$amp_default_role appears to override $amp_role_assignment

[oskapt]

I've spent several hours with this, and it's possible I'm misunderstanding something.

I run YOURLS as a container under Kubernetes, with configuration handled via env vars or Secrets stored as JSON and then parsed with json_decode in config.php. That all works fine, but it's the reason I'm including JSON here.

I have this:

{
    "administrator": [
        "oskapt",
    ],
    "editor": [
        "weasel"
    ],
    "contributor": [
    ]
}

I also have $amp_default_role set to Contributor.

The "oskapt" user is correctly assigned as an administrator. The "weasel" user is assigned as an Editor. All is good.

If I switch it to this:

{
   "administrator": [
       "oskapt",
   ],
   "editor": [
   ],
   "contributor": [
       "weasel"
   ]
}

and set $amp_default_role to Editor then the "weasel" user can see entries made by other people as an Editor.

If I remove support for $amp_default_role entirely, then "weasel" is correctly assigned the Contributor or Editor role according to roles.json.

It looks a lot like $amp_default_role is not being limited to non-configured users but is instead acting as a floor, beneath which all users receive elevated privileges.

[joshp23]

the issue would be in this logic

YOURLS-AuthMgrPlus/authMgrPlus/plugin.php

Lines 290 to 295 in 475417f

	if( !$return ) {
	if ( isset( $amp_default_role ) && in_array ($amp_default_role, array_keys( $amp_role_capabilities ) ) ) {
	$default_caps = $amp_role_capabilities [ $amp_default_role ];
	$return = in_array( $capability, $default_caps );
	}
	}

and reading it over, it is clearly in error. I would just comment this section out for now unless you are capable of fixing the error.

[joshp23]

latest commit should fix this