AssignRoleToUsers should not be implied by EditUsers

[MikeAlhayek]

In the permission structure we currently have. The AssignRoleToUsers permission should NOT be implied by EditUser. AssignRoleToUsers should be explicitly granted instead.

Change

OrchardCore/src/OrchardCore/OrchardCore.Users.Core/CommonPermissions.cs

Line 24 in dd03cf8

public static readonly Permission AssignRoleToUsers = new("AssignRoleToUsers", "Assign any role to users", [EditUsers], true);

to

    public static readonly Permission AssignRoleToUsers = new("AssignRoleToUsers", "Assign any role to users", true);

[github-actions]

We triaged this issue and set the milestone according to the priority we think is appropriate (see the docs on how we triage and prioritize issues).

This indicates when the core team may start working on it. However, if you'd like to contribute, we'd warmly welcome you to do that anytime. See our guide on contributions here.

[sebastienros]

I agree with the issue description.

However I think it may be fine as a non-breaking change. Kind of a fix. Would the fix also add the permission by default to the roles that have Edit Users?

[MikeAlhayek]

If we provide a migration to grant the permission for all the roles, then we won't break anything. But we would have to make sure that migration does run for new tenants.