Problem/Motivation
It is not possible to give a user access to administer users without also giving access to all settings and configuration for user accounts. This is because the "Administer Users" permission is too broad: it allows both the administration of user accounts and the management of the user settings.
Proposed resolution
This issue proposes to split this permission into two:
* Administer Users - allowing you to create/edit/delete users
* Administer User Settings - manage the user settings, emails, fields.
Remaining tasks
- Needs an upgrade path and accompanying upgrade path tests (how to: http://drupal.org/node/1429136). It should be as simple as having a user that has the 'administer users' permission in D7, then visiting admin/config/people/accounts after upgrading and asserting that the page can be accessed.
- #1813488: Add descriptions to clarify "administer users" and "administer user settings" permissions
Steps to reproduce:
- Install the latest Drupal 8.x using the standard profile.
- Apply patch.
- Go to admin/people/roles and add new role "Person manager".
- Go to admin/people and add new user with role Person manager. Also create one user for test.
- Go to admin/people and add new user with role Person manager.
- Go to admin/people/permissions and give that role the permission to Administer users (but not Administer user settings).
- Switch to that user and edit a test user account. See that he has access to /admin/people and to edit users.
- Go to admin/config/people/accounts and see that this user gets access denied.
- Give that user the additional Administer user settings permission.
- Log in with the user again and note the differences (it should now be possible to access admin/config/people/accounts and /admin/people).
- Try to change the account settings back and ensure that access changes accordingly.
Pages that the permission will affect:
- admin/people/permissions
- admin/config/people
- admin/people
- admin/config/people/accounts
- do we need more pages?
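The manual steps above can be pinned down as a regression test. The following is an added example, not code from the patch in this issue: it assumes the 8.x-era `Drupal\simpletest\WebTestBase` API, the class name is hypothetical, and the machine name `administer user settings` is taken from this issue's wording rather than from committed code.

```php
<?php

namespace Drupal\user\Tests;

use Drupal\simpletest\WebTestBase;

/**
 * Added example: checks the access split described in this issue.
 */
class UserPermissionSplitTest extends WebTestBase {

  public static function getInfo() {
    return array(
      'name' => 'User permission split',
      'description' => 'Administer users must not grant access to account settings.',
      'group' => 'User',
    );
  }

  function testPermissionSplit() {
    // Assumption: permission machine name as written in this issue.
    $settings_permission = 'administer user settings';
    // Plain account that the "Person manager" will edit.
    $target = $this->drupalCreateUser();

    // "Person manager": may manage accounts, but not account settings.
    $manager = $this->drupalCreateUser(array('administer users'));
    $this->drupalLogin($manager);
    $this->drupalGet('admin/people');
    $this->assertResponse(200);
    $this->drupalGet('user/' . $target->uid . '/edit');
    $this->assertResponse(200);
    // The least-privilege check: settings page must be denied.
    $this->drupalGet('admin/config/people/accounts');
    $this->assertResponse(403);
    $this->drupalLogout();

    // With both permissions, both areas are reachable.
    $admin = $this->drupalCreateUser(array('administer users', $settings_permission));
    $this->drupalLogin($admin);
    $this->drupalGet('admin/people');
    $this->assertResponse(200);
    $this->drupalGet('admin/config/people/accounts');
    $this->assertResponse(200);
  }

}
```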
User interface changes
There are no user interface changes proposed by this issue.
API changes
The "Administer Users" permission will no longer allow access to the manage people section under configuration. You will also need the "Administer User Settings" permission.
Original report by [ceardach]
If you grant a user the "Administer Users" permission, that user can also edit the "User Settings" page. This grants more permissions than I think would be intended for anyone to administer users.
The "Administer Users" permission allows the user to create, delete and block users and change their email and password. In addition to that, it allows all configuration options available on the "User Settings" page, which is configuring the emails sent to users, and enable/disable registration, signatures and user pictures. The two capabilities should be separated.
I do not remember encountering this in Drupal 5. Access to the "User Settings" page may have been tied in to "Administer Site Configuration."
There should be an option to disable the password strength check in the settings for user registration. Right now it can only be disabled by a custom module with a hack messing with the javascript function that checks the password.
Note: You can accomplish most of what's here in 7.x with the User settings access module.