OrchardCMS / OrchardCore

Orchard Core is an open-source modular and multi-tenant application framework built with ASP.NET Core, and a content management system (CMS) built on top of that framework.
https://orchardcore.net
BSD 3-Clause "New" or "Revised" License
7.36k stars 2.37k forks

AssignRoleToUsers should not be implied by EditUsers #16756

Open MikeAlhayek opened 15 hours ago

MikeAlhayek commented 15 hours ago

In the permission structure we currently have, the AssignRoleToUsers permission should NOT be implied by EditUser. AssignRoleToUsers should be explicitly granted instead.

Change

https://github.com/OrchardCMS/OrchardCore/blob/dd03cf8c998b014303728e20b398239e49ff3dc8/src/OrchardCore/OrchardCore.Users.Core/CommonPermissions.cs#L24

to

    public static readonly Permission AssignRoleToUsers = new("AssignRoleToUsers", "Assign any role to users", true);
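
To illustrate what "implied by" means for this issue, here is an added example (not part of the original comment and not Orchard Core's code) that models implied-permission resolution and compares the current and proposed definitions for a role granted only EditUsers. The `Perm` class, `IsGranted` helper and the help-desk role are hypothetical names constructed for the illustration.

```csharp
using System;
using System.Collections.Generic;

// Simplified, hypothetical model of "implied by" resolution.
// This is not Orchard Core's Permission class or its authorization handler.
sealed class Perm
{
    public string Name { get; }
    public IReadOnlyList<Perm> ImpliedBy { get; }

    public Perm(string name, params Perm[] impliedBy)
    {
        Name = name;
        ImpliedBy = impliedBy;
    }
}

static class Demo
{
    // A check for `required` passes when the role holds it directly, or holds
    // any permission reachable by walking the ImpliedBy chain upward.
    static bool IsGranted(ISet<string> roleGrants, Perm required)
    {
        var seen = new HashSet<string>();
        var pending = new Stack<Perm>();
        pending.Push(required);
        while (pending.Count > 0)
        {
            var current = pending.Pop();
            if (!seen.Add(current.Name)) continue;          // guard against cycles
            if (roleGrants.Contains(current.Name)) return true;
            foreach (var parent in current.ImpliedBy) pending.Push(parent);
        }
        return false;
    }

    static void Main()
    {
        var editUsers = new Perm("EditUsers");
        // Current structure described in the issue: implied by EditUsers.
        var assignImplied = new Perm("AssignRoleToUsers", editUsers);
        // Proposed structure: no implying permission, explicit grant only.
        var assignExplicit = new Perm("AssignRoleToUsers");

        // Constructed sample role that was granted EditUsers and nothing else.
        var helpDeskGrants = new HashSet<string> { "EditUsers" };

        Console.WriteLine($"implied definition:  {IsGranted(helpDeskGrants, assignImplied)}");
        Console.WriteLine($"explicit definition: {IsGranted(helpDeskGrants, assignExplicit)}");
    }
}
```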

github-actions[bot] commented 15 hours ago

We triaged this issue and set the milestone according to the priority we think is appropriate (see the docs on how we triage and prioritize issues).

This indicates when the core team may start working on it. However, if you'd like to contribute, we'd warmly welcome you to do that anytime. See our guide on contributions here.