starred/pocket-id
1
0
Fork 0
mirror of https://github.com/pocket-id/pocket-id.git synced 2025-12-06 09:13:19 +03:00
Code Issues 121 Packages Projects Releases 16 Wiki Activity

🐛 Bug Report: Clicking on edit app, kicks the user out of the session #75

New Issue
Closed
opened 2025-10-07 00:00:41 +03:00 by OVERLORD · 1 comment
OVERLORD commented 2025-10-07 00:00:41 +03:00
Owner
Copy Link

Originally created by @Metzlmane on GitHub.

Reproduction steps

Hi,

found a small UI inconvenience
i have set everything via the .env and set
ALLOW_OWN_ACCOUNT_EDIT=false
UI_CONFIG_DISABLED=true

if a normal user goes to his apps, the 3 dots appear where they can be edited. If i try that as normal user, I get immediately kicked out of the login session and have to re-login.

Image

Expected behavior

A message should appear like
"not allowed" before kicking the user out of his session
or the 3 dots should not show up, if
ALLOW_OWN_ACCOUNT_EDIT=false
or if not admin

Actual Behavior

"something went wrong"

Image

Version and Environment

1.7.0
# app runs behind a reverse proxy
TRUST_PROXY=true
#base app url
APP_URL=https://bla.com

ENCRYPTION_KEY=*
KEYS_STORAGE=database
DB_PROVIDER=postgres
DB_CONNECTION_STRING=postgres://pocketid:*@pocketidpsql:5432/pocketid

#disable analytics, fucking opt out
ANALYTICS_DISABLED=true

PUID=1000
PGID=1000

MAXMIND_LICENSE_KEY=*

#one week session duration
SESSION_DURATION=10080

ALLOW_OWN_ACCOUNT_EDIT=false
UI_CONFIG_DISABLED=true
ALLOW_USER_SIGNUPS=withToken

EMAIL_LOGIN_NOTIFICATION_ENABLED=true
EMAIL_ONE_TIME_ACCESS_AS_ADMIN_ENABLED=true
EMAIL_API_KEY_EXPIRATION_ENABLED=true

# Email config
SMTP_HOST=
SMTP_PORT=
SMTP_FROM=
SMTP_USER=
SMTP_PASSWORD=
SMTP_TLS=starttls

METRICS_ENABLED=true
OTEL_METRICS_EXPORTER=prometheus

Log Output

level=INFO msg="Error #01: You don't have permission to perform this action" app=pocket-id version=1.7.0 request.time=2025-08-21T04:04:30.329Z request.method=GET request.host=bla.com request.path=/api/oidc/clients/59bd0c74-3a7a-4537-9156-2c57643f3900 request.query="" request.params=map[id:59bd0c74-3a7a-4537-9156-2c57643f3900] request.route=/api/oidc/clients/:id request.ip=x.x.x.xrequest.referer=https://bla.com/settings/apps request.length=0 response.time=2025-08-21T04:04:30.332Z response.latency=2.493773ms response.status=403 response.length=60

Originally created by @Metzlmane on GitHub. ### Reproduction steps Hi, found a small UI inconvenience i have set everything via the .env and set ALLOW_OWN_ACCOUNT_EDIT=false UI_CONFIG_DISABLED=true if a normal user goes to his apps, the 3 dots appear where they can be edited. If i try that as normal user, I get immediately kicked out of the login session and have to re-login. <img width="737" height="345" alt="Image" src="https://github.com/user-attachments/assets/7a6e69d4-5d51-4d4b-982a-8b35e67e0fbf" /> ### Expected behavior A message should appear like "not allowed" before kicking the user out of his session or the 3 dots should not show up, if ALLOW_OWN_ACCOUNT_EDIT=false or if not admin ### Actual Behavior "something went wrong" <img width="420" height="240" alt="Image" src="https://github.com/user-attachments/assets/4af865eb-ad42-4d5b-a50d-02436a4566b9" /> ### Version and Environment ``` 1.7.0 # app runs behind a reverse proxy TRUST_PROXY=true #base app url APP_URL=https://bla.com ENCRYPTION_KEY=* KEYS_STORAGE=database DB_PROVIDER=postgres DB_CONNECTION_STRING=postgres://pocketid:*@pocketidpsql:5432/pocketid #disable analytics, fucking opt out ANALYTICS_DISABLED=true PUID=1000 PGID=1000 MAXMIND_LICENSE_KEY=* #one week session duration SESSION_DURATION=10080 ALLOW_OWN_ACCOUNT_EDIT=false UI_CONFIG_DISABLED=true ALLOW_USER_SIGNUPS=withToken EMAIL_LOGIN_NOTIFICATION_ENABLED=true EMAIL_ONE_TIME_ACCESS_AS_ADMIN_ENABLED=true EMAIL_API_KEY_EXPIRATION_ENABLED=true # Email config SMTP_HOST= SMTP_PORT= SMTP_FROM= SMTP_USER= SMTP_PASSWORD= SMTP_TLS=starttls METRICS_ENABLED=true OTEL_METRICS_EXPORTER=prometheus ``` ### Log Output level=INFO msg="Error #01: You don't have permission to perform this action" app=pocket-id version=1.7.0 request.time=2025-08-21T04:04:30.329Z request.method=GET request.host=bla.com request.path=/api/oidc/clients/59bd0c74-3a7a-4537-9156-2c57643f3900 request.query="" request.params=map[id:59bd0c74-3a7a-4537-9156-2c57643f3900] request.route=/api/oidc/clients/:id request.ip=x.x.x.xrequest.referer=https://bla.com/settings/apps request.length=0 response.time=2025-08-21T04:04:30.332Z response.latency=2.493773ms response.status=403 response.length=60
OVERLORD commented 2025-10-07 00:00:45 +03:00
Author
Owner
Copy Link

@stonith404 commented on GitHub:

This should be fixed with #832 and will be available in the next release. Thanks for reporting :)

@stonith404 commented on GitHub: This should be fixed with #832 and will be available in the next release. Thanks for reporting :)
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
breaking
bug
documentation
feature
needs more upvotes
open to pull requests
pull-request
Mirrored from GitHub Pull Request
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/pocket-id#75
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?