Commit Graph

11 Commits

Author SHA1 Message Date
Alexander Guth 1389f77390 Fix 'illegal string offset' warning (#3331)
Credit to @alxy 
In case a new administrator is created by a non-superuser and no permission is set directly on creation, `permissions` is not initialized correctly. Thus, when the non-superuser tries to access `$this->model->permissions` it is not populated with an empty array as expected.

I have actually no clue why it does work for superusers however, as they should certainly experience the same issue, but this is not the case.
2017-12-31 11:03:07 -06:00
Steve Mortimer 7c20e32c47 Allow non-superusers with manage_users to set permissions back to inherit
Fixes #3274
2017-11-30 15:01:43 -06:00
Samuel Georges 4fd1ca824f Introduce concept of system roles
These are roles defined by a special API code. Once a system role code is detected, the role becomes locked and its permissions are sourced from the AuthManager. All permissions are granted to system roles by default, unless otherwise specified. This should make it easier to create client accounts as "Publishers", hiding developer tools like the CMS and Builder plugins by default.
2017-07-13 19:29:50 +10:00
Luke Towers 950c341c49 Prevent privilege escalation from crafted requests
Follow up to 2046efb51d.
The previous commit prevented users from visually managing permissions that they themselves didn't have access to; this follow-up commit enforces that limitation server-side to defend against crafted privilege escalation attacks by authenticated users.
2017-07-10 18:36:43 -06:00
Luke Towers 2046efb51d Prevent users from granting permissions they don't have
Prevents users from granting permissions that they themselves do not have. Fixes #1673, and is a partial solution to #2367. However, this still does not address the issue of being able to assign / manage groups that have permissions that the user doing the management does not themselves have. That will have to be addressed separately as a part of #2367.
2017-07-09 20:24:17 -06:00
Quezler cc17b679f1 Code dusting (#2826)
Code cleaning according to PSR-2 w/ exemptions (mostly dust).
2017-04-24 21:38:19 +10:00
Samuel Georges b841f9e066 {@inheritDoc} -> @inheritDoc
2017-03-16 06:26:14 +11:00
Samuel Georges 29040b416c Allow redirect: false on importExportController
Implement getFieldName() method
2016-11-28 07:50:06 +11:00
alekseybobkov b1770626d7 UI updates
2016-02-23 21:44:05 -08:00
alekseybobkov 6ed4bd5ef6 Updates in the UI
2016-02-22 21:52:23 -08:00
alekseybobkov a943708b99 UI updates
2016-02-19 22:12:41 -08:00