Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Application API - Not showing API keys created by other admins #5175

Open
3 tasks done
JustinPooters opened this issue Jul 31, 2024 · 3 comments
Open
3 tasks done

Application API - Not showing API keys created by other admins #5175

JustinPooters opened this issue Jul 31, 2024 · 3 comments
Labels
not confirmed Report seems plausible but requires additional testing or 3rd part confirmation.

Comments

@JustinPooters
Copy link

Current Behavior

When I create an Application API key from the Admin dashboard, other admin's can't see the keys I made (and I can't see theirs). I've also confirmed this on another server. Same issue.

Expected Behavior

I'd expect on the application api page every admin sees all API keys.

Steps to Reproduce

Create an Application API key.
Login with another user
It's not there.

Panel Version

1.11.7

Wings Version

1.11.13

Games and/or Eggs Affected

None

Docker Image

None

Error Logs

Not relevant.

Is there an existing issue for this?

  • I have searched the existing issues before opening this issue.
  • I have provided all relevant details, including the specific game and Docker images I am using if this issue is related to running a server.
  • I have checked in the Discord server and believe this is a bug with the software, and not a configuration issue with my specific system.
@JustinPooters JustinPooters added the not confirmed Report seems plausible but requires additional testing or 3rd part confirmation. label Jul 31, 2024
@MackenzieMolloy
Copy link

I believe this is intentional however I agree that all Application API keys should be visible to all Admins since it does pose the potential for malicious users to generate keys without other panel admins noticing.

In the meantime, you can view the api_keys table to see all API Keys - this table does also include normal User API Keys.

@JustinPooters
Copy link
Author

That was exactly my worry. We use Pterodactyl for our game servers. If we dismiss someone who had admin rights and they still have an active API key, it could be exploited for malicious purposes.

@MackenzieMolloy
Copy link

MackenzieMolloy commented Jul 31, 2024

I'll make a PR later today to adjust this behaviour for you.

I'm not sure if the Pterodactyl team will merge it as, like I said, I think the current functionality is intentional.

If you don't know how to build the source files, feel free to reach out to me on Discord ('wackenzie' is my tag).

Happy to help.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
not confirmed Report seems plausible but requires additional testing or 3rd part confirmation.
Projects
None yet
Development

No branches or pull requests

2 participants