MINOR create the ability to have some roles only be able to be applied by admins (from r88090)

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@89180 467b73ca-7a2a-4603-9d3b-597d59a354a9

security/Group.php

@@ -101,20 +101,20 @@ class Group extends DataObject {
 			$fields->removeFieldFromTab('Root', 'IP Addresses');
 		}
 
-		if(Permission::check('EDIT_PERMISSIONS') && DataObject::get('PermissionRole')) {
-			$fields->addFieldToTab(_t('SecurityAdmin.ROLES', 'Roles'),
-				new LiteralField(
-					"", 
-					"<p>" . 
-					_t('SecurityAdmin.ROLESDESCRIPTION',
-						"This section allows you to add roles to this group. Roles are logical groupings of permissions, which can be editied in the Roles tab"
-					) . 
-					"</p>"
-				)
+		if(Permission::check('APPLY_ROLES') && DataObject::get('PermissionRole')) { 
+			$fields->addFieldToTab('Root.' . _t('SecurityAdmin.ROLES', 'Roles'), 
+				new LiteralField( 
+					"",  
+					"<p>" .  
+					_t('SecurityAdmin.ROLESDESCRIPTION', 
+						"This section allows you to add roles to this group. Roles are logical groupings of permissions, which can be editied in the Roles tab" 
+					) .  
+					 "</p>" 
+				) 
 			);
-			
-			$fields->addFieldToTab(_t('SecurityAdmin.ROLES', 'Roles'), new CheckboxSetField('Roles', 'Roles', DataObject::get('PermissionRole')));
-		}
+			$roleData = Permission::check('ADMIN') ? DataObject::get('PermissionRole') : DataObject::get('PermissionRole', 'OnlyAdminCanApply = 0');
+			$fields->addFieldToTab('Root.' . _t('SecurityAdmin.ROLES', 'Roles'), new CheckboxSetField('Roles', 'Roles', $roleData)); 
+		} 
 		
 		$memberList->setController($this);
 		$memberList->setPermissions(array('show', 'edit', 'delete', 'export', 'add'));