fix(core): restrict master actions page to the master account only

Previously, admins with all_permissions used to be able to.
The same also applies to setup and deployer pages, but that's not much
of a problem.

core/components/WebServer/ctxUtils.js

@@ -171,6 +171,9 @@ function logAction(ctx, action) {
 function hasPermission(ctx, perm) {
     try {
         const sess = ctx.nuiSession ?? ctx.session;
+        if (perm === 'master') {
+            return sess.auth.master === true;
+        }
         return (
             sess.auth.master === true
             || sess.auth.permissions.includes('all_permissions')

docs/dev_notes.md

@@ -2,8 +2,8 @@
 - [ ] downgrade discord.js to v14.7.1
 - [ ] improve timeout handling of discord bot save
 - [ ] improve the bot with dangerous permissions message
-- [ ] xxxxx
-- [ ] xxxxx
+- [ ] update libs
+- [ ] merge PRs
 - [ ] disable whitelist page when server is not on license whitelist mode
 
 > next up