Description
I analyzed the current logic using Claude Code several times, then tested some of it myself, and can now tell the following.
There are user-level limits and token-level limits.
When an administrator creates a user, they create the user's primary API token, which defines the user group, supplier, turnover and, IMPORTANT, the daily spending limit.
These are called user-level limits. They can't be changed by the user, only by the administrator.
Now let's move on to token limits. When a user logs in, they CAN create other tokens, which WILL be subject to user-level limits. And that's perfectly fine.
But at the same time, the user can edit each of their tokens and, mind you, can independently change or set limits on each of them as they wish: limit5hUsd, limitWeeklyUsd, limitMonthlyUsd, limitConcurrentSessions.
That is, say the admin creates one user token with a limit of $100 per day (user-level limit) and $100 per month (token-level limit):
- The user can create 10 keys, each with a limit of $200/month
- Total: $2000/month instead of the expected $100
- user.dailyQuota only limits daily spending, NOT monthly!
Or they can just edit their token and set a $3000/month spending limit.
In other words, token-level limits are not constrained in any way, and the user can spend ANY budget; they are only limited by the account's daily limit, if one is set.
This is illogical, in my opinion.
Or, for example, the administrator does not want to set a daily limit but does want a monthly or weekly limit. But the user can change their token settings and set any monthly budget.
The same problem applies to the token expiration date. It is controlled by the user and can be changed, for both their primary token and the other tokens they have created. They can clear the date and make the token never expire, even though the administrator wouldn't want this.
In other words, the token level includes limits that logically should be at the user level and apply to the entire account, and the user shouldn't be able to edit them.
Or the limits of other tokens should be inherited from the limits of the main (user) token, and the user should not be able to change the limits of their main token.
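To make the proposed fix concrete, here is an added illustration of the second option (token limits inherited from and capped by the user level, with spend summed across all of a user's tokens). This is example code written for this issue, not code from the project. The field names limit5hUsd, limitWeeklyUsd, limitMonthlyUsd, limitConcurrentSessions and user.dailyQuota come from the text above; user.weeklyQuota, user.monthlyQuota, user.maxConcurrentSessions, user.expiresAt and the record shapes are assumptions made for the illustration.

```javascript
// Added example (not project code): user-level caps that token-level limits
// cannot exceed, plus an account-wide spend check across all of a user's tokens.
// Assumed fields: user.weeklyQuota, user.monthlyQuota, user.maxConcurrentSessions,
// user.expiresAt. Fields from the issue: limit5hUsd, limitWeeklyUsd,
// limitMonthlyUsd, limitConcurrentSessions, user.dailyQuota.

const MS = { day: 24 * 3600e3 };

// Token-level field -> user-level quota that must cap it.
const CAPS = {
  limit5hUsd: "dailyQuota",            // a 5h window can never exceed the daily quota
  limitWeeklyUsd: "weeklyQuota",
  limitMonthlyUsd: "monthlyQuota",
  limitConcurrentSessions: "maxConcurrentSessions",
};

// Smaller of a requested value and a cap. When a cap exists, a missing or null
// request falls back to the cap, never to "unlimited".
function clampToCap(requested, cap) {
  if (cap == null) return requested ?? null;
  if (requested == null || requested > cap) return cap;
  return requested;
}

// Apply a user-submitted patch to one token. Every limit is clamped to the
// user's cap; expiry may be shortened but never cleared or pushed past the
// admin-set user expiry.
function applyTokenPatch(user, token, patch) {
  const next = { ...token };
  for (const [field, quota] of Object.entries(CAPS)) {
    if (field in patch) next[field] = clampToCap(patch[field], user[quota]);
  }
  if ("expiresAt" in patch) next.expiresAt = clampToCap(patch.expiresAt, user.expiresAt);
  return next;
}

// Decide whether `tokenId` may spend `usd` at time `now`. Spend is summed over
// ALL of the user's tokens per user-level window, so per-token limits cannot
// add up past the account quota. spend: [{ tokenId, usd, at }].
function checkSpend(user, tokens, spend, tokenId, usd, now) {
  const windows = [
    ["dailyQuota", MS.day],
    ["weeklyQuota", 7 * MS.day],
    ["monthlyQuota", 30 * MS.day],
  ];
  const ids = new Set(tokens.map((t) => t.id));
  const usedIn = (ms, match) =>
    spend.filter((r) => match(r) && now - r.at < ms).reduce((sum, r) => sum + r.usd, 0);

  for (const [quota, ms] of windows) {
    const cap = user[quota];
    if (cap != null && usedIn(ms, (r) => ids.has(r.tokenId)) + usd > cap) {
      return { allowed: false, reason: `user ${quota} (${cap}) exceeded` };
    }
  }
  // The token's own monthly limit (already clamped to the user cap) applies on top.
  const token = tokens.find((t) => t.id === tokenId);
  if (token?.limitMonthlyUsd != null &&
      usedIn(30 * MS.day, (r) => r.tokenId === tokenId) + usd > token.limitMonthlyUsd) {
    return { allowed: false, reason: "token limitMonthlyUsd exceeded" };
  }
  return { allowed: true };
}

// The scenario from the issue: $100/month at the user level, ten tokens each
// edited by the user to $200/month with the expiry cleared.
function scenarioFromIssue() {
  const now = 1_700_000_000_000; // constructed fixed timestamp (ms)
  const user = { id: "u1", dailyQuota: 100, monthlyQuota: 100, expiresAt: now + 30 * MS.day };
  const tokens = [];
  for (let i = 0; i < 10; i++) {
    const created = { id: `t${i}`, limitMonthlyUsd: null, expiresAt: user.expiresAt };
    tokens.push(applyTokenPatch(user, created, { limitMonthlyUsd: 200, expiresAt: null }));
  }
  // Constructed spend: $10 on each token over the last ten days = $100 account-wide.
  const spend = tokens.map((t, i) => ({ tokenId: t.id, usd: 10, at: now - (i + 1) * MS.day }));
  return {
    clampedMonthly: tokens.map((t) => t.limitMonthlyUsd), // every token capped at 100
    expiriesKept: tokens.every((t) => t.expiresAt === user.expiresAt),
    nextSpend: checkSpend(user, tokens, spend, "t9", 1, now), // denied: account at $100
  };
}
```

With this shape the user can still lower a limit or shorten an expiry on their own tokens, but every edit is bounded by what the administrator set on the user, and the spend check looks at the account total rather than one token at a time.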