I don’t think we have a security issue here.
If you executed the ‘Reset’ operation – it is a site-wide critical action, which rewrites the site's user roles with WordPress's own initial copy (as it has on installation). ‘ure_reset_roles’ is the special user capability/permission which allows this action. What’s the purpose of granting it to a non-administrator user? Such a user just becomes a permissions superadmin if you grant him such critical permissions as you listed above.
My apologies, I should have been more clear in my original description.
This particular use case involved a client that had limited back end access (WooCommerce Shop Manager) with some additional custom capabilities, including the ability to modify roles (screenshot #2). The capabilities the Shop Manager user themselves did not have access to were hidden using CSS.
The URE option to show the Administrator role was unchecked and functioning as intended. The issue is, however, that if this non-admin Shop Manager user can view Administrator users, they can see the Capabilities action link beneath their username (screenshot #1).
Once they click on that link and arrive at the user-specific roles/capabilities, they are unable to view the Administrator role (per the URE option), which results in defaulting to No Role (screenshot #3). If the “Update” button is clicked in this state, then it effectively removes the Administrator role from their account.
This seemed like a potential flaw or unintended behavior to me, so I figured I’d point it out.
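Editor's note on the report above: hiding capabilities with CSS and unchecking the "show Administrator role" option are cosmetic controls; what actually stops a Shop Manager from stripping an Administrator's role is a server-side capability check. The following is an added example of such a guard as a hypothetical must-use plugin, not code from User Role Editor or the posters. It assumes stock WordPress `map_meta_cap()` behaviour (the target user ID arrives as `$args[0]` for `edit_user`, `delete_user` and `remove_user`) and that the editing screen checks `current_user_can( 'edit_user', $target_id )` for the target, as core's user-edit.php does.

```php
<?php
/**
 * Plugin Name: Example - protect Administrator accounts from non-admin editors
 * Description: Hypothetical mu-plugin (wp-content/mu-plugins/). Denies edit/delete/remove
 *              of any user holding the Administrator role unless the acting user is
 *              an Administrator too, regardless of what the UI shows or hides.
 */

add_filter( 'map_meta_cap', 'example_protect_admin_accounts', 10, 4 );

/**
 * @param string[] $caps    Primitive capabilities required so far.
 * @param string   $cap     Meta capability being checked.
 * @param int      $user_id ID of the user performing the action.
 * @param array    $args    Extra context; $args[0] is the target user ID for per-user caps.
 * @return string[]
 */
function example_protect_admin_accounts( $caps, $cap, $user_id, $args ) {
    // Only these meta capabilities carry a target user ID in $args[0].
    $per_user_caps = array( 'edit_user', 'delete_user', 'remove_user' );
    if ( ! in_array( $cap, $per_user_caps, true ) || empty( $args[0] ) ) {
        return $caps;
    }

    $target = get_userdata( (int) $args[0] );
    if ( ! $target ) {
        return $caps; // Unknown target; let core's own mapping decide.
    }

    $target_is_admin = in_array( 'administrator', (array) $target->roles, true );
    $actor_is_admin  = user_can( $user_id, 'administrator' ); // has_cap() accepts role names.

    // A non-Administrator (e.g. Shop Manager with extra custom caps) may never
    // touch an Administrator account; 'do_not_allow' makes the check fail.
    if ( $target_is_admin && ! $actor_is_admin ) {
        $caps[] = 'do_not_allow';
    }

    return $caps;
}
```

With this in place the Capabilities link may still be rendered for an Administrator user, but any screen that checks `edit_user` against the target ID will refuse the request before a role update is saved.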