If the parent of the file attachment relationship already exists, then attach the file directly to it in this request instead of going through deferred bindings. Will continue to attach files through deferred binding if the parent relation doesn't exist.
Credit to @alxy
In case a new administrator is created by a non-superuser and no permission is set directly on creation, `permissions` is not initialized correctly. Thus, when the non-superuser tries to acceess `$this->model->permissions` it is not populated with an empty array as expected.
I have actually no clue why it does work for superusers however, as they should certainly experience the same issue, but this is not the case.
This fixes#2613 by reloading the form widgets with the modified data after `model.filterFields`. **NOTE**: `$this->processExistingItems()` isn't simply just moved to `prepareVars()` because that messes up the adding new repeater item functionality by repeating the content from the fields for the last item in that group that already exists on the repeater.
Adds the ability to specify an `ignoreTimezone: true` option on the config for a datepicker form widget or date column type. This will ignore both October's and the backend user's timezone settings to display the date exactly as it is stored.
These are roles defined by a special API code, once a system role code is detected, the role becomes locked and its permissions are sourced from the AuthManager. All permissions are granted to system roles by default, unless otherwise specified. This should make it easier to create client accounts as "Publishers", hiding developer tools like the CMS and Builder plugins by default.
Follow up to 2046efb51d.
The previous commit prevented users from visually managing permissions that they themselves didn't have access to, this follow-up commit enforces that limitation serverside to defend against crafted privilege escalation attacks by authenticated users.
Prevents users from granting permissions that they themselves do not have. Fixes#1673, and is a partial solution to #2367. However, this still does not address the issue of being able to assign / manage groups that have permissions that the user doing the management does not themselves have. That will have to be addressed separately as a part of #2367.
