
API Authorization issues with admin users #1608

@sorbanbela


Background (please complete the following information):

  • Panel or Daemon: Panel issue
  • Version of Panel/Daemon: latest stable, 0.7.13
  • Server's OS: Ubuntu 18 LTS
  • Your Computer's OS & Browser: Windows10 with Chrome

Describe the bug
Panel: php version: PHP 7.2.12-1+ubuntu16.04.1+deb.sury.org+1 (cli) (built: Nov 12 2018 09:55:12)

To Reproduce
Steps to reproduce the behavior:

  1. As a panel admin user, go to the client panel, navigate to /account/api (API keys page) and create an API key.
  2. Go to the main page and check the list of servers you have access to with the "ADMIN" role.
  3. Execute an API request (for example with Postman) to the {panel_main_uri}/api/client endpoint with a Bearer {apikey} header for proper authentication.

You'll receive the servers you have created, but not the servers you have admin access to.

NOW go to any server you want (one that the API response does not contain) and give yourself full subuser permissions using the /server/{server_id}/users/new endpoint, then save.

Check the API request again, and ta-daa: you see the server you have subuser access to, but not the server which you already had access to with the panel administrator role.

Expected behavior
I expected to have permission to all the servers I have permission to when using the API, just because the subuser role gives permission.

Possible solutions

  • Add an API section to the subuser page to give API roles to a specific user (I don't think it would be good)
  • Fix the issue so that, as panel administrator, the permission is not checked, because it would help owners execute bulk commands on their hosted servers without limitations (just because they CAN access them with the client panel)
  • **Add an API query parameter which skips the permission filters and returns all servers, in the same way as they are accessible from the client-side panel as a ptero administrator.**

I think that the last option would be the easiest and best solution, but it is not my job to decide.
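To make the gap described in the reproduction steps concrete, the following is an added, hypothetical model of the access decision (not Pterodactyl's code): the panel grants access via owner, subuser or root-admin paths, while the modelled client listing only honours the first two unless the caller explicitly opts in, which is how the third proposed option (an opt-in query parameter) would behave. All names, IDs and identifiers are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    root_admin: bool = False


@dataclass
class Server:
    identifier: str
    owner_id: int
    subuser_ids: set = field(default_factory=set)


def panel_access(user, server):
    """Access rule the client panel applies: owner, subuser, or root admin."""
    return user.root_admin or server.owner_id == user.id or user.id in server.subuser_ids


def client_api_servers(user, servers, include_admin=False):
    """Model of the /api/client listing (hypothetical): owner and subuser
    servers only, unless the caller explicitly opts into admin visibility,
    which stands in for the proposed query parameter."""
    visible = []
    for s in servers:
        if s.owner_id == user.id or user.id in s.subuser_ids:
            visible.append(s.identifier)
        elif include_admin and user.root_admin:
            visible.append(s.identifier)
    return visible


def api_panel_gap(user, servers):
    """Servers the panel grants that the default API listing omits.
    A non-empty result is the inconsistency the report describes."""
    api = set(client_api_servers(user, servers))
    return sorted(s.identifier for s in servers
                  if panel_access(user, s) and s.identifier not in api)


# Constructed sample data: ADMIN owns "own1", is a subuser on "sub1",
# and reaches "other" only through the root-admin role.
ADMIN = User(id=1, root_admin=True)
SERVERS = [
    Server("own1", owner_id=1),
    Server("sub1", owner_id=2, subuser_ids={1}),
    Server("other", owner_id=3),
]

if __name__ == "__main__":
    print("default listing:", client_api_servers(ADMIN, SERVERS))
    print("missing vs. panel:", api_panel_gap(ADMIN, SERVERS))
    print("with opt-in:", client_api_servers(ADMIN, SERVERS, include_admin=True))
```

The opt-in flag has no effect for a non-admin user, so the parameter widens visibility only for callers the panel already treats as administrators.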
