App permissions by default allow to create new apps

I’m submitting a…

  • [ ] Regression (a behavior that stopped working in a new release)
  • [X] Bug report
  • [ ] Performance issue
  • [ ] Documentation issue or request

Current behavior

Currently when creating a new user and providing only a permission to access 1 or 2 apps, it can also create a new app.

Result when logged in (used incoginito):

Expected behavior

Looking at all the roles: https://github.com/Squidex/squidex/blob/master/backend/src/Squidex.Shared/Permissions.cs
I would expect that the user does not have the option to create a new app, since I did not give the squidex.admin.apps.create permission.

Minimal reproduction of the problem

  • Create a user with no permissions or a single app permission.
  • Login as the user
  • See the user can create apps.

Environment

  • [X] Self hosted with docker
  • [ ] Self hosted with IIS
  • [ ] Self hosted with other version
  • [ ] Cloud version
  • [X] Running locally the latest master version

Version: Locally v4.4.0, specific commit: https://github.com/Squidex/squidex/commit/8590103f713d28bdb58390c811fa553d2705c9ac

Browser:

  • [X] Chrome (desktop)
  • [ ] Chrome (Android)
  • [ ] Chrome (iOS)
  • [ ] Firefox
  • [ ] Safari (desktop)
  • [ ] Safari (iOS)
  • [ ] IE
  • [ ] Edge

Others:

This is intended, but there is a setting for that, check the forum please.

Thanks:

Can be closed