From c21a7147b78530d174a418524d2fc7626b91f9c9 Mon Sep 17 00:00:00 2001
From: tabarra
Date: Fri, 9 Jun 2023 20:17:35 -0300
Subject: [PATCH] fix(core): restrict master actions page to the master account only

Previously, admins with all_permissions used to be able to. The same also applies to setup and deployer pages, but that's not much of a problem.
---
 core/components/WebServer/ctxUtils.js | 3 +++
 docs/dev_notes.md | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/core/components/WebServer/ctxUtils.js b/core/components/WebServer/ctxUtils.js
index e1e62ba74..ba44c00a3 100644
--- a/core/components/WebServer/ctxUtils.js
+++ b/core/components/WebServer/ctxUtils.js
@@ -171,6 +171,9 @@ function logAction(ctx, action) {
 function hasPermission(ctx, perm) {
 try {
 const sess = ctx.nuiSession ?? ctx.session;
+ if (perm === 'master') {
+ return sess.auth.master === true;
+ }
 return (
 sess.auth.master === true
 || sess.auth.permissions.includes('all_permissions')
diff --git a/docs/dev_notes.md b/docs/dev_notes.md
index bbd0084c1..98470beb2 100644
--- a/docs/dev_notes.md
+++ b/docs/dev_notes.md
@@ -2,8 +2,8 @@
 - [ ] downgrade discord.js to v14.7.1
 - [ ] improve timeout handling of discord bot save
 - [ ] improve the bot with dangerous permissions message
-- [ ] xxxxx
-- [ ] xxxxx
+- [ ] update libs
+- [ ] merge PRs
 - [ ] disable whitelist page when server is not on license whitelist mode

 > next up
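Review bot: The new `perm === 'master'` branch in `hasPermission` makes master-only access depend on callers passing that exact string, and nothing in the hunk documents it; any other value (a typo, a different case) falls through to the general return below, where `all_permissions` still grants access. I would add a comment above the branch such as `// 'master' is the account role, not a grantable permission: all_permissions must never satisfy it`, and a regression test asserting that a session with `all_permissions` and `master !== true` gets `false` for `'master'`. It is also worth confirming that the setup and deployer routes named in the commit message reach this check through `hasPermission(ctx, 'master')` and do not test `all_permissions` on their own; the hunk does not show them. The function body continues past the hunk (the rest of the return expression and the `catch`), so how a session without `auth` is handled is not visible here.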