups, 'id');
 
             $newGroupIds = [];
             foreach ($relationships['groups']['data'] as $group) {
@@ -117,8 +120,11 @@ public function handle(EditUser $command)
                 }
             }
 
+            $adminChanged = in_array('1', array_diff($oldGroupIds, $newGroupIds)) || in_array('1', array_diff($newGroupIds, $oldGroupIds));
+            $actor->assertPermission(!$adminChanged || $actor->isAdmin());
+
             $user->raise(
-                new GroupsChanged($user, $user->groups()->get()->all())
+                new GroupsChanged($user, $oldGroups)
             );
 
             $user->afterSave(function (User $user) use ($newGroupIds) {