fix: [security] privilege escalation via user edit fixed

- org admins could circumvent the role restrictions and elevate themselves to a site admin

- as reported by Dawid Czarnecki from Zigrin Security

src/Controller/UsersController.php

@@ -166,6 +166,12 @@ class UsersController extends AppController
                     }
                     return $data;
                 };
+                $params['beforeSave'] = function ($data) use ($currentUser, $validRoles) {
+                    if (!in_array($data['role_id'], array_keys($validRoles))) {
+                        throw new MethodNotAllowedException(__('You cannot assign the chosen role to a user.'));
+                    }
+                    return $data;
+                };
             }
         }
         $this->CRUD->edit($id, $params);