While this does not seems like a bug, the code in the permission checking system always validates if the user edit it self (so a non admin user can edit his account), but this code is checked globally for all permissions checks.

also, the normalization of controllers names is spread across the app.