These are roles defined by a special API code, once a system role code is detected, the role becomes locked and its permissions are sourced from the AuthManager. All permissions are granted to system roles by default, unless otherwise specified. This should make it easier to create client accounts as "Publishers", hiding developer tools like the CMS and Builder plugins by default.
Follow up to 2046efb51d.
The previous commit prevented users from visually managing permissions that they themselves didn't have access to, this follow-up commit enforces that limitation serverside to defend against crafted privilege escalation attacks by authenticated users.
Prevents users from granting permissions that they themselves do not have. Fixes#1673, and is a partial solution to #2367. However, this still does not address the issue of being able to assign / manage groups that have permissions that the user doing the management does not themselves have. That will have to be addressed separately as a part of #2367.
Samuel Georges
Luke Towers
Quezler
alekseybobkov