craftcms / cms

Build bespoke content experiences with Craft.
https://craftcms.com

[3.x]: Users can assign by default their own group to the users they create even if they don't have that permission #12903

Closed AdnaneAm closed 1 year ago

AdnaneAm commented 1 year ago

What happened?

Description

Users can assign by default their own group to the users they create if they have the permission to register users and assign them to other user groups

Steps to reproduce

  1. Create a user group (for simplification let's call it group A) with no permissions.
  2. Create a user group (for simplification let's call it group B) with permissions as follows:
    • Access control panel
    • Edit users
    • Register users
    • Assign user groups
      • Assign users to group A
  3. Log in as admin and register a new user and assign it to group B.
  4. Log in with the newly created user and try to add a new user, fill in the details and head to the permissions tab. You'll find that you can assign the user to group A which is the normal behavior but also to your own group (group B in this case).

Expected behavior

Normally, based on the permissions given to user group B, they could only create users and assign them to group A.

Actual behavior

Actual behavior is that group B users can create new users and assign them to group A and group B.

Craft CMS version

3.8.1

PHP version

8.1.2

Operating system and version

Ubuntu 22.04 LTS

Database type and version

MySQL v8.0.32

Image driver and version

No response

Installed plugins and versions

brandonkelly commented 1 year ago

This is expected behavior, because there are no permission escalation concerns in that case. (A user would gain nothing by creating a new user account that has the same group permissions they already have.)

AdnaneAm commented 1 year ago

Why is this expected? If the user normally would gain nothing by creating a user that has the same group permissions they already have, why does it appear as an option in the user groups list to choose from?

brandonkelly commented 1 year ago

I can see how it could be a little confusing. Originally it was only possible for users to assign other users to the same groups they belonged to. The permissions came later, as a way to assign users to additional groups beyond that.

If you’d like to submit a feature request, we can consider changing the behavior in a major release.
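
The rule described in the comment above, as an added, self-contained PHP model (not Craft's own code, and using none of its classes): the set of groups a user may assign is the union of the groups they belong to and the groups they hold an explicit "assignUserGroup:<uid>" permission for. The `Group`, `User`, `assignableGroups` and `escalation` names, and the extra group C, are assumptions for illustration; the permission strings are modeled loosely on the names shown in the issue.

```php
<?php
declare(strict_types=1);

// Hypothetical model of the assignable-group rule discussed in this issue.
// Not Craft's implementation: names and structures here are assumptions.

final class Group
{
    /** @param string[] $permissions */
    public function __construct(
        public readonly string $uid,
        public readonly array $permissions,
    ) {}
}

final class User
{
    /** @param string[] $groupUids */
    public function __construct(
        public readonly string $name,
        public readonly array $groupUids,
    ) {}
}

/**
 * Effective permissions of a user: the union of the permissions of every
 * group they belong to.
 * @param array<string, Group> $groups keyed by group uid
 * @return string[]
 */
function effectivePermissions(User $user, array $groups): array
{
    $perms = [];
    foreach ($user->groupUids as $uid) {
        foreach ($groups[$uid]->permissions as $p) {
            $perms[$p] = true;
        }
    }
    return array_keys($perms);
}

/**
 * Groups $actor may assign to a user they create: every group $actor is in,
 * plus every group $actor holds an explicit assignUserGroup:<uid> permission for.
 * @param array<string, Group> $groups
 * @return string[] group uids
 */
function assignableGroups(User $actor, array $groups): array
{
    $perms = effectivePermissions($actor, $groups);
    $result = [];
    foreach ($groups as $uid => $group) {
        $inGroup = in_array($uid, $actor->groupUids, true);
        $hasPerm = in_array('assignUserGroup:' . $uid, $perms, true);
        if ($inGroup || $hasPerm) {
            $result[] = $uid;
        }
    }
    return $result;
}

/**
 * Permissions $newUser would hold that $actor does not hold: an empty result
 * means creating $newUser gives $actor nothing they lacked.
 * @param array<string, Group> $groups
 * @return string[]
 */
function escalation(User $actor, User $newUser, array $groups): array
{
    return array_values(array_diff(
        effectivePermissions($newUser, $groups),
        effectivePermissions($actor, $groups),
    ));
}

// Constructed scenario from the issue: group A has no permissions, group B can
// register users and assign them to A. Group C is an extra group, not from the
// issue, with a permission B does not have.
$groups = [
    'A' => new Group('A', []),
    'B' => new Group('B', ['accessCp', 'editUsers', 'registerUsers', 'assignUserGroups', 'assignUserGroup:A']),
    'C' => new Group('C', ['deleteUsers']),
];
$actor = new User('group-b-user', ['B']);

print_r(assignableGroups($actor, $groups));
print_r(escalation($actor, new User('created-in-b', ['B']), $groups));

// Same actor, but an admin has also granted B the explicit permission for C.
$groups['B'] = new Group('B', [...$groups['B']->permissions, 'assignUserGroup:C']);
print_r(assignableGroups($actor, $groups));
print_r(escalation($actor, new User('created-in-c', ['C']), $groups));
```

Run with `php` on the command line. In the first scenario the actor can assign A and B, and `escalation` for a user created in B is empty, which is the "gains nothing" argument made above. The second scenario is the caveat worth checking when reviewing group permissions: an explicit assignUserGroup grant lets the actor hand out permissions they do not hold themselves (here `deleteUsers`), so it is the explicit grants, not the implicit own-group case, that deserve scrutiny.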

AdnaneAm commented 1 year ago

Ha, okay, I understand now why the current user's own group is shown by default in the permissions tab. I'll submit a feature request since I'm sure it's something other users would want.