Hi,
Though the README.txt says
"Users with 'administer users' are able to access all userplus functionality"
it is supposed to mean "unless overwritten by system module permissions", as is the case for all the modules I've used up to now.
In the case of the userplus module, users who are forbidden to access site configuration still have access to "userplus settings"... In other words, it overrides the permissions set for system module:administer site configuration.
Users with the administer users permission set to "yes" and the administer site configuration permission set to "no" should not have access to the administer userplus settings functionality.
Moreover, it's very misleading since there is a permission attached to the "administer userplus settings" functionality (users with site configuration permission are not concerned). A user who has neither the administer site configuration permission nor the administer userplus settings permission is not meant to have access to administer site configuration:userplus settings...
On such a critical issue, an implicit rule cannot override two explicit rules... And this is a huge security hole for applications that have a hierarchy of admins like those permitted by the related project "role delegation".
An elegant solution would be to enforce the administer userplus settings permission for every user, whatever her/his user module:administer users permission is. It would logically override the administer site configuration permission, since more specific explicit permissions have priority over less specific ones.
I'm sorry I don't have the programming skills to implement it, but I hope it may help those who have these skills...