When editing the permissions for a user, it is currently always possible in the UI to add capabilities.
But if the users doesn't have any access to a certain site, the API request for adding the capability does nothing, but still returns success.
This is somehow unexpected, as the API should throw an exception if adding a capability isn't possible. And also the UI shouldn't show the capability selection in that case.
Throwing an exception can easily be added here:
Hiding the selection box can be achieved by adding something like
v-if="userRole !== 'noaccess'" here:
@tsteur this one should be quite easy to fix. Let me know if I should quickly set up a PR to fix that.
Makes sense, put it in 4.9 as it's quick to do. If super quick feel free to do it in 4.8