BUG SS361: User can accidentally remove self from the own Group

[alessandromarotta]

Acceptance Criteria

• As a logged in user with access to the "Security" section, I can remove myself from groups
• As a logged in user with access to the "Security" section, I can't remove myself from any group that would deny me further access to that section (groups with ADMIN permission)
• In the "Group" edit view, I can't unlink from an ADMIN group in the "Members" GridField (either by hiding the action, or through a validation error)
• In the "Member" edit view, I get a validation error when removing from an ADMIN group

Notes

• No need for confirmation dialogs (too complex)
• Users without ADMIN, but CMS_ACCESS_SecurityAdmin permissions are an edge case that we can ignore. It means there's likely other admins left in the system to restore access if needed.
• Long term, the ListboxField should enforce this rather than relying on validation (clearableValue: false see Use react-select for react-based dropdowns (SingleSelectField and MultiSelectField) silverstripe-admin#52 and https://github.com/JedWatson/react-select#multiselect-options)

Pull requests

• Feature disable current user from modifying their own groups #7518
• Fix update getenv call silverstripe-testsession#54
• Feature use existing fixture for member with the given id if found silverstripe-behat-extension#171

Original post

Hi there!
I found out a bug (IMHO) about the /admin/security/EditForm/field/Groups/ mask.

Every user can remove self from the own Group clicking on the unlink button.
I think that it's a bad idea.

Bye,
Alessandro

Note

ACs and details can also be found here silverstripe/silverstripe-cms#730

[chillu]

Confirmed that's the case - it's a regression from 3.x (not possible there).

[tractorcow]

Confirmed that's the case - it's a regression from 3.x (not possible there).

It seems to be possible in 3.x.

[flamerohr]

older issue here: silverstripe/silverstripe-cms#730