Description of problem: I'm not sure there's a permission combination possible that would allow users to change their password. Note that this isn't a bug re: the fact that there is no UI presently to do such a thing - this is more about the idea that there seems to be no way to configure such a right. Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. As admin, Create a user, "nonadmin" with no rights 2. As admin, click the link at the top-right corner to go to what is presumably the placeholder for user info (and probably where a user will be able to change his info) 3. Login as nonadmin; attempt to visit the user info page - note permission denied. 4. Log back in as admin. Create a new role, "user_role" and create a global permission called Update Users, which has a permission:verb of User:Update Users 5. Log back in as nonadmin and attempt to navigate to user info page. Actual results: This exercise appears to demonstrate that any present/future attempts to grant rights that would allow a user to change his own password (or at very least, view his own user info) are inextricably tied to the a role that grants Update rights across a global (or org-centric) basis - though presumably view user info would be available under Access Users. Expected results: There should be a role/permission that allows/will allow users to access their own user info without granting them such access on a larger scale. Additional info:
added ability for users to edit their own info by clicking on their user name in the upper right hand corner. 030f9e69b377bf3e818237d46256e79fd028c970
As noted in the initial paragraph above, this bug has little to do with the fact that a user could not modify his or her own personal information - although now having this page makes it more readily apparently. That said -- creating a user with no roles/permissions cannot access that page. Such a user, when clicking the login name, gets a permission denied. OTOH, you can grant Update Users perm to this user - but then this user would be have rights to edit users globally or across an organization. /That/ is the point of this bug. Any ability for a user to edit his or her own information is inextricably tied to a larger role which thus allows update all users, either globally or on an org-by-org basis.
sorry, there was a (mistaken) requirement that to visit that page you needed to be in at least one org. Fixed: 3ca2afb11c35dff870946754417336ea0860246b
QA Verified.
getting rid of 6.0.0 version since that doesn't exist