panel
panel copied to clipboard
pelican-dev
Schedules can be deleted by users without delete permissions
Current Behavior
A user that does not have Delete permissions for schedules is able to delete existing schedules.
Expected Behavior
A user without Delete permissions for schedules will be unable to delete existing schedules.
Steps to Reproduce
- Create a schedule on a server.
- Invite a user to that server with the following permissions:
- Note that
Deleteis not checked. -
- Log in to the panel with that user.
- Navigate to the server schedules.
- Click
Deleteon a schedule. - Notice that the schedule was deleted.
Note: create and edit actions on the schedules are correctly returning 403 responses.
Panel Version
v1.0.0-beta28
Wings Version
v1.0.0-beta19
Games and/or Eggs Affected
No response
Docker Image
No response
Error Logs
Panel and wings are running in Docker. No error logs to stdout/stderr when deleting the schedule.
Is there an existing issue for this?
- [x] I have searched the existing issues before opening this issue.
- [x] I have provided all relevant details, including the specific game and Docker images I am using if this issue is related to running a server.
- [x] I have checked in the Discord server and believe this is a bug with the software, and not a configuration issue with my specific system.
Upon further testing, I've identified the same problem with backups as well. The user does not have Delete permissions on backups, but can delete existing backups from a server.
This problem may not be isolated to just the schedules page, but for all delete permissions.
