SENG426-Team / vega-spring

Handling the GET Request Vulnerability #47

Closed TyRicard closed 2 years ago

TyRicard commented 2 years ago

There were a couple of extra things I added to this PR and its related Frontend PR:

  1. The default should not change the role, but it was before this PR.
  2. Changing roles would disable the user. This does not make sense, as an admin is making the change to their role, and therefore, it can be assumed that the admin does not want to have to take the extra step to enable the user.
  3. Made the BaseAPI and HttpAPI use doPostWithToken. It seemed more appropriate than making the post statements be only related to secrets.