App permissions by default allow to create new apps

I’m submitting a…

• [ ] Regression (a behavior that stopped working in a new release)
• [X] Bug report
• [ ] Performance issue
• [ ] Documentation issue or request

Current behavior

Currently when creating a new user and providing only a permission to access 1 or 2 apps, it can also create a new app.

image.png826×1010 35.1 KB

Result when logged in (used incoginito):

image.png2040×1146 166 KB

Expected behavior

Looking at all the roles: https://github.com/Squidex/squidex/blob/master/backend/src/Squidex.Shared/Permissions.cs
I would expect that the user does not have the option to create a new app, since I did not give the squidex.admin.apps.create permission.

Minimal reproduction of the problem

• Create a user with no permissions or a single app permission.
• Login as the user
• See the user can create apps.

Environment

• [X] Self hosted with docker
• [ ] Self hosted with IIS
• [ ] Self hosted with other version
• [ ] Cloud version
• [X] Running locally the latest master version

Version: Locally v4.4.0, specific commit: https://github.com/Squidex/squidex/commit/8590103f713d28bdb58390c811fa553d2705c9ac

Browser:

• [X] Chrome (desktop)
• [ ] Chrome (Android)
• [ ] Chrome (iOS)
• [ ] Firefox
• [ ] Safari (desktop)
• [ ] Safari (iOS)
• [ ] IE
• [ ] Edge

Others:

This is intended, but there is a setting for that, check the forum please.

Thanks:

Can be closed