[v3] A user associated to a role to manage users can upgrade user roles to administration role

[michaaa]

Greenlight V3 (release-3.0.5) doesn't seem to check this:

• a user of a role that can manage users can give other users an admin role
• it is possible to edit the own user account to "upgrade" it to a higher privileges role (i.e. admin)

User is associated to "Verwaltung" and can change its own role to "Administrator" (and this will be executed because of "manage user" ability):

In Greenlight V2 it is not possible this way:

• can't edit the own user account attributes for users with role "manage users"
• give a role to users with higher access privileges than its own role

[scouillard]

Hi,
After discussion, the users will not be allowed to change their own role under any circumstance.
However, users with the ManageUsers permission will still be able to change the roles of other users to any available role, even those with higher privileges than their own.
This opens up a variety of potential risks, as some permissions can have destructive effects.
But, it is nearly impossible to safeguard against all possible misuse scenarios.
Please take this into account when assigning the ManageUsers permission to a user.
Thank you very much for the report.

[michaaa]

Well, I think better solution would be: Only Admin Role owner should be able to give Admin Role to others.

A user account with ManageUsers role won't change its own role (after this is fixed), but it's possible to add a new admin account then and use this one to change its own role (by using the new admin). So remove the ability to give Admin roles for non admins. However, I think this was implemented this way in Greenlight V2.