Ok, maybe I misunderstood how this should be working or maybe there is a bug here. It's not exactly about my post above, kind of find a way to work that out.
So, lets see if I got this right.
The canEdit() in Group.php is supposed to return false if current member don't have admin permissions and is trying to edit a group that has admin permissions, right? That if-statement reads
// either we have an ADMIN
// or a privileged CMS user and a group without ADMIN permissions.
// without this check, a user would be able to add himself to an administrators group
// with just access to the "Security" admin interface
Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin") &&
!DataObject::get("Permission", "GroupID = $this->ID AND Code = 'ADMIN'")
But this could never be true since DataObject::get() always return a DataList, right? So canEdit() on a group will always return false if currentMember don't have ADMIN permissions.
So that part maybe could be rewritten to
Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin") && !Permission::get()->where("GroupID = $this->ID AND Code = 'ADMIN'")->First()
or something alike? Thoughts?