Users with the "Manage Roles" permission should not be able to change the per-channel permissions of other users with the same role or higher
On my server, the Staff members have the "Manage Roles" global permission, which they need to revoke users' ability to post in case someone starts making a stink. However, this also grants them the ability to change the per-channel permissions, which in most cases would also be fine.
The problem is that this allows any Staff member to exclude any other Staff member from channels, just by adding the other user to the per-channel permissions list and subsequently revoking their ability to see that channel. This has even let them kick Admins out of channels, since my Admins do not have the "Administrator" global permission for various reasons.
This could easily lead to abuse and I hope this is something you will address.
-
Bumping this; privilege escalation is definitely not a thing which should be allowed. Manage Channel should give this permission, not Manage Roles, because you can give yourself Manage Channel for that channel with this exploit.
1 -
I agree. I would like to see the permissions be more granular.
0
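The rule requested in the post and first comment above, sketched as an added example that is not part of the original thread and not Discord's implementation: a moderator may edit another member's per-channel overwrite only if the target's top role is strictly lower, and may only touch permissions the moderator already holds. The role model, permission names and `check_overwrite_edit` are hypothetical, and the sample server is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    name: str
    position: int                      # larger number = higher in the hierarchy
    permissions: frozenset = frozenset()

@dataclass(frozen=True)
class Member:
    name: str
    roles: tuple

    @property
    def top_position(self):
        return max((r.position for r in self.roles), default=0)

    @property
    def permissions(self):
        # Simplification (assumption): effective permissions = union of role permissions.
        return frozenset().union(*(r.permissions for r in self.roles))

def check_overwrite_edit(actor, target, changed):
    """Decide whether `actor` may set the per-channel permissions `changed` for `target`."""
    if "manage_roles" not in actor.permissions:
        return False, "actor lacks manage_roles"
    # Same-or-higher targets (including the actor) are off limits.
    if target.top_position >= actor.top_position:
        return False, "target's top role is not below actor's"
    # No granting or denying of permissions the actor does not hold.
    missing = set(changed) - actor.permissions
    if missing:
        return False, "actor does not hold: " + ", ".join(sorted(missing))
    return True, "ok"

# Constructed sample server mirroring the post: Admins outrank Staff but lack "Administrator".
EVERYONE = Role("everyone", 0, frozenset({"view_channel", "send_messages"}))
STAFF = Role("Staff", 1, frozenset({"manage_roles"}))
ADMIN = Role("Admin", 2, frozenset({"manage_roles", "manage_channel"}))

alice = Member("alice", (EVERYONE, STAFF))
bob = Member("bob", (EVERYONE, STAFF))
carol = Member("carol", (EVERYONE, STAFF, ADMIN))
dave = Member("dave", (EVERYONE,))

if __name__ == "__main__":
    for target, changed in [(dave, ["send_messages"]), (bob, ["view_channel"]),
                            (carol, ["view_channel"]), (alice, ["manage_channel"])]:
        print(target.name, changed, check_overwrite_edit(alice, target, changed))
```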