User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
Build Identifier: 3.0.4
Allowing a user to create groups also allows them to edit group inheritance/membership. This ultimately gives anyone with creategroups admin rights.
Steps to Reproduce:
1. User is in group 'creategroups' and group A.
2. User modifies group settings for 'group A' to inherit 'editusers' or 'admin'.
User is now admin, or can put other users (or himself) in the admin group.
Do not allow editing group security (or at least not inheriting admin, editusers, etc.).
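The restriction requested in the report, generalized as an added example (not Bugzilla's code and not part of the original report): an inheritance edit is applied only if the editor already holds every group the new parent confers, which covers indirect paths as well as 'admin' and 'editusers' directly. The inheritance map, the 'managers' group and all function names are hypothetical.

```python
# Constructed model (not Bugzilla's schema): group -> groups it inherits.
INHERITS = {"admin": set(), "editusers": set(), "creategroups": set(),
            "managers": {"editusers"},   # hypothetical indirect path
            "group A": set()}
DIRECT = {"user": {"creategroups", "group A"}}  # the reporter's scenario


def effective_groups(groups, inherits):
    """Transitive closure of `groups` over the inheritance map."""
    seen, stack = set(), list(groups)
    while stack:
        g = stack.pop()
        if g not in seen:       # also stops on inheritance cycles
            seen.add(g)
            stack.extend(inherits.get(g, ()))
    return seen


def set_inheritance(editor, group, parent, direct, inherits, guarded=True):
    """Make `group` inherit `parent`; return True if the edit was applied."""
    held = effective_groups(direct[editor], inherits)
    if "creategroups" not in held:
        return False
    # Guard: the editor may not confer any group they do not already hold.
    if guarded and not effective_groups({parent}, inherits) <= held:
        return False
    inherits.setdefault(group, set()).add(parent)
    return True


def demo(guarded):
    """Replay step 2 of the report; return (edit applied, user is admin)."""
    inherits = {g: set(p) for g, p in INHERITS.items()}  # fresh copy
    applied = set_inheritance("user", "group A", "admin", DIRECT, inherits, guarded)
    return applied, "admin" in effective_groups(DIRECT["user"], inherits)


if __name__ == "__main__":
    print("unguarded:", demo(False))
    print("guarded:  ", demo(True))
```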
Following the discussion resulting in bug 315064, comment 5, this is probably a dupe of bug 194686.
This is a different bug, as we are not giving anyone editusers permissions.