Prevent users that aren't administrators from assigning the administrator role

Topics: Customizing Orchard
Apr 1, 2015 at 3:57 PM
Edited Apr 1, 2015 at 3:57 PM
Currently in Orchard if a user has the ManageUsers permission they can do anything within the users area. We need a little more control than that. We have users that need to be able to manage/create users but the administrator role should not be available in the list of roles to assign a user. We also need to prevent the site owner and any administrators from showing up in the list of users in this scenario.

I created a controller and admin menu with its own permissions based off of the Orchard.Users module, but am unable to remove the option for the Administrator role as the shape is built with the BuildEditor() function. Below is the Create ActionResult:

    public ActionResult Create()
    {
        if (!Services.Authorizer.Authorize(Permissions.ManageBankUsers, T("Not authorized to manage users")))
            return new HttpUnauthorizedResult();

        var user = Services.ContentManager.New<IUser>("User");
        var editor = Shape.EditorTemplate(TemplateName: "Parts/User.Create", Model: new UserCreateViewModel(), Prefix: null);
        editor.Metadata.Position = "2";
        var model = Services.ContentManager.BuildEditor(user);

        return View(model);
    }

The only way I can think of for making this change would be to alter the UserRolesPart itself, but that seems like a poor option. Any ideas would be greatly appreciated. Thanks.
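
A sketch of server-side enforcement for the requirement above, added here as an example; it is not part of the original post and not Orchard's code. The types and names (`User`, `RoleGuard`, `siteOwner`) are hypothetical stand-ins: the role list is filtered for display, and the posted roles are checked again on save, because hiding the option in the editor does not stop a crafted form post.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-in for the CMS's user record (not an Orchard type).
record User(string Name, HashSet<string> Roles);

static class RoleGuard
{
    const string AdminRole = "Administrator";

    // Only the site owner and administrators may see or touch privileged accounts and roles.
    static bool IsPrivileged(User actor, string siteOwner) =>
        actor.Name == siteOwner || actor.Roles.Contains(AdminRole);

    // Roles the actor may hand out; used to build the editor's role list.
    public static IEnumerable<string> AssignableRoles(User actor, string siteOwner, IEnumerable<string> allRoles) =>
        IsPrivileged(actor, siteOwner) ? allRoles : allRoles.Where(r => r != AdminRole);

    // Users the actor may list or edit; hides administrators and the site owner.
    public static IEnumerable<User> VisibleUsers(User actor, string siteOwner, IEnumerable<User> users) =>
        IsPrivileged(actor, siteOwner)
            ? users
            : users.Where(u => u.Name != siteOwner && !u.Roles.Contains(AdminRole));

    // Re-check on save: the submitted role names are untrusted, whatever the form displayed.
    public static void ApplyRoles(User actor, string siteOwner, User target,
                                  IEnumerable<string> allRoles, IEnumerable<string> requested)
    {
        if (!VisibleUsers(actor, siteOwner, new[] { target }).Any())
            throw new UnauthorizedAccessException("Target user is not manageable by this actor.");
        var allowed = AssignableRoles(actor, siteOwner, allRoles).ToHashSet();
        var wanted = requested.ToHashSet();
        if (!wanted.IsSubsetOf(allowed))
            throw new UnauthorizedAccessException("Role not assignable by this actor.");
        target.Roles.Clear();
        target.Roles.UnionWith(wanted);
    }
}

static class Demo
{
    static void Main()
    {
        var roles = new[] { "Administrator", "Editor", "Author" };   // constructed sample data
        var manager = new User("bank-manager", new HashSet<string> { "Editor" });
        var newUser = new User("teller", new HashSet<string>());
        RoleGuard.ApplyRoles(manager, "admin", newUser, roles, new[] { "Author" });
        Console.WriteLine(string.Join(",", newUser.Roles));
        try { RoleGuard.ApplyRoles(manager, "admin", newUser, roles, new[] { "Administrator" }); }
        catch (UnauthorizedAccessException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```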