Currently, users who have for example
$wgAddGroups['bureaucrat']['sysop'] = true; $wgRemoveGroups['bureaucrat']['sysop'] = false; //Just to make a point here.
can extend the expiry of a user right, but can not shorten it's duration. The opposite isn't supported. Users who have e.g.
$wgAddGroups['bureaucrat']['sysop'] = false; //see above $wgRemoveGroups['bureaucrat']['sysop'] = true;
can't manipulate the user rights expiry in any way, which means they aren't able to shorten a user rights expiry as one would expect.
This is a child of T156784 because that one introduced the feature/security fix that implements a "You can only extend the duration, not shorten it" rule and the change described here was already discussed there.