Ctrlpanel-gg / panel

CtrlPanel offers an easy-to-use and free billing solution for all starting and experienced hosting providers that seamlessly integrates with the Pterodactyl panel.
https://ctrlpanel.gg/
GNU Affero General Public License v3.0

[Bug]: admin.user.write.credits seems not in use. (plus other role perm issues) #960

Closed kenshin133 closed 2 weeks ago

kenshin133 commented 6 months ago

What is your request about?

There are some inconsistencies and confusions on some of the role permissions I have tested.

If I add admin.users.write and admin.users.read to a role, that role can update any part of a user including credits. If I add admin.users.write.credits and admin.users.read, I can't edit users at all.

Thus admin.users.write.credits is kind of extra, because I need admin.users.write to edit a user, and don't need the write.credits perm to write credits.


Other known issues: admin.legal.read allows reading AND editing of the legal sites. There is no read/write option for the images/icons section. A normal user seems to be able to change these.


Interesting behavior: settings can be read if the write permissions are set, even if the read perm is not. This makes sense but was not expected.


admin.voucher.write allows you to also create; low priority, but may want creating and editing to be two perms.


admin.products.write exists in the UI, but is not in the permissions table.

Branch

development

Solution idea

For users.write and users.write.credits: I do like the idea of this perm, so I would propose: admin.users.write.credits allows you to TRY to edit a user, but will only succeed if you change ONLY the credits.

Alternatively, a more granular update perm set, so a user can be allowed to update "all" or get specific perms for what fields they are allowed, i.e. a support staff might be allowed to update email, username, or pass, but not credits, limits, etc.

I see that there ARE unique perms for all the things I mentioned, but they suffer from the same issue: I can't use them on their own.

Ctrlpanel Logs

No response


I'm going to add other perm issues below, since they are all closely related.

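The proposal above ("allowed to try the edit, but it only succeeds if only the credits changed") is a field-scoped authorization check. The example below is added here and is not CtrlPanel's code; it is a standalone Python sketch of that idea, and the field set, the `admin.users.write.profile` permission and the permission-to-field mapping are assumptions for illustration (only `admin.users.read`, `admin.users.write` and `admin.users.write.credits` appear in the report). The key detail is that the check diffs the submitted values against the stored user, so a full edit form that resubmits unchanged fields still passes for a credits-only role, while any actual change outside the granted fields is rejected. It also shows the "write implies read" behaviour the report notes for settings.

```python
"""Field-scoped write permissions for a user record (illustrative, not CtrlPanel code)."""

# Assumed editable user fields (constructed for this example).
ALL_FIELDS = frozenset({"email", "username", "password", "credits", "server_limit"})

# Assumed mapping of permission -> fields it may change.
# admin.users.write covers everything; narrower perms cover only the fields they name.
# admin.users.write.profile is hypothetical and not on the page.
FIELD_PERMS = {
    "admin.users.write": ALL_FIELDS,
    "admin.users.write.credits": frozenset({"credits"}),
    "admin.users.write.profile": frozenset({"email", "username", "password"}),
}

WRITE_PERMS = frozenset(FIELD_PERMS)


class PermissionDenied(Exception):
    """Raised when the role may not change one or more of the submitted fields."""


def can_read_users(perms) -> bool:
    """Read access is granted by the read perm or by any write perm (write implies read)."""
    perms = set(perms)
    return "admin.users.read" in perms or bool(perms & WRITE_PERMS)


def allowed_fields(perms) -> frozenset:
    """Union of the fields every held write permission covers."""
    allowed = set()
    for perm in perms:
        allowed |= FIELD_PERMS.get(perm, frozenset())
    return frozenset(allowed)


def changed_fields(current: dict, update: dict) -> set:
    """Fields whose submitted value differs from the stored one.

    Resubmitting unchanged values (as a full edit form does) is not a change,
    so a credits-only role can still post the whole form.
    """
    return {name for name, value in update.items() if current.get(name) != value}


def authorize_update(perms, current: dict, update: dict) -> set:
    """Return the set of fields that actually change, or raise PermissionDenied.

    Unknown field names are rejected outright so a client cannot smuggle in
    attributes the field map does not know about.
    """
    changed = changed_fields(current, update)
    unknown = changed - ALL_FIELDS
    if unknown:
        raise PermissionDenied(f"unknown fields: {sorted(unknown)}")
    denied = changed - allowed_fields(perms)
    if denied:
        raise PermissionDenied(f"no write permission for fields: {sorted(denied)}")
    return changed


def apply_update(perms, current: dict, update: dict) -> dict:
    """Authorize, then return the updated record (the stored record is not mutated)."""
    changed = authorize_update(perms, current, update)
    return {**current, **{name: update[name] for name in changed}}


if __name__ == "__main__":
    # Constructed sample user and a role holding only read + write.credits.
    user = {"email": "a@example.com", "username": "alice", "password": "hash",
            "credits": 100, "server_limit": 2}
    support = {"admin.users.read", "admin.users.write.credits"}

    print(apply_update(support, user, {**user, "credits": 250}))       # succeeds
    try:
        apply_update(support, user, {**user, "credits": 250, "email": "b@example.com"})
    except PermissionDenied as exc:
        print("denied:", exc)                                              # email not allowed
```

With this shape, `admin.users.write.credits` is usable on its own, and adding a finer permission later only requires one more entry in the field map rather than a new controller branch.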

kenshin133 commented 6 months ago

Another one: admin.products.write exists in the UI, but is not in the permissions table. admin.products.disable should exist but is not in the DB or UI.

admin.voucher.write allows you to also create; low priority, but may want creating and editing to be two perms.

kenshin133 commented 6 months ago

I know this is confusing; I'll try to format better later, but I'm working through almost all of these.

admin.legal.read allows reading AND editing of the legal sites. There is no read/write option for the images/icons section. A normal user seems to be able to change these.

Interesting behavior: settings can be read if the write permissions are set, even if the read perm is not. This makes sense but was not expected.

Not sure what Mollie is; I don't see it, but it has settings perms.

S0ly commented 6 months ago

We will look into that if/when we have time :) thanks for the report

kenshin133 commented 6 months ago

I fixed up the main post to contain all the info I found; I'll move on and leave it up to you!

S0ly commented 6 months ago

Is that not similar to #958?

kenshin133 commented 6 months ago

It's similar, and both are lists of mistakes with roles, but this is a specific one with a clear-cut path forward; the others are a bit more vague. If you want it merged in, I can do that, or if it's easier to break specific issues out I can do that also.

1day2die commented 6 months ago

Really good, thanks

1day2die commented 2 weeks ago

Fixed. Amazing work!