06 Aug 2007
22 Aug 2007
I have been evaluating the latest version of Sitefinity and ran into the following setup and issue with roles and permissions.
"Administrators" is being reserved for our dev company as a master role with only our people added as users to that account. This way we can limit access to sections, file manager, and permissions from our client.
I created a "Company Administrators" role for our client to use as their highest level. This role was restricted from ManagePermissions, ManageFiles, and EditTemplates. However, it was given access to ManageUsers so they can create the users for their organization.
However, when I log in as this new role and create a new user, I'm allowed to add that user to the "Administrators" role which has access to everything. I logged in as this new user and indeed I did have access to everything.
I think this would be a common setup for a development company building sites for their clients. We don't want them getting in there and overwriting files or messing with templates for obvious reasons.
In addition to this fix, it would be nice to limit access to the uploading of files within the editor window. There may be times where a user can edit a page but not be able to mess around with images, flash, or media.
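
The escalation described in this post follows from checking only that the acting user holds ManageUsers before a role is assigned. As an added example (not part of the original post and not Sitefinity code), this Python model contrasts that check with one that refuses to grant a role carrying permissions the actor lacks; the "Company Editors" role and all function names are constructed for illustration.

```python
# Model of the role-assignment check; not Sitefinity code.
# Role and permission names come from the post, except "Company Editors",
# which is a constructed role with no administrative permissions.
ROLES = {
    "Administrators": frozenset(
        {"ManagePermissions", "ManageFiles", "EditTemplates", "ManageUsers"}),
    "Company Administrators": frozenset({"ManageUsers"}),
    "Company Editors": frozenset(),
}


class AssignmentDenied(Exception):
    """Raised when an actor tries to grant a role they may not hand out."""


def effective_permissions(role_names):
    """Union of the permissions carried by every role the user holds."""
    return frozenset().union(*(ROLES[name] for name in role_names))


def assign_role_naive(actor_roles, target_roles, role):
    """Behaviour reported in the post: only ManageUsers is checked."""
    if "ManageUsers" not in effective_permissions(actor_roles):
        raise AssignmentDenied("actor lacks ManageUsers")
    return set(target_roles) | {role}


def grantable_roles(actor_roles):
    """Roles whose permissions are a subset of what the actor already holds."""
    held = effective_permissions(actor_roles)
    if "ManageUsers" not in held:
        return set()
    return {name for name, perms in ROLES.items() if perms <= held}


def assign_role(actor_roles, target_roles, role):
    """Hardened check: an actor can never grant more than they hold."""
    if role not in grantable_roles(actor_roles):
        missing = sorted(ROLES[role] - effective_permissions(actor_roles))
        raise AssignmentDenied(f"cannot grant {role!r}; actor lacks {missing}")
    return set(target_roles) | {role}
```

With the subset rule in place, a "Company Administrators" user can still create users and place them in their own role or a lesser one, which is the delegation the post asks for.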