Users can add permissions they don't have #279

Closed
opened 2026-02-05 17:22:24 +03:00 by OVERLORD · 1 comment
Owner

Originally created by @TigerGamer134 on GitHub (Mar 17, 2025).

Originally assigned to: @lancepioch, @Boy132 on GitHub.

Current Behavior

Currently, (although this role has update role permissions), anyone with said role can add permissions that they don't have granted from that role if the role includes "update" role permissions.

Example:
An admin has a role called Management that has view list, view, create, and update under the Role category. Anyone with this role can currently grant/remove permissions from ANY role even their own that they don't have.

This can cause issues where people with this Management role can add the delete role permission to themselves and delete roles from the system.

Expected Behavior

I believe that admins should only be able to grant/revoke permissions on roles (assuming they have the "update" permission for roles) that they have already, not all of them.

Steps to Reproduce

  1. Create a role with update permission on the Role category and assign it to a user.
  2. Login to that account and see that you can assign/revoke any permission on the system.

Panel Version

1.0.0-beta18

Wings Version

1.0.0-beta10

Games and/or Eggs Affected

No response

Docker Image

No response

Error Logs


Is there an existing issue for this?

  • I have searched the existing issues before opening this issue.
  • I have provided all relevant details, including the specific game and Docker images I am using if this issue is related to running a server.
  • I have checked in the Discord server and believe this is a bug with the software, and not a configuration issue with my specific system.
Originally created by @TigerGamer134 on GitHub (Mar 17, 2025). Originally assigned to: @lancepioch, @Boy132 on GitHub. ### Current Behavior Currently, (although this role has update role permissions), anyone with said role can add permissions that they don't have granted from that role if the role includes "update" role permissions. Example: An admin has a role called `Management` that has `view list`, `view`, `create`, and `update` under the `Role` category. Anyone with this role can currently grant/remove permissions from **ANY** role even their own that they don't have. This can cause issues where people with this `Management` role can add the `delete` role permission to themselves and delete roles from the system. ### Expected Behavior I believe that admins should only be able to grant/revoke permissions on roles (assuming they have the "update" permission for roles) that they have already, not all of them. ### Steps to Reproduce 1. Create a role with `update` permission on the `Role` category and assign it to a user. 2. Login to that account and see that you can assign/revoke any permission on the system. ### Panel Version 1.0.0-beta18 ### Wings Version 1.0.0-beta10 ### Games and/or Eggs Affected _No response_ ### Docker Image _No response_ ### Error Logs ```bash ``` ### Is there an existing issue for this? - [x] I have searched the existing issues before opening this issue. - [x] I have provided all relevant details, including the specific game and Docker images I am using if this issue is related to running a server. - [x] I have checked in the Discord server and believe this is a bug with the software, and not a configuration issue with my specific system.
Author
Owner

@lancepioch commented on GitHub (Apr 11, 2025):

This is intentional. Editing Roles should be restricted to (super) Administrators.

@lancepioch commented on GitHub (Apr 11, 2025): This is intentional. Editing Roles should be restricted to (super) Administrators.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/panel-pelican-dev#279