Conflict between manageUsers and admin roles
--------------------------------------------

Key: CONTINUUM-935
URL: http://jira.codehaus.org/browse/CONTINUUM-935
Project: Continuum
Issue Type: Bug
Affects Versions: 1.1
Environment: acegi branch
Reporter: Carlos Sanchez
Priority: Critical

A user with the manageUsers role should not be able to assign the admin role to anybody.

The problem expands to any role; I think the solution should be implemented in UserManager.

When getting the list of available groups for adding to a user, it must not return groups that have roles that the current user does not have. This must be checked in the method that adds a user to a group too.

When adding roles to a user group, only the roles of the current user can be added, to avoid people adding roles to their groups.
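
The three checks the report asks for, as an added example that is not Continuum's code and not part of the original issue. The class, its method names, the group names and the users are hypothetical; only the manageUsers and admin role names come from the report.

```java
import java.util.*;

// Hypothetical model, not Continuum's UserManager: a group is a named set of roles.
public class RoleDelegationGuard {
    private final Map<String, Set<String>> groupRoles = new HashMap<>();
    private final Map<String, Set<String>> userGroups = new HashMap<>();
    // Bootstrap helpers (constructed sample data only); they perform no checks.
    void defineGroup(String group, String... roles) {
        groupRoles.put(group, new HashSet<>(Arrays.asList(roles)));
    }
    void seedMembership(String user, String group) {
        userGroups.computeIfAbsent(user, k -> new HashSet<>()).add(group);
    }
    // Effective roles: union of the roles of every group the user belongs to.
    Set<String> rolesOf(String user) {
        Set<String> roles = new HashSet<>();
        for (String g : userGroups.getOrDefault(user, Collections.emptySet()))
            roles.addAll(groupRoles.getOrDefault(g, Collections.emptySet()));
        return roles;
    }
    // Listing: offer only groups whose roles the acting user already holds.
    Set<String> availableGroups(String actor) {
        Set<String> held = rolesOf(actor);
        Set<String> out = new TreeSet<>();
        for (Map.Entry<String, Set<String>> e : groupRoles.entrySet())
            if (held.containsAll(e.getValue())) out.add(e.getKey());
        return out;
    }
    // Write path: repeat the check, since a client can skip the filtered list.
    void addUserToGroup(String actor, String user, String group) {
        if (!availableGroups(actor).contains(group))
            throw new SecurityException(actor + " may not assign group " + group);
        seedMembership(user, group);
    }
    // Group edits: an actor can add only roles that the actor holds.
    void addRoleToGroup(String actor, String group, String role) {
        if (!groupRoles.containsKey(group) || !rolesOf(actor).contains(role))
            throw new SecurityException(actor + " may not add role " + role);
        groupRoles.get(group).add(role);
    }
    public static void main(String[] args) {
        RoleDelegationGuard g = new RoleDelegationGuard();
        g.defineGroup("admins", "admin", "manageUsers");   // constructed groups
        g.defineGroup("userManagers", "manageUsers");
        g.seedMembership("alice", "userManagers");         // constructed user
        System.out.println(g.availableGroups("alice"));
        try { g.addUserToGroup("alice", "bob", "admins"); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```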