Prevent self-assigning of curatory group
Closed this issue · 1 comments
darupp commented
For every user it is possible to assign theirself to a curatory group. As curatory groups give the essential permissions to edit packages, platforms and orgs, you can elude the permission model.
As right now admin action is anyway required to give the necesseray user roles to a new user, he could also assign the curatory group.
So as provisional solution I strongly recommend showing the "Assign curatory group" panel/dialogue only to role admins.