User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0 Build Identifier: 3.0.4 Allowing to create groups also allows to edit group inheritance/membership. This ultimately allows anyone with creategroups admin rights. Reproducible: Always Steps to Reproduce: 1. User is in group 'creategroups' and group A. 2. User modifies group settings for 'group A' to inherit 'editusers' or 'admin'. Actual Results: User is now admin, or can put other users (or himself) in the admin group. Expected Results: Not allow editing group security (or at least not inheriting admin or editusers etc).
This is a different bug, as we are not giving anyone editusers permissions.