Why does a user have many roles


I noticed accessing 0th index used to access a user’s role. Shouldn’t the user only have one role?


The associative table roles_users exists to represent the many-to-many relationship.


The permission system we have is an implementation of role based access control which traditionally supports users having multiple roles, as roles can give permissions to very different domains.

However, as you mentioned - currently ghost users should only have one role - and that is handled here: https://github.com/TryGhost/Ghost/blob/master/core/server/models/user.js#L420