@uglyeoin that is interesting but surely not an issue in a live site where new usergroups and access levels are usually tested before any real users are added to new usergroups.

I didn't test it, so we can assume someone else could do the same thing. Once I had logged in and realised the error I couldn't log out of my test user, so I couldn't fix the problem by logging back into my Super User. I could have cleared my cookies, but perhaps another user doesn't know that.

Is there ever a time when a logged in user should not be authorised to log out?

What you have said is almost on par with saying, we shouldn't check that an email address has been entered when creating a user, because surely they know to do that. In some cases we shouldn't rely on the users.

It's a valid bug

@uglyeoin @brianteeman -
Creating users is completely different, of course. In this particular case we should not be relying on users either, but new users should be able to rely on webmasters to have created their usergroup in such a way that it inherits permissions from its parent or is otherwise set up and tested properly beforehand. That is how back end administration has worked in the past.

But how can you test it without logging in as that user? And then once you do you cannot log out to fix whatever error you have made.

@uglyeoin - nothing stops you from using two different browsers.

That is a work around. Doesn't stop it being a bug that can be fixed

Is this about mod_user having Special access level (related #28804)?

yes it is but I am assuming that @uglyeoin is referring to j3 and that is for j4

Sorry I thought I mentioned it but obviously I didn't this was in J4.

@SharkyKZ yes that looks the same to me. Nice work I'll close this.