If a user only have ACL to create generic object, why can use a template that fill another objects?
The problem is in class_userManagement.inc
Here: 4 Template selected and uid given - Ok, then lets adapt tempalte values.
FD adapt the template, but the template could be a samba object and the user which applied the template could have only permissions to create a generic user.
tab_class have a function called adapt_from_template, but it never do a ACL check.