mirror of
https://github.com/pelican-dev/panel.git
synced 2026-07-16 04:03:50 +03:00
Users can add permissions they don't have #279
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @TigerGamer134 on GitHub (Mar 17, 2025).
Originally assigned to: @lancepioch, @Boy132 on GitHub.
Current Behavior
Currently, (although this role has update role permissions), anyone with said role can add permissions that they don't have granted from that role if the role includes "update" role permissions.
Example:
An admin has a role called
Managementthat hasview list,view,create, andupdateunder theRolecategory. Anyone with this role can currently grant/remove permissions from ANY role even their own that they don't have.This can cause issues where people with this
Managementrole can add thedeleterole permission to themselves and delete roles from the system.Expected Behavior
I believe that admins should only be able to grant/revoke permissions on roles (assuming they have the "update" permission for roles) that they have already, not all of them.
Steps to Reproduce
updatepermission on theRolecategory and assign it to a user.Panel Version
1.0.0-beta18
Wings Version
1.0.0-beta10
Games and/or Eggs Affected
No response
Docker Image
No response
Error Logs
Is there an existing issue for this?
@lancepioch commented on GitHub (Apr 11, 2025):
This is intentional. Editing Roles should be restricted to (super) Administrators.