Currently, to create or update a user through the TO API, you have to have the admin or operations role; however, going forward, your role will not dictate your ability to create/update users but rather the capabilities attached to your role.
Going forward roles can be arbitrarily created and attached to whatever capabilities the administration of the system desires.
For example, roles could look like this:
admin (all capabilities)
operations (whatever capabilities make sense for this role)
foo (whatever capabilities make sense for this role)
bar (whatever capabilities make sense for this role)
read-only (whatever capabilities make sense for this role)
disallowed (no capabilities)
In this example, if the foo role has the user-write capability, anyone with the foo role can create or update users, which means they could create a user and give them the admin role, thus sidestepping roles/capabilities altogether.
When creating / updating users, you should never be able to assign a role with a higher priv level than your role's priv level.
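One way to enforce the rule stated in the last sentence, as an added example that is not part of the original issue and is not Traffic Ops code: the role names follow the list above, while the numeric priv levels, the `Role` struct and the `CheckRoleAssignment` function are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Role pairs a priv level with capabilities (field names and levels are assumed).
type Role struct {
	Name         string
	PrivLevel    int
	Capabilities map[string]bool
}

var (
	ErrNoCapability = errors.New("caller lacks user-write capability")
	ErrUnknownRole  = errors.New("requested role does not exist")
	ErrEscalation   = errors.New("requested role outranks caller's role")
)

// Constructed sample roles following the list in the issue.
var roles = map[string]Role{
	"admin":      {"admin", 30, map[string]bool{"user-write": true}},
	"foo":        {"foo", 15, map[string]bool{"user-write": true}},
	"read-only":  {"read-only", 10, map[string]bool{}},
	"disallowed": {"disallowed", 0, map[string]bool{}},
}

// CheckRoleAssignment gates user create/update. Holding user-write is not
// enough: the requested role's priv level must not exceed the caller's.
func CheckRoleAssignment(callerRole, requestedRole string) error {
	caller, ok := roles[callerRole]
	if !ok || !caller.Capabilities["user-write"] {
		return ErrNoCapability
	}
	target, ok := roles[requestedRole]
	if !ok {
		return ErrUnknownRole // fail closed on role names the server does not know
	}
	if target.PrivLevel > caller.PrivLevel {
		return ErrEscalation
	}
	return nil
}

func main() {
	for _, want := range []string{"admin", "foo", "read-only", "nope"} {
		fmt.Printf("foo assigns %-10s -> %v\n", want, CheckRoleAssignment("foo", want))
	}
}
```

The comparison has to run on the server against the caller's stored role for both create and update requests, since the role in the request body is attacker-controlled input.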