Variant Analysis Log - Fri Feb 20 14:56:29 UTC 2026
========================================

--- VARIANT 1: Direct role parameter submission ---
[VULNERABLE] Direct role assignment from form data found
[CONFIRMED] No privilege check found in vulnerable version
[FIXED] Privilege check enforced in create()
[FIXED] Role parameter explicitly overridden in setMultiple()

--- VARIANT 2: UI visibility restrictions ---
[VULNERABLE] No role field visibility restriction
[FIXED] Role field visibility restriction present

--- VARIANT 3: Role permission configuration ---
[VULNERABLE] Editor role lacks explicit create denial
[FIXED] Editor role has explicit create denial

--- VARIANT 4: Profile edit role escalation ---
[PROTECTED] canChangeRoleOf check found in profile edit
[PROTECTED] canChangeRoleOf requires admin

--- VARIANT 5: RegisterController ---
[PROTECTED] RegisterController only works when no users exist