Comment 2 for bug 2020196

Galen Charlton (gmc) wrote :

Confirmed. Somebody with UPDATE_USER normally cannot edit a user record at all unless they have the relevant application_perm corresponding to the record's profile, but via batch patron update (assuming they have the CONTAINER_BATCH_UPDATE permission) they can get past this restriction in certain contexts:

- barred: if they have BAR_PATRON/UNBAR_PATRON
- active, juvenile, expire_date, net_access_level: all they need is UPDATE_USER
- home_ou: they need UPDATE_USER at both the old and new orgs

However, they _cannot_ change the profile unless they have the corresponding application_perm.

This doesn't appear to support a privilege escalation attack, but could support a denial of service attack against other staff users.
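The gap the comment describes can be made concrete with a small policy model. The code below is an added illustration written for this page, not Evergreen's own code: the names `Actor`, `User`, `check_direct_edit`, `check_batch_update`, the org tree and the profile-to-application_perm mapping are all assumptions, and the only thing it reproduces is the rule set stated above (direct edit needs UPDATE_USER plus the profile's application_perm; batch update checks per field, with the profile change as the one field that still requires the application_perm). The `enforce_profile_perm` flag shows what closing the gap looks like: the batch path reuses the same profile check as the direct path.

```python
"""Model of the permission check discrepancy between direct patron edit
and batch patron update. Added example; not Evergreen code. All names
below are invented for the model."""
from dataclasses import dataclass, field

# Constructed org tree: child -> parent, None at the root.
ORG_PARENT = {"CONS": None, "SYS1": "CONS", "BR1": "SYS1", "BR2": "SYS1"}

# Constructed mapping of profile group -> application_perm needed to touch
# users in that profile (the comment describes such a mapping; the names
# here are made up for the model).
PROFILE_APP_PERM = {
    "Patrons": "group_application.user.patron",
    "Staff": "group_application.user.staff",
}

# Fields the comment says need only UPDATE_USER via batch update.
UPDATE_USER_ONLY_FIELDS = {"active", "juvenile", "expire_date", "net_access_level"}


def org_ancestors(org):
    """Yield org and every ancestor up to the root."""
    while org is not None:
        yield org
        org = ORG_PARENT[org]


@dataclass
class Actor:
    # permission name -> set of orgs at which it is granted; a grant covers
    # that org and all of its descendants.
    perms: dict

    def has(self, perm, at_org):
        held_at = self.perms.get(perm, set())
        return any(o in held_at for o in org_ancestors(at_org))


@dataclass
class User:
    profile: str
    home_ou: str
    fields: dict = field(default_factory=dict)


def check_direct_edit(actor, target):
    """Normal edit path: UPDATE_USER plus the target profile's
    application_perm, both scoped at the target's home_ou."""
    return (actor.has("UPDATE_USER", target.home_ou)
            and actor.has(PROFILE_APP_PERM[target.profile], target.home_ou))


def check_batch_update(actor, target, changes, enforce_profile_perm=False):
    """Batch update path as the comment describes it: a CONTAINER_BATCH_UPDATE
    gate, then per-field checks. With enforce_profile_perm=True the profile
    application_perm required by the direct path is also demanded, which
    removes the discrepancy."""
    if not actor.has("CONTAINER_BATCH_UPDATE", target.home_ou):
        return False
    if enforce_profile_perm and not actor.has(
            PROFILE_APP_PERM[target.profile], target.home_ou):
        return False
    for name, new_value in changes.items():
        if name in UPDATE_USER_ONLY_FIELDS:
            if not actor.has("UPDATE_USER", target.home_ou):
                return False
        elif name == "barred":
            needed = "BAR_PATRON" if new_value else "UNBAR_PATRON"
            if not actor.has(needed, target.home_ou):
                return False
        elif name == "home_ou":
            # UPDATE_USER is needed at both the old and the new org.
            if not (actor.has("UPDATE_USER", target.home_ou)
                    and actor.has("UPDATE_USER", new_value)):
                return False
        elif name == "profile":
            # The one field that still requires the application_perm.
            if not actor.has(PROFILE_APP_PERM[new_value], target.home_ou):
                return False
        else:
            return False  # unknown field: deny by default
    return True


# Constructed scenario: a staff member with broad UPDATE_USER but no staff
# application_perm, acting on another staff user's record.
LIMITED_STAFF = Actor({
    "UPDATE_USER": {"CONS"},
    "CONTAINER_BATCH_UPDATE": {"CONS"},
    "BAR_PATRON": {"CONS"},
    "group_application.user.patron": {"CONS"},
})
OTHER_STAFF = User(profile="Staff", home_ou="BR1")


def demo():
    """Return (direct, batch_as_described, batch_with_fix) for deactivating
    the other staff record."""
    change = {"active": False}
    return (check_direct_edit(LIMITED_STAFF, OTHER_STAFF),
            check_batch_update(LIMITED_STAFF, OTHER_STAFF, change),
            check_batch_update(LIMITED_STAFF, OTHER_STAFF, change,
                               enforce_profile_perm=True))


if __name__ == "__main__":
    print(demo())  # (False, True, False)
```

The `demo` tuple is the whole finding in one line: the direct path refuses, the batch path as described allows the same write, and the batch path with the profile check added refuses again. From a detection standpoint the interesting signal is a `CONTAINER_BATCH_UPDATE` action whose target profile the actor could not edit directly, which the model exposes by comparing `check_direct_edit` against the batch result.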