AssignRoleToUsers should not be implied by EditUsers (#16954)

--------- Co-authored-by: Mike Alhayek <[email protected]>
OrchardCMS · Nov 25, 2024 · 1cd5c1c · 1cd5c1c
1 parent 299a254
commit 1cd5c1c
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/src/OrchardCore/OrchardCore.Users.Core/CommonPermissions.cs b/src/OrchardCore/OrchardCore.Users.Core/CommonPermissions.cs
@@ -21,7 +21,7 @@ public static class CommonPermissions
 
     public static readonly Permission ListUsers = new("ListUsers", "List all users", [EditUsers, DeleteUsers]);
 
-    public static readonly Permission AssignRoleToUsers = new("AssignRoleToUsers", "Assign any role to users", [EditUsers], true);
+    public static readonly Permission AssignRoleToUsers = new("AssignRoleToUsers", "Assign any role to users", true);
 
     public static readonly Permission DisableTwoFactorAuthenticationForUsers = new("DisableTwoFactorAuthenticationForUsers", "Disable two-factor authentication for any user", [ManageUsers], true);
 

diff --git a/src/docs/releases/3.0.0.md b/src/docs/releases/3.0.0.md
@@ -48,3 +48,7 @@ The following obsolete settings were removed from `LoginSettings` class
 #### Login View Update
 
 The `ExternalLogin` action has been removed from the `Account` controller. If you are using a custom `Login.cshtml` view or `Login` template, please update the external login form action. As of this update, the `ExternalLogin` action has been relocated to the `ExternalAuthentications` controller.
+
+#### AssignRoleToUsers Permission Update
+
+The `AssignRoleToUsers` permission is no longer implicitly granted by `EditUsers`. To maintain the same behavior, make sure to explicitly assign the `AssignRoleToUsers` permission to any role that already has the `EditUsers` permission.