From 69e2b806c25d1c119c7e89a731fa9b6d19ea1048 Mon Sep 17 00:00:00 2001
From: Zak Burke
Date: Wed, 6 Apr 2022 17:04:15 -0400
Subject: [PATCH] UIU-2563 users manipulating psets need permission to do so (#2099)

Prior to `permissions` `5.5`, having `perms.users.items.put`, `...post`, or `...delete` was a security vulnerability because it allowed any user with the ability to assign permissions to assign permissions they did not already have, e.g. for a user with `A` and `B` to grant `C` to somebody else. That _is_ a useful feature, but the two should not be coupled (assign own permissions; assign non-owned permissions). Here, that same logic is applied to creation of permission sets: users with the ability to create permission sets need the ability to create sets with permissions they may not own.

Refs UIU-2563
---
 package.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 0cfc503b3..a7b3e1e2b 100644
--- a/package.json
+++ b/package.json
@@ -186,7 +186,8 @@
 "perms.permissions.item.put",
 "perms.permissions.item.post",
 "perms.permissions.item.delete",
- "settings.users.enabled"
+ "settings.users.enabled",
+ "perms.users.assign.mutable"
 ],
 "visible": true
 },
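Review bot: The added sub-permission `perms.users.assign.mutable` gives every holder of this set the ability to assign permissions they do not themselves hold, which is the very capability the description identifies as a vulnerability when bundled with ordinary assignment, yet the enclosing set's `permissionName` and `description` sit outside the hunk, so the diff alone does not show that this is the narrowly scoped permission-set-editing set rather than a broader users set. The commit message ties the new permission to `permissions` `5.5`, but the change does not touch the module's `okapiInterfaces` declaration; if that entry still accepts an older `permissions` interface, the module could be enabled against a backend that does not define this permission, and the grant would refer to a name the backend does not know. Suggest raising the `permissions` interface requirement in the same change and recording the escalation in the set's `description` so administrators assigning it see it, e.g. `"description": "Edit permission sets; includes perms.users.assign.mutable, so holders may grant permissions they do not hold themselves"`.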