I would like to confirm these statements regarding permissions, ACLs and groups (WordPress 4.7.1, CiviCRM 4.7.15):
1- Permission to edit contacts (ACL or general), allows user to assign contacts to ANY group
2- As 1 is true, user can add himself to another group and thus obtain its ACL related permissions
This is a serious issue for us as it hinders the flexible security management ACL provides. I would like to evaluate viability of a feature to solve this problem. I see two approaches:
1- A general permission (not ACL related; in WordPress, tied to the WordPress user role) which would control assignment to access control groups (this will be enough for our organization)
2- As 1, combined with ACL permissions (e.g. denied general permission but allowed assignment to certain access control groups through ACL)
I would be capable of working on either of these approaches (1 in a first phase, then 2) but I am not yet very familiar with the CiviCRM code structure. Can you point out the possible problems and difficulties of implementing these features? Is there any related issue in Jira?
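For reference, here is a sketch of what "approach 1" can look like as a small CiviCRM extension, enforced from a hook rather than in core. This is an added example, not the poster's code and not CiviCRM's own implementation: the `groupguard` prefix, the permission name `assign contacts to acl groups`, the hard-coded list of protected group IDs, and the assumption that `hook_civicrm_pre` for `GroupContact` receives the group ID in `$id` and the contact IDs being added in `$params` (by reference) are all assumptions to verify against the 4.7.15 source.

```php
<?php
// Added example (not the poster's code, not CiviCRM core). Extension-style
// hooks that stop "edit contacts" alone from granting membership of groups
// that ACL rules depend on. All "groupguard" names are assumptions.

// IDs of groups whose membership is referenced by ACL rules.
// Assumption: maintained by the site administrator; a real extension would
// read this from a setting or derive it from civicrm_acl_entity_role.
function groupguard_protected_group_ids() {
  return [3, 7]; // constructed sample IDs
}

/**
 * Implements hook_civicrm_permission().
 * Declares a site-wide permission that is granted through the CMS role
 * (WordPress role -> CiviCRM permission), independent of any ACL.
 */
function groupguard_civicrm_permission(&$permissions) {
  $permissions['assign contacts to acl groups'] = [
    ts('CiviCRM: assign contacts to ACL groups'),
    ts('Add contacts to groups that are referenced by ACL rules'),
  ];
}

/**
 * Implements hook_civicrm_pre().
 * Assumption: for objectName 'GroupContact' and op 'create', $id is the
 * group ID and $params is the array of contact IDs about to be added,
 * passed by reference so entries can be dropped before the write happens.
 */
function groupguard_civicrm_pre($op, $objectName, $id, &$params) {
  if ($objectName !== 'GroupContact' || $op !== 'create') {
    return;
  }
  if (!in_array((int) $id, groupguard_protected_group_ids(), TRUE)) {
    return; // ordinary group: normal edit-contact rules apply
  }
  if (CRM_Core_Permission::check('assign contacts to acl groups')) {
    return; // role explicitly allows ACL group assignment
  }

  // Denied: record the attempt for audit, then drop every contact ID so
  // nothing is written. The current user's own contact ID is logged so a
  // self-elevation attempt (statement 2 in the post) is visible in the log.
  $actor = (int) CRM_Core_Session::getLoggedInContactID();
  CRM_Core_Error::debug_log_message(sprintf(
    'groupguard: contact %d denied adding %d contact(s) to ACL group %d',
    $actor, count($params), (int) $id
  ));
  $params = [];
  CRM_Core_Session::setStatus(
    ts('You do not have permission to add contacts to this access control group.'),
    ts('Not allowed'),
    'error'
  );
}
```

The check runs before the database write, so it also covers bulk "add to group" actions from search results and API calls that go through the same BAO path. Approach 2 (per-group allowances through ACL) would replace the flat `in_array` test with a lookup of which protected groups the current user's ACL roles are permitted to assign to; the hook structure stays the same.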