modxbot / migrate

A testground for migrating issues and other such fun

Any user with permission to create/edit users can effectively assign himself or any other user any permissions #10443

Open juro opened 14 years ago

juro commented 14 years ago

juro created Redmine issue ID 10443

Situation: an admin needs to create a special user/role/policy (e.g. Manager) that is able to create/edit other users (e.g. a department manager can manage users from his dept.). To be effective, the manager must have at least these permissions:

- access_permissions (at least the User management action must be visible in the top menu)
- new_user, view_user, edit_user, delete_user, save_user, view_role

Sadly this also means that the Manager can:

- delete or disable admin
- add himself or any user any role (Superuser) and assign to any User group (Administrator)

It also means he can create snippets and plugins, thus effectively run any PHP code on the server, access the database directly etc.

The resolution would be that anybody can assign (view) roles up to his own role and assign to his own user groups.
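The ceiling proposed at the end of the report, as an added Python illustration that is not MODX's own code: role ranks, group memberships, permission names and the sample users are simplified assumptions constructed for the example.

```python
"""Role-assignment ceiling: a user who may edit users can only grant roles no
higher than their own, and only within user groups they already belong to.
Standalone example, not MODX's implementation; the data model is assumed."""
from dataclasses import dataclass, field

# Assumed role ranks: lower number means more authority (Super User on top).
ROLE_RANK = {"Super User": 0, "Manager": 5, "Member": 9999}


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)
    # group name -> role held in that group
    memberships: dict = field(default_factory=dict)


class Forbidden(Exception):
    pass


def assignable_roles(actor: User, group: str) -> set:
    """Roles the actor may grant in `group`: none unless the actor is a member,
    otherwise only roles that do not outrank the actor's own role there."""
    own = actor.memberships.get(group)
    if own is None:
        return set()
    return {r for r, rank in ROLE_RANK.items() if rank >= ROLE_RANK[own]}


def assign_role(actor: User, target: User, group: str, role: str) -> User:
    """Grant `role` in `group` to `target`, enforcing the ceiling above."""
    if "edit_user" not in actor.permissions:
        raise Forbidden("edit_user permission required")
    if role not in assignable_roles(actor, group):
        raise Forbidden(f"{actor.name} may not grant {role} in {group}")
    target.memberships[group] = role
    return target


def can_delete(actor: User, target: User) -> bool:
    """Refuse to delete/disable anyone holding a role the actor cannot grant."""
    return all(role in assignable_roles(actor, g)
               for g, role in target.memberships.items())


# Constructed sample users mirroring the report's scenario.
ADMIN = User("admin", {"edit_user"}, {"Administrator": "Super User"})
MANAGER = User("manager", {"edit_user", "new_user", "view_user", "delete_user",
                           "save_user", "view_role"}, {"Sales": "Manager"})
STAFF = User("staff", set(), {"Sales": "Member"})
```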

splittingred commented 14 years ago

splittingred submitted:

I think the best solution is to add a few more permissions, as it seems 'access_permissions' is bearing too much of the weight. We'll address this in 2.0.3.