Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
admin/ui
Describe the bug
When using fine-grained permissions and having a user configured to manage just a particular group and its members, roles will be displayed that aren't assignable to users in the group. This only affects being able to actually view the users, but it makes the UI difficult to use if you don't know what is going on.
I already found the issue:
Line 184, `if (this.auth.users().canManage() || !Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) {`,
should instead just be `if (this.auth.users().canManage() && !Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) {`.
This will result in the correct behavior and only display roles that are assignable to users of the group.
Because it is an "or", it fails to recognize that the feature is enabled and it falls into the wrong block of code.
Version
26.0.5
Regression
- The issue is a regression
Expected behavior
The Role Mapping > Assign role UI should only display roles that are actually assignable to a user, not all roles from all clients.
Actual behavior
All roles from all clients are displayed whether the user making the change has permission to assign the roles or not.
How to Reproduce?
Create a group, enable fine-grained permissions, add a permission to the group that allows for managing users of a client, add a user to that group of "privileged users", and add roles to that new client. You should see system roles as well as the roles for the client. Attempting to add any of those system roles to the user will result in a 403, which is expected; however, them being displayed in the first place is not.
Anything else?
No response