It appears that any user given the ability to edit user profiles based on role also obtains the ability to edit/delete the admin user's profile. I added the following to prevent that across the board:
  // Don't allow a delegated editor to touch the admin account:
  // uid 1 is Drupal's superuser, so its profile is never delegable
  // regardless of which roles it carries.
  if ($uid == 1) {
    drupal_set_message(t('You do not have permission to edit %user.', array('%user' => $account->name)), 'error');
    drupal_goto("user/$uid");
  }

As an aside, it also appears that any user given the ability to edit user profiles based on role must be given the permission to 'edit users with role authenticated user' or 'delete users with role authenticated user', respectively, since any user with a role must be authenticated. I eliminated that requirement as follows:
  // $allowed is assumed to be initialised TRUE before this loop.
  // Every non-anonymous account carries 'authenticated user', so requiring
  // a per-role permission for it would force every delegated editor to hold
  // 'edit users with role authenticated user'; skip that role and require
  // the permission for each of the target's other roles instead.
  foreach ($account->roles as $role) {
    if ($role == 'authenticated user') {
      continue;
    }
    if (!user_access('edit users with role ' . $role)) {
      $allowed = FALSE;
    }
  }

Thanks for the module...
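The two checks above combined into one stand-alone decision function, as an added example that is not the module's code or the poster's patch. The permissions held by the acting user are modelled as a plain array ($granted), standing in for user_access(), so it runs outside Drupal; the account objects, role names and permission strings are constructed sample data. How a target whose only role is 'authenticated user' is handled (gated by the authenticated-user permission rather than allowed through) is a choice of this example, not something the patch specifies.

```php
<?php
/**
 * Added example (not the module's code): decide whether a delegated
 * editor may perform $op ('edit' or 'delete') on $account.
 *
 * $granted is a constructed stand-in for the permissions the acting user
 * holds; in the real module this lookup would be done by user_access().
 */
function delegated_user_access($op, $account, array $granted) {
  // Only edit and delete are delegable operations.
  if (!in_array($op, array('edit', 'delete'), TRUE)) {
    return FALSE;
  }

  // uid 1 is the Drupal superuser: never delegate editing or deleting it,
  // whatever roles it carries.
  if ((int) $account->uid === 1) {
    return FALSE;
  }

  // Every non-anonymous account carries 'authenticated user', so requiring
  // its per-role permission would make every delegation grant pointless.
  // Check each of the target's *other* roles; all of them must be granted.
  $other_roles = array_diff($account->roles, array('authenticated user'));

  if (empty($other_roles)) {
    // Assumption of this example: a target with no extra role is gated by
    // the authenticated-user permission itself instead of falling through.
    return in_array("$op users with role authenticated user", $granted, TRUE);
  }

  foreach ($other_roles as $role) {
    if (!in_array("$op users with role $role", $granted, TRUE)) {
      return FALSE;
    }
  }
  return TRUE;
}

// Constructed sample accounts, keyed the way Drupal 6 keys $account->roles
// (rid => role name; rid 2 is 'authenticated user').
$admin  = (object) array('uid' => 1,  'name' => 'admin',  'roles' => array(2 => 'authenticated user'));
$editor = (object) array('uid' => 7,  'name' => 'editor', 'roles' => array(2 => 'authenticated user', 3 => 'editor'));
$mod    = (object) array('uid' => 9,  'name' => 'mod',    'roles' => array(2 => 'authenticated user', 3 => 'editor', 4 => 'moderator'));
$plain  = (object) array('uid' => 12, 'name' => 'plain',  'roles' => array(2 => 'authenticated user'));

// Constructed permission set for the acting user: may edit editors only.
$granted = array('edit users with role editor');

// Each case lists the account, the operation and the expected decision.
$cases = array(
  'admin (uid 1), edit'      => array($admin,  'edit',   FALSE),
  'editor, edit'             => array($editor, 'edit',   TRUE),
  'editor, delete'           => array($editor, 'delete', FALSE),
  'editor+moderator, edit'   => array($mod,    'edit',   FALSE),
  'authenticated only, edit' => array($plain,  'edit',   FALSE),
);

foreach ($cases as $label => $case) {
  list($account, $op, $expected) = $case;
  $got = delegated_user_access($op, $account, $granted);
  printf("%-26s => %-7s (%s)\n", $label, $got ? 'allowed' : 'denied', $got === $expected ? 'ok' : 'MISMATCH');
}
```

Run it with the PHP CLI (php example.php); every case should report ok. The point of the editor+moderator case is that delegation is conjunctive: holding the permission for one of the target's roles is not enough when the target also carries a role the acting user cannot edit.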

Comments

smokris

Status: Active » Fixed

I tweaked your patches slightly and applied them to 5.x-1.3 and 6.x-1.3. Thanks for reporting this.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.