There's already a spot for ROLE_ADMIN or similar in table user.roles (json-encoded roles array). Not sure how to create a new admin, unless you're already an admin yourself.

Admins should be able to create other admins or users. Maybe change users' passwords.
The 'this user is an admin' checkbox should ONLY appear for admins. Validate this by session, not by post data.

Fixed in 0ce3955