I am currently looking at a member area plugin and looking at what I can use and also want to combine with a language plugin and I have run into this while testing ideas.
If I create a member (like a superviser/moderator type person) and want to give them Rights to edit files and edit user permissions (ban people etc)
then they can give themselves any permission they please. They can also remove all there permissions except the user permission one. I would have thought that a person who has user permissions can only give permissions to those rights he has access/permissions to . For example lets say person A has rights to file editing and user permissions, then he can only enable and disable his file editing and user permissions on himself and anybody else (except admin)