[Solved] Client Permission Issue

[Alcazar]

According to a question on german TS forum.
To set permissions you normally need (amongst others) a "i_group_modify_power" value >= than "i_group_needed_modify_power" value.
But it seems to be valid only for servergroups, channelgroups and channelpermissions.
So, i. e. if you create a server group "Owner" that has a "i_client_needed_ban_power" value of 100 (so that they cannot be banned except by ServerQuery), a normal ServerAdmin can edit this by setting "i_client_needed_ban_power" in clientpermissions for this user to 75 and therefore ban him.
Even if the user is member of Admin Server Query group, his permissions can be overwritten in client permissions by ServerAdmin (or whoever has permission to do so).
So, is there any other way to prevent users to edit specific users except by removing "b_virtualserver_client_permission_list" permission from them?
Maybe Devs can set it, that "i_group_needed_modify_power" is also checked for client permissions?
Thanks in advance.

[florian_fr40]

Hello,

In the server folder see "permissionsdoc.txt" and specialy skip and negate flag

[borstenwolf]

"i_group_needed_modify_power" only prevents modification of a server group, so client rights may still be changed. By setting "i_client_needed_ban_power" to 100 for a servergroup and activating "skip" further checks will be skipped. This way channel and client rights won't overwrite the rights already set in server group.

[Alcazar]

Setting Skip and/or Negate wont work.
Negate flag means that the lowest value will be set as permission.
Skip is only set to prevent that channelgroups override permissions.

Since Server Groups are the first Tier of permission layers, it is possible that they will be overwritten by a higher tier permission.
Since it is sometimes desirable to prevent Channel Groups (Tier 4) to overwrite permissions that you received through your Server Group
there is the "Skip" flag. If a permission in either Server Group (Tier 1) or Client Specific Permissions (Tier 2) has the skip flag set,
this permission will not be altered by any overlapping permission in the Channel Groups (Tier 4) layer.

[borstenwolf]

if you set the skip flag in server group, that permission cant be overwritten by any of the following groups (including client permissions).

The way a client receives his permissions is determined through a 5 layer system. Each layer can overwrite permissions
from the previous layer. If a permission is not granted on any of these 5 layers, it will be assumed to be of zero or false
value. These are the 5 Layers:

Tier 1: Server Groups
Tier 2: Client Specific Permissions
Tier 3: Channel Specific Permissions
Tier 4: Channel Groups
Tier 5: Channel and Client Specific Permissions

So, if you set i_client_needed_ban_power 100 with skip for the server group "Owner" and also set i_client_needed_ban_power 75 for a specific client a normal server admin wont be able to ban this user in the "Owner" group. I'm not sure if you can override that permission if b_permission_modify_power_ignore is set for server admins.
Also i_group_needed_modify_power of the "Owner" group should be higher than i_group_modify_power of server admin group, otherwise those could just remove "skip" or change the "Owner" group directly.

If I misunderstood your problem, maybe send a pm in german.

[Alcazar]

Dont know where this misbelief comes from.
Skip Flag is only for skipping ChannelGroup Permissions.
Try the following: Set i. e. the skip flag for "i_client_needed_kick_power" on your servergroup.
Go into Client Permissions and set this permission for your user to a lower value, then check in the permission overview if it has been skipped...
The "Owner"-Group (on main server called "Direktorium" on others "Support") is set so, that only the Query Admin Group can edit them (including adding/removing users), so there is no edit for SA or any other servergroup.

[borstenwolf]

ok, you are right. This behaviour is not supposed to be like that ?? Probably a bug. Permissions set in "client rights" and "channel client rights" will overwrite permissions set in "server group" regardless of the skip flag. So permissions are NOT strictly checked from tier 1 to tier 5 right now.

[Alcazar]

Since the new release this is solved.
dante, please mark it as "Solved" and close it.
Thanks.