Permission of alias

[Scrounger]

Describe the bug
changed permission of an alias will be ignored. You have to set the needed permission to the source.

To Reproduce
Steps to reproduce the behavior:

1. create an alias and set the source
2. change permission of the alias e.g. changing owner group
3. try to access the alias e.g. with simple api and an user of the owner group configured. Access is not possible, You will get a warning like this simple-api.0 (1023) Permission error for user "system.user.proxmox" on "sureflap.0.Wir.pets.Mojo.inside": setState

Expected behavior
changing permission of an alias independent from the source.

Versions:

• Adapter version: 6.8.0
• JS-Controller version: 4.0.24
• Node version: 16.x
• Operating system: ubuntu 22.04.

Additional context
Don't know if this is really a bug, but i expected an other behaviour. Also don't know if this is a topic for admin or js-controller

[Diginix]

I'm with you and would expect that only the alias would need the permission and not the source object. But maybe it is per design not possible. At the moment all alias objects that I want to write with simple-api have the needed group and the source object as well. I don't see a security issue if it keeps as it is compared to have the permission only on the alias.

[klein0r]

Sounds like an issue for the js-controller repository (@foxriver76)

[foxriver76]

We would need to discuss, what we want as intended behavior, currently as you already noticed, both objects are checked for permissions.

[Scrounger]

any news on this?

[foxriver76]

No will be topic for next controller

[foxriver76]

We decided that the alias permissions should be the only permissions that matter when interacting with alias states/objects, hence next controller will respect this.

https://github.com/ioBroker/ioBroker.js-controller/pull/2666