opengeek
commented
13 years ago opengeek submitted:
This should be properly implemented using a Group administration approach. I do not see any reason to complicate people's understanding of authority by introducing it as a separate concept on Groups. Users within groups can be group administrators or have authority within the Group, but user administration by group membership/authority is the way to go here.
dimmy created Redmine issue ID 3657
Currently, when you give a user access to modify user groups this user can always give him/herself Administrator rights. This means that there's no way to let a user access the user management panel without giving them the rights to mess up the whole site when they grant themselves administrator rights.
This problem can easily be solved by giving a user group an authority integer (as with the roles). For instance:
There are 3 user groups: Administrator - authority 1 Manager - authority 2 Editor - authority 3
If a manager may access the user groups and user account, he or she can NEVER grant themselves or another user a group that is higher then manager. So the "Administrator" group would be 'out-of-reach' for them and as such, they can never mess up the site (or access core components we do not want them to access).