cablelabs / lpwanserver

LPWAN Provisioning & Management Server
https://lpwanserver.com
Apache License 2.0

user can change their own role to ADMIN so long as they have an email address #263

Closed rhythnic closed 5 years ago

rhythnic commented 5 years ago

The update for user seems to fail to check that the acting user is an admin if the target user is being updated to admin role.

rhythnic commented 5 years ago

It turns out that a user can't update themselves to admin. It happens implicitly, by not copying the role property from the request payload to the data object used to update the record.
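Added example, not part of the issue thread and not lpwanserver's own code: a sketch contrasting the implicit protection described in the last comment (the `role` property is never copied from the payload) with an explicit admin check that rejects the request. The field names, the `USER` role and every function name here are assumptions.

```javascript
// Added illustration; not lpwanserver code. Field names, the 'USER' role and
// all function names are assumptions made for this sketch.
const SELF_EDITABLE = ['email', 'password'];
const ADMIN_EDITABLE = [...SELF_EDITABLE, 'role'];
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

class ForbiddenError extends Error {}

// Copy only allow-listed keys, so unknown or privileged fields never reach
// the object used to update the record.
function pick(payload, keys) {
  const data = {};
  for (const key of keys) if (has(payload, key)) data[key] = payload[key];
  return data;
}

// Implicit protection, as described in the issue: 'role' is simply not copied.
// The request succeeds and the role change is silently ignored.
function implicitUpdate(payload) {
  return pick(payload, SELF_EDITABLE);
}

// Explicit protection: the authorization decision is visible in code and a
// rejected role change surfaces as an error that can be logged and tested.
function explicitUpdate(actor, targetId, payload) {
  const isAdmin = actor.role === 'ADMIN';
  if (!isAdmin && actor.id !== targetId) {
    throw new ForbiddenError('cannot update another user');
  }
  if (has(payload, 'role') && !isAdmin) {
    throw new ForbiddenError('only an admin may change a role');
  }
  return pick(payload, isAdmin ? ADMIN_EDITABLE : SELF_EDITABLE);
}

// Constructed sample request: a regular user tries to promote themselves.
const samplePayload = { email: 'u@example.test', role: 'ADMIN' };
console.log(implicitUpdate(samplePayload));
try {
  explicitUpdate({ id: 7, role: 'USER' }, 7, samplePayload);
} catch (err) {
  console.log(err instanceof ForbiddenError, err.message);
}
```

The implicit form depends on nobody later adding `role` to the copied fields; the explicit form keeps the rule next to the check and makes a regression test straightforward.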