I'm running version 1.3.8 build number 1164847. If I edit a role of somebody, the options I'm not supposed to be able to grant are disabled by default. But as far as I can tell, there is no server-side verification... so if I just edit the html code on runtime on my client side and erase the "disabled" of the checkbox, I can grant anything to anyone...
Hope this is already fixed in some newer release. Anyway, I'm very disappointed with the quality of this software. Cya.
