
Fixed users with permissions not allowed to change ACL #10764

Closed

roland-d (Contributor)

@roland-d roland-d commented Jun 9, 2016

Related to #10763

Summary of Changes

A user with permission to make ACL changes is denied access because the check is incomplete. A user that is part of the Administrator group or a child thereof can log in and edit the permissions in Articles, for example. However, when this user tries that, the access is denied because the access check is only done on the global level, not on the actual component level.

Testing Instructions

  1. Log in with a user that is part of the Administrator group or a subgroup of it
  2. Go to Content -> Articles
  3. Click on the Options button
  4. Click on the Permission tab
  5. Try to change a permission, there will be no visible answer from the server (unless "Do not redirect in a JSON call but return a JSON string" #10763 is applied)
  6. Apply the patch
  7. Change a permission
  8. The permission is now changed

A little help from my friends @andrepereiradasilva and @infograf768
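The incomplete check described in the summary, as an added example that is not code from this PR or from Joomla: a reduced model of the Joomla 3 asset and group lookup (rules on an asset tree from the root to a component, groups inheriting from their parents, explicit deny winning over allow). Group names, asset names and rules are constructed fixtures; `authorise()` is assumed to mirror the core semantics, not a copy of the real implementation.

```php
<?php
// Constructed fixtures: group tree, asset tree and the rules stored on assets.
$groupParent = ['Super Users' => null, 'Administrator' => null, 'Content Admins' => 'Administrator'];
$assetParent = ['root.1' => null, 'com_content' => 'root.1', 'com_users' => 'root.1'];
// rules[asset][action][group] = 1 (allow) or 0 (deny)
$rules = [
    'root.1'      => ['core.admin' => ['Super Users' => 1]],
    'com_content' => ['core.admin' => ['Content Admins' => 1]],
];

// Walks a parent map from $name up to the root, returning the full chain.
function ancestors(array $parents, $name)
{
    $chain = [];
    for ($n = $name; $n !== null; $n = $parents[$n]) {
        $chain[] = $n;
    }
    return $chain;
}

// Simplified model of an ACL check: collect every group the user belongs to
// (including inherited parent groups), then walk the asset path from the
// requested asset up to the root. A single explicit deny is final; otherwise
// any allow grants; no matching rule at all means denied.
function authorise(array $userGroups, $action, $asset, array $rules, array $groupParent, array $assetParent)
{
    $identities = [];
    foreach ($userGroups as $g) {
        $identities = array_merge($identities, ancestors($groupParent, $g));
    }
    $result = null;
    foreach (ancestors($assetParent, $asset) as $a) {
        foreach (($rules[$a][$action] ?? []) as $group => $allowed) {
            if (!in_array($group, $identities, true)) {
                continue;
            }
            if ($allowed === 0) {
                return false; // explicit deny wins over every allow
            }
            $result = true;
        }
    }
    return $result === true;
}

$editor = ['Content Admins']; // member of a subgroup of Administrator
// Global-only check (the bug): tests the root asset, so the subgroup member is denied.
$globalOnly = authorise($editor, 'core.admin', 'root.1', $rules, $groupParent, $assetParent);
// Component-scoped check: tests the asset whose Options are actually being edited.
$scoped = authorise($editor, 'core.admin', 'com_content', $rules, $groupParent, $assetParent);
printf("global-only: %s, com_content: %s\n", var_export($globalOnly, true), var_export($scoped, true));
```

Scoping the check to the component is the part this PR addresses; on its own it says nothing about which groups' rules the user may then edit, which is the separate concern raised in the comments below.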

@roland-d roland-d added this to the Joomla 3.6.0 milestone Jun 9, 2016
@infograf768 (Member)

@roland-d
Although this works fine, it lets a user change the permissions of his own group.

@infograf768 (Member)

It also lets a user change the permissions of his parent group.

@brianteeman (Contributor)

@infograf768 I think a user should be able to change permissions of their own group ONLY if it is to a more restrictive setting but definitely not to give them access to something that was previously denied. They definitely should not be able to change permissions of parents - that would defeat the objective of an ACL system.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10764.

@infograf768 (Member) commented Jun 10, 2016

@brianteeman

I think a user should be able to change permissions of their own group ONLY if it is to a more restrictive setting but definitely not to give them access to something that was previously denied.

If you have multiple users in the same group, one of these could decide on a change that would apply not only to himself but to all members of that group. This should only imho be the privilege of the Parent Group (with ACL access) or superuser.

We also have another bug which is a security problem and I will create an issue for it:

A member of a subgroup of administrator (with access to user manager) with less permissions than the administrator group can make himself administrator when editing himself in Users Manage....
See #10775

@infograf768 (Member)

I will propose a patch.

@infograf768 (Member)

@brianteeman
Can you set this one as release blocker? At least until it is completed or replaced by andrepereiradasilva#53 which would anyway also be a release blocker until completed.

@andrepereiradasilva (Contributor)

@roland-d this should also be solved in #10793

@infograf768 (Member)

@roland-d
I suggest to close this one in favour of #10793 (which needs tests) 😃

@roland-d roland-d closed this Jun 12, 2016
@roland-d roland-d deleted the fix-acl-access-denied branch June 12, 2016 07:55