Users need 'administer permissions' to edit roles on the user edit page

Issue created by @Liam Morland
Status changed to Needs review over 1 year ago6:07pm 13 September 2023
Open in Jenkins → Open on Drupal.org →
Core: 9.5.5 + Environment: PHP 7.3 & MySQL 5.7
last update over 1 year ago
11 pass
Comment over 1 year ago →
🇨🇦Canada Liam Morland Ontario, CA 🇨🇦
Open in Jenkins → Open on Drupal.org →
Core: 10.1.x + Environment: PHP 8.2 & MySQL 8
last update over 1 year ago
11 pass
Status changed to Postponed: needs info 16 days ago12:59pm 27 May 2025
Comment 16 days ago →
🇧🇪Belgium dieterholvoet Brussels
If a user has permission administer users but not administer permissions, they cannot edit user roles on user/UID.

Seems like they can. The core AccountForm does contain the following code:

$form['account']['roles'] = [ '#type' => 'checkboxes', '#title' => $this->t('Roles'), '#default_value' => (!$register ? $account->getRoles() : []), '#options' => $roles, '#access' => $roles && $user->hasPermission('administer permissions'), ];
but this module adds its own role_change field to the user form and the core access check doesn't affect that. Or am I missing something here?
Comment 16 days ago →
🇨🇦Canada Liam Morland Ontario, CA 🇨🇦
What if a user only has administer users? They cannot edit roles on user/UID and they do not have access to user/UID/roles.

Comments & Activities