Ticket #11888 (closed Bug: fixed)
Site administrators cannot assign groups when creating users
Reported by: lentinj | Owned by:
With Plone 4.1rc2, create a new user in "Site administrators" group, log in as that user. Try and create another user, assigned to at least one group. No error appears, but user is not assigned to that group. However, clicking on the user and the "group memberships" tab, the groups can be assigned successfully.
I have done some digging:
In plone/app/users/browser/register.py, which manages the "Add user" overlay form...
- It checks for the "Manage users" permission (which Site admins don't have) and, if it is not available, skips over them silently. This check is unnecessary anyway and should be removed.
- Calling addMember() will check "Manage users" anyway, as well as other ways you could have permission to edit the group in Products.PlonePAS.tools.groupdata.canAdministrateGroup(). Unfortunately site admins don't match any of these checks so an error is thrown.
- There is a double redirect after submission of the add user form, which eats any error messages from the above.
In plone/app/controlpanel/usergroups.py, which is the form that allows site admins to add groups, addMember() isn't used. It performs its own (different) security checking and uses addPrincipalToGroup() directly. The site admin passes these checks fine so the change goes through without a hitch.
My suggestion is that plone/app/controlpanel/usergroups.py should be modified so it relies on addMember() instead, and addMember() altered so site admins are allowed to use it.
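
The following is a simplified model of the two code paths described in this ticket, added here as an illustration; it is not Plone code and not the reporter's. The role table, the "panel access" permission, the "Reviewers" group and all function names are assumptions. It ends with a regression check that fails whenever the two entry points reach different authorization outcomes for the same role.

```python
class Unauthorized(Exception):
    pass

# Constructed role table. "Manage users" is the permission named in the ticket;
# "panel access" is a placeholder for whatever the control panel form checks.
ROLE_PERMS = {
    "Manager": {"Manage users", "panel access"},
    "Site Administrator": {"panel access"},
}

def has(role, perm):
    return perm in ROLE_PERMS[role]

def add_member(role, groups, group, user):
    """Guarded API; stands in for addMember()."""
    if not has(role, "Manage users"):
        raise Unauthorized(f"{role} may not edit {group}")
    groups.setdefault(group, set()).add(user)

def add_principal_to_group(groups, group, user):
    """Unguarded primitive; stands in for addPrincipalToGroup()."""
    groups.setdefault(group, set()).add(user)

def register_form(role, groups, user, wanted):
    """'Add user' form as described: the pre-check silently skips the groups."""
    if has(role, "Manage users"):
        for g in wanted:
            add_member(role, groups, g, user)
    return "user added"  # same message whether or not groups were assigned

def control_panel(role, groups, user, wanted):
    """Group memberships form as described: own check, then the primitive."""
    if not has(role, "panel access"):
        raise Unauthorized(role)
    for g in wanted:
        add_principal_to_group(groups, g, user)

def entry_points_agree(role):
    """Regression check: both paths must end in the same decision and state."""
    outcomes = []
    for path in (register_form, control_panel):
        groups = {}
        try:
            path(role, groups, "newuser", ["Reviewers"])  # constructed input
        except Unauthorized:
            groups = None  # explicit denial
        outcomes.append(groups)
    return outcomes[0] == outcomes[1]
```
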