See T12877. The "Can Browse User Directory" permission is misleading, and I believe it could be turned into a somewhat more useful "Can View User Profiles" permission without any gaping issues.
It would be nice to:
- Expose transactions on user profiles now that we're moving more toward a proper, modern transaction model.
- Move more user edits to transactions.
- Move approve/disapprove to distinct transactions instead of overlapping them with "disable".
- Perhaps provide bin/user with actions like enable, disable, etc., and eventually move away from the weird legacy-ish bin/accountadmin.
On this install, it would be nice to have an editable piece of login/registration remarkup. (We previously supported a piece of HTML, but removed it on security grounds; Remarkup is more survivable.)
T6703 is perhaps a stretch, but a meaningful authentication provider issue.
T7667 is not terribly difficult and is nice to have as a hardening measure.