I don't see any difference between 6.2.10 and 6.2.11.
Superadmin can edit all users, admins can edit only users that they created.
Look at the image, admin can edit user that it created (screenshot is same for 6.2.10 and 6.2.11).

Screenshot 2023-10-11 at 12.59.23.png (96,481 bytes)   

Screenshot 2023-10-11 at 12.59.23.png (96,481 bytes)   

That didn't happen in the last versions; users with full permissions to edit users could also edit permissions for users that were created by other users.
All users here are automatically created after the user successfully logs in on a federated auth, so, we have "power users" that can manage user permissions.

We made a lot of security fixes in the last few weeks, so there are more restrictions now.

@DenisChenu @gabrieljenik please correct me here if this was not a wanted change.

I would say we need to identify which ticket created this behaviour change and then evealute from there.

There are different test for User permission , before any new update we must make clean decision and write it clearly on wiki or somewhere else

See this issue for example : 19127: User with Create user permission can not create user https://bugs.limesurvey.org/view.php?id=19127

That didn't happen in the last versions; users with full permissions to edit users could also edit permissions for users that were created by other users.

I think he can make update via Quick Menu but not via simple menu ?

@tibor.pacalat : the issue here are about updating system. If you can confirm user need both : update + owner to edit another user in 3 and 1st 5.X version : we can delete update permission at 1st step (and set it at 0 when update) and add it after where user have ALL user update Permisuison.

About commit : https://github.com/LimeSurvey/LimeSurvey/commit/a2eece7853698b6145828cbbe40e10e0fdd36cb4 related issue : https://bugs.limesurvey.org/view.php?id=18355

3.X version : user need to be owner to update other user's

Then : new feature allow user to update other user

This need 2 step

1. removing current update/delete permission : owner have ALL permission on user created by himself : fix 19127. When update : DB update set all update/create user permission to 0
2. Adding again update/delete permission : allowing superadmin to create USer manager without access to Survey (for example)

Capture d’écran du 2023-10-12 09-31-47.png (90,996 bytes)   

Capture d’écran du 2023-10-12 09-31-47.png (90,996 bytes)   

Then there are a really big issue in 1st versions of 6.X

In 5.X : user can not edit other user's
update 6.X : same user can edit other user's …

We'll have a meeting next week about permission system in general, so we can decide there, what and how it needs to be changed exactly.

Hi, is there any development on this?