The module has options to "Restrict password management" and "Restrict email management" to hide access to these fields on the user edit form. But if the user has the "administer users" permission, they bypass this restriction. This is problematic for my use case, where I want to give some users the "administer users" permission so they can create/edit/delete users but don't want them to be able to edit the password and email fields.
Add a new config option "Allow users with administer users permission to bypass the above password/email restrictions" that only appears when either the checkbox for "Restrict password management" or "Restrict email management" are checked. Have it disabled by default, but add an update hook to enable it for existing sites that have either of these checkboxes checked.
Adds some complexity here, but this preserves the existing behavior.
I think in a future major version of the module, we might consider just removing this new setting and just change the behavior so that it's never allowed to edit them by anyone.
A new setting "Allow users with administer users permission to bypass the above password/email restrictions".
Active
2.0
CAS
Merged 3.x into MR branch and addressed merge conflicts. Should be ready for review.