Description
Summary
User which can edit users (and this User is not Administrator) must have the 'namespaces' permission. If not, then this User will get the error message about permission denied every time when user edit page loaded.
Permission of 'namespaces' allows to view and edit at once. So this User with 'namespaces' permission can edit namespaces by link '?a=workspaces/namespace'.
This is not good.
Step to reproduce
Disable 'namespaces' permission and go to edit user (?a=security/user/update&id=).
Enable 'namespaces' permission and go to edit user (?a=security/user/update&id=).
Observed behavior
When the 'namespaces' permission is disabled:
On edit user data page (?a=security/user/update&id=) User will get the error message 'permission denied'. Because the 'namespaces' permission need to one of lists on the 'Settings' tab.
When the 'namespaces' permission is enabled:
On edit user data page (?a=security/user/update&id=) User will NOT get the error message 'permission denied' and on the 'Settings' tab the list of namespaces will shown.
But this user also can go right to namespases management page by direct link with '?a=workspaces/namespace' and this User will get FULL access like edit, remove or add namespaces (not view only).
Expected behavior
The 'namespaces' permission disable will not generate the error message on user update page.
OR
For example, the namespaces access control will separated by two permissions like one 'list' and second 'edit'.
'List' will access to view list of namespaces only without access to '?a=workspaces/namespace' page,
'Edit' will take full access
OR
Improve functionality of Form Customization where Administrator can disable 'Settings' tab for user update page (?a=security/user/update&id=). No lists - No permissions needed :)
Environment
MODX Revolution 2.6.1-pl