An Admin with only "Quick Add User" permission can see all users and access inline edit for all #5045

Closed
Vodhin opened this issue Jul 13, 2023 · 1 comment
Labels: type: bug (A problem that should not be happening)
Milestone: e107 2.3.3

Comments

Vodhin commented Jul 13, 2023

Bug Description

An Admin with only "Quick Add User" permission can see all users and access inline edit functions including display name, real name, email address, and assign user classes. Since Login Names are visible, it might be possible to change another Admin's email and then use the Forgot Password to change their password, locking them out and gaining whatever permissions they have.

How to Reproduce

Steps to reproduce the behavior:

  1. Make a new user account to test
  2. Go To e107_admin/users.php and make that user an Admin
  3. Go to e107_admin/administrator.php and Edit that user's permissions
  4. Check only Quick Add User in the General Tab
  5. Log Out
  6. Log In as that User, go to e107_admin/users.php and change any users' email, display name, and whatever.

Expected Behavior

User should only see the Quick Add User Form and no user list (or a list of only users they have added might be nice).

@Vodhin Vodhin added the type: bug A problem that should not be happening label Jul 13, 2023
@CaMer0n CaMer0n added this to the e107 2.3.3 milestone Aug 22, 2023
CaMer0n (Member) commented Aug 22, 2023

Thank you @Vodhin !! I didn't hide the user list, but I did disable 'inline' editing, which prevents any editing of it. I also prevented this type of admin from creating new admins (i.e. elevated access).
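
The following is an added example written for this page by its editor; it is not e107's code and does not use e107's real permission codes. It models the deny-by-default authorization that the report and the fix above describe: each admin-panel action (quick add, listing, inline edits of email/display name/real name, assigning an admin class) maps to exactly one permission, a "Quick Add User"-only admin sees only the users they added, editing another admin's record or creating an admin requires the elevated permission, and every denied request is written to an audit list so the attempt is visible. The permission names, the `created_by` field, the `AUDIT` list and all sample users are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical permission codes (assumed for this example, not e107's own).
QUICK_ADD = "quick_add_user"
LIST_USERS = "list_users"
EDIT_USER = "edit_user"
ASSIGN_ADMIN = "assign_admin"

# Every admin-panel action names the one permission it requires.
# Actions missing from this table are denied (deny by default).
ACTION_REQUIRES = {
    "quick_add": QUICK_ADD,
    "list_users": LIST_USERS,
    "edit_email": EDIT_USER,
    "edit_display_name": EDIT_USER,
    "edit_real_name": EDIT_USER,
    "assign_admin_class": ASSIGN_ADMIN,
}

# Which User attribute each inline-edit action is allowed to touch.
EDIT_FIELD = {
    "edit_email": "email",
    "edit_display_name": "display_name",
    "edit_real_name": "real_name",
}


@dataclass(frozen=True)
class Admin:
    name: str
    perms: frozenset


@dataclass
class User:
    login: str
    email: str
    created_by: str          # assumption: who quick-added this account
    display_name: str = ""
    real_name: str = ""
    is_admin: bool = False


AUDIT: List[str] = []        # constructed in-memory log of denied requests


def is_authorized(admin: Admin, action: str, target: Optional[User] = None) -> bool:
    """Return True only if admin holds the permission the action requires.

    Extra rule closing the escalation chain from the issue: touching another
    admin's record (e.g. its email, which feeds the password-reset flow)
    needs ASSIGN_ADMIN, not merely EDIT_USER.
    """
    required = ACTION_REQUIRES.get(action)
    allowed = required is not None and required in admin.perms
    if allowed and target is not None and target.is_admin and target.login != admin.name:
        allowed = ASSIGN_ADMIN in admin.perms
    if not allowed:
        who = target.login if target else "-"
        AUDIT.append(f"DENY admin={admin.name} action={action} target={who}")
    return allowed


def visible_users(admin: Admin, users: List[User]) -> List[User]:
    """Full list only with LIST_USERS; otherwise just the users this admin added."""
    if is_authorized(admin, "list_users"):
        return list(users)
    return [u for u in users if u.created_by == admin.name]


def quick_add(admin: Admin, users: List[User], login: str, email: str,
              as_admin: bool = False) -> Optional[User]:
    """Quick Add User; creating an admin additionally requires ASSIGN_ADMIN."""
    if not is_authorized(admin, "quick_add"):
        return None
    if as_admin and not is_authorized(admin, "assign_admin_class"):
        return None
    user = User(login=login, email=email, created_by=admin.name, is_admin=as_admin)
    users.append(user)
    return user


def inline_edit(admin: Admin, target: User, action: str, value: str) -> bool:
    """Inline edit of one field, gated per action and per target."""
    if action not in EDIT_FIELD or not is_authorized(admin, action, target):
        return False
    setattr(target, EDIT_FIELD[action], value)
    return True


def run_demo() -> dict:
    """Replay the report's scenario against the gate and return the outcomes."""
    AUDIT.clear()
    users = [
        User("root_admin", "root@example.invalid", created_by="system", is_admin=True),
        User("alice", "alice@example.invalid", created_by="root_admin"),
    ]
    full = Admin("root_admin", frozenset({QUICK_ADD, LIST_USERS, EDIT_USER, ASSIGN_ADMIN}))
    limited = Admin("tester", frozenset({QUICK_ADD}))     # the "Quick Add User"-only admin
    r = {}
    r["limited_sees"] = [u.login for u in visible_users(limited, users)]
    r["limited_quick_add_ok"] = quick_add(limited, users, "bob", "bob@example.invalid") is not None
    r["limited_sees_after_add"] = [u.login for u in visible_users(limited, users)]
    r["limited_edits_admin_email"] = inline_edit(limited, users[0], "edit_email", "x@example.invalid")
    r["root_email"] = users[0].email
    r["limited_creates_admin"] = quick_add(limited, users, "evil", "e@example.invalid", as_admin=True) is not None
    r["full_edits_alice"] = inline_edit(full, users[1], "edit_display_name", "Alice")
    r["full_sees_count"] = len(visible_users(full, users))
    r["denials"] = len(AUDIT)
    return r


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
    print("\n".join(AUDIT))
```

The point of the design is that the list page, the inline editors and the class assignment are separate decisions, so holding one coarse permission never implies the others; the audit list is what a detection engineer would forward to a SIEM, since a limited admin repeatedly hitting `edit_email` on an admin account is exactly the pattern the report describes.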
