CubeCoders / AMP

Issue tracking and documentation for AMP
https://cubecoders.com/AMP

Permissions Issue: File Manager #985

Open Cidvond opened 8 months ago

Cidvond commented 8 months ago

Bug Report

System Information

I confirm:

Symptoms

Reproduction

1) This is a fresh install of AMP
2) I created a template role
3) I deployed an application instance of Palworld
4) Go into the application instance
5) click configuration -> role management -> and clicked create Template Role
6) Clicked on the new template role in the application instance -> File Manager -> assigned the following as green check marks:
    * Browse Files (FileManager.FileManager.BrowseFiles)
    * Download Files (FileManager.FileManager.DownloadFiles)
    * Upload Files (FileManager.FileManager.UploadFiles)
    * Rename Files (FileManager.FileManager.RenameFiles)
    * Copy Files (FileManager.FileManager.CopyFiles)
    * Trash Files (FileManager.FileManager.TrashFiles)
7) I then created a template for Palworld with the following settings:
    * Base Application = Palworld
    * Template Role = The one I just created
    * Start Instance on Boot = Enabled
    * Clone Role Into User = disabled
    * Match datastore tags = disabled
8) apply changes
9) Deploy this Template
    * Deployment Type = Create New User
    * Select Template = Palworld
    * New Username = TheOldMan
    * Password = something random I make
    * Friendly Name = Palworld-ID (ID = numbers that count up starting at 1000)
    * Post creation = Do Nothing
10) Click Deploy Template
11) log in as the user TheOldMan and it shows the file manager on the left right after logging in. If I click on it, the File Manager will show all the files in the ADS including the ADS folder.
12) I have tried to reject (Red X) the following permissions in ADS -> Configuration -> Role Management -> Template Role I created, while keeping the template role permissions how they are to allow the instance application to still have File Manager. This had no change on anything and still allowed the user to have the assigned permissions outside of the Application Instance.
    * File Manager (FileManager.*)

Cidvond commented 8 months ago

AppInstancePermission ADSFilePermissions ADSFileAccess

IceOfWraith commented 8 months ago

Marked this one as a security issue like we discussed. Thanks for posting the bug.

PhonicUK commented 8 months ago

What happens if you explicitly deny access to the file manager at the ADS level?