User with only client authority to edit roles can still add global authorities to role #5837

Open
pontus-osterdahl opened this issue Nov 14, 2023 · 0 comments
@pontus-osterdahl (Contributor)
Describe the bug
We have "client-power-users" who are able to create and edit users and roles for the client but not globally.
We assign these users the client authorities

  • deleteRole_clientAssignable
  • editRole_clientAssignable
  • addRole_clientAssignable

but not the corresponding global authorities.
However, these users are still able to assign global authorities to roles.
Not sure if this should be classified as a bug, but to me it does not seem to be the desired behaviour.

To Reproduce
Steps to reproduce the behavior:

  1. Create a User with client authority to edit roles.
  2. Log in as this user.
  3. Edit a role.
  4. You are able to add global authorities to the user.

Expected behavior
A user with only the client authority for editing roles should not be able to add global authorities to a role. As a solution a check for the global edit role authority could be added to roleEdit/details.xhtml. If the user only has the client authority, the global authorities should not be shown.

Release
3.5.0

@pontus-osterdahl changed the title from "User without only client authority to edit roles can still add global authorities to role" to "User with only client authority to edit roles can still add global authorities to role" on Nov 22, 2023
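Added example (not part of the issue and not Kitodo's code): a small model of the scope check the report asks for. It assumes that an authority title ends in a scope suffix, `_clientAssignable` as named in the issue or `_globalAssignable` (the global suffix is an assumption here), and that `editRole_clientAssignable` / `editRole_globalAssignable` decide which scope an editor may grant. The same `grantable_scopes` rule drives both the list offered by the edit form (the fix proposed for `roleEdit/details.xhtml`) and a server-side check on save, so that hiding the global entries in the UI is not the only thing standing between a client power user and a global grant.

```python
"""Scope-aware role editing: which authorities may an editor put on a role?

Assumed model, not Kitodo's code: an authority title carries a scope suffix,
"_clientAssignable" (named in the issue) or "_globalAssignable" (assumed).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Iterable


class Scope(Enum):
    CLIENT = "clientAssignable"
    GLOBAL = "globalAssignable"


def scope_of(authority: str) -> Scope:
    """Derive the scope of an authority from its suffix; unknown suffixes are rejected."""
    _, sep, suffix = authority.rpartition("_")
    if not sep:
        raise ValueError(f"authority has no scope suffix: {authority!r}")
    return Scope(suffix)  # ValueError for anything other than the two known suffixes


@dataclass(frozen=True)
class User:
    name: str
    authorities: frozenset[str]

    def has(self, authority: str) -> bool:
        return authority in self.authorities


@dataclass
class Role:
    title: str
    authorities: set[str] = field(default_factory=set)


class AuthorizationError(PermissionError):
    """Raised when an editor tries to grant an authority outside their scope."""


def grantable_scopes(actor: User) -> set[Scope]:
    """Scopes whose authorities the actor may assign to a role (assumed rule)."""
    scopes: set[Scope] = set()
    if actor.has("editRole_clientAssignable"):
        scopes.add(Scope.CLIENT)
    if actor.has("editRole_globalAssignable"):
        scopes.add(Scope.GLOBAL)
    return scopes


def assignable_authorities(actor: User, catalogue: Iterable[str]) -> list[str]:
    """What the role edit form should offer: only authorities in a grantable scope."""
    allowed = grantable_scopes(actor)
    return sorted(a for a in catalogue if scope_of(a) in allowed)


def assign_authorities(actor: User, role: Role, requested: Iterable[str]) -> Role:
    """Server-side enforcement on save: refuse the whole request if any entry is out of scope.

    This must agree with assignable_authorities(); the form filter alone is
    bypassable by anyone who can submit the request directly.
    """
    allowed = grantable_scopes(actor)
    denied = sorted(a for a in requested if scope_of(a) not in allowed)
    if denied:
        raise AuthorizationError(
            f"{actor.name} may not grant {', '.join(denied)} (scopes allowed: "
            f"{sorted(s.value for s in allowed)})"
        )
    role.authorities.update(requested)
    return role


# Constructed sample catalogue: the three client authorities from the issue plus
# their assumed global counterparts.
CATALOGUE = [
    "deleteRole_clientAssignable",
    "editRole_clientAssignable",
    "addRole_clientAssignable",
    "deleteRole_globalAssignable",
    "editRole_globalAssignable",
    "addRole_globalAssignable",
]

# Constructed "client power user" exactly as described in the report.
CLIENT_POWER_USER = User(
    "client-power-user",
    frozenset({
        "deleteRole_clientAssignable",
        "editRole_clientAssignable",
        "addRole_clientAssignable",
    }),
)

if __name__ == "__main__":
    print("offered:", assignable_authorities(CLIENT_POWER_USER, CATALOGUE))
    try:
        assign_authorities(CLIENT_POWER_USER, Role("reviewer"), ["addRole_globalAssignable"])
    except AuthorizationError as err:
        print("rejected:", err)
```

The point of splitting the rule into `grantable_scopes` is that the form (`assignable_authorities`) and the save path (`assign_authorities`) cannot drift apart: whatever the form hides, the server also refuses, and an unrecognised suffix fails closed instead of being treated as client-scoped.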