  1. Magnolia
  2. MAGNOLIA-1265

User Dialog allows to add denied Roles

    • Improvement
    • Resolution: Fixed
    • Major
    • 3.6.2, 3.6.3
    • 3.0.1
    • admininterface, core, security
    • None
    • Magnolia 3 RC4

      I created a User whose role denies him access to certain roles like superuser, editor etc. The goal was to create a limited user manager that can only assign certain roles to new users.

      After setting the required role access to denied, the "Choose" button in the "new user" dialog correctly showed only the allowed roles.
      However, it is still possible to add a new user with the role "superuser" by just typing "/superuser" in the field for the roles. I guess the same also applies to other areas like groups etc.

      This behaviour allows a limited user to bypass the Rights. In my opinion it should be checked on Save whether the user has read access to the Role or not.
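
The save-time check the report asks for, as an added sketch that is not Magnolia's code and is not taken from the fix for this issue. `RoleAccess`, `UserSaveCheck`, `deniedRoles`, `saveUser` and the sample users and roles are hypothetical names and constructed data; the point is that the server re-validates every submitted role path instead of relying on what the "Choose" picker displayed.

```java
import java.util.*;

// Hypothetical stand-in for the repository permission lookup; not Magnolia's API.
interface RoleAccess {
    boolean canRead(String actor, String rolePath);
}

public class UserSaveCheck {
    // Normalise hand-typed input so "superuser", "/superuser/" and "/superuser" compare equal.
    static String normalise(String raw) {
        String p = raw.trim();
        if (!p.startsWith("/")) p = "/" + p;
        while (p.length() > 1 && p.endsWith("/")) p = p.substring(0, p.length() - 1);
        return p;
    }

    // Returns every submitted role the actor cannot read; the save may proceed only if this is empty.
    static List<String> deniedRoles(String actor, Collection<String> submitted, RoleAccess acl) {
        List<String> denied = new ArrayList<>();
        for (String raw : submitted) {
            String path = normalise(raw);
            if (!acl.canRead(actor, path)) denied.add(path); // anything not explicitly readable is denied
        }
        return denied;
    }

    static void saveUser(String actor, String newUser, Collection<String> roles, RoleAccess acl) {
        List<String> denied = deniedRoles(actor, roles, acl);
        if (!denied.isEmpty()) {
            throw new SecurityException(actor + " may not assign " + denied);
        }
        System.out.println("saved " + newUser + " with roles " + roles);
    }

    public static void main(String[] args) {
        // Constructed permissions: the limited user manager can read only these two roles.
        Set<String> readable = new HashSet<>(Arrays.asList("/author", "/reviewer"));
        RoleAccess acl = (actor, path) -> "usermanager".equals(actor) && readable.contains(path);

        saveUser("usermanager", "alice", Arrays.asList("/author"), acl);
        try {
            // The picker would never offer /superuser, but the field accepts typed text.
            saveUser("usermanager", "mallory", Arrays.asList("/author", "/superuser"), acl);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern applies to any other picker-backed field, such as the groups the report mentions.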

              had Jan Haderka
              cgr Claudio Greuter