HSD8-613 If role_delegation module is enable, limit which roles a user can add in the saml user add form.

[pookmish]

READY FOR REVIEW

Summary

• When role_delegation is enabled, users should only be able to add roles that they have permission to.
• If role delegation is not enabled, allow all roles.

Needed By (Date)

• asap

Urgency

• kinda high. security implications since site managers could add a user with administrator role.

Steps to Test

1. enable role_delegation and configure for a role
2. go to the user add form as a user with limited role add permissions
3. verify they can not add a user with an administrator role.

Affected Projects or Products

• Humsci right now, all in the future

See Also

• PR Checklist

[sherakama]

Starting review of this now.

[sherakama]

I suspect this also in the D7 version. Should we backport?

[pookmish]

its likely its an issue in D7. but i dont see role_delegation in the stacks

[sherakama]

I know a guy. Let me talk to him.

I think this is a known issue and that we limit access to the role mapping form but I want to check.