[Bug] Casdoor的注册用户可以删除其他用户

[AreChen]

📦 部署环境

Docker

📌 软件版本

1.35.13

💻 系统环境

Ubuntu

🌐 浏览器

Chrome, Edge

🐛 问题描述

通过使用Casdoor作为用户管理的 服务器部署,经过使用发现,注册后的用户可以登录casdoor后台对各种设置进行操作,甚至删除用户,有没有办法可以进行权限配置阻止这样的行为呢?

📷 复现步骤

1.通过Casdoor注册一个账户
2.登录Casdoor后台UI页面
3.进入用户管理-用户
4.可以看到除了自身账户和管理员账户无法删除其他账户都可以进行修改和删除

🚦 期望结果

因为是第一次使用Casdoor
所以想问一下有没有可能对用户权限行为做约束?
或者限制除管理员其他用户访问管理后台

📝 补充信息

No response

[lobehubbot]

👀 @AreChen

Thank you for raising an issue. We will investigate into the matter and get back to you as soon as possible.
Please make sure you have given us as much context as possible.
非常感谢您提交 issue。我们会尽快调查此事，并尽快回复您。 请确保您已经提供了尽可能多的背景信息。

[lobehubbot]

Bot detected the issue body's language is not English, translate it automatically. 👯👭🏻🧑‍🤝‍🧑👫🧑🏿‍🤝‍🧑🏻👩🏾‍🤝‍👨🏿👬🏿

---

📦 Deployment environment

Docker

📌 Software version

1.35.13

💻 System environment

Ubuntu

🌐 Browser

Chrome, Edge

🐛 Problem description

By using Casdoor as a user-managed server deployment, we found that registered users can log in to the Casdoor backend to operate various settings or even delete users. Is there a way to configure permissions to prevent such behavior?

📷 Steps to reproduce

1. Register an account through Casdoor
2. Log in to the Casdoor backend UI page
3. Enter user management-user
4. You can see that except for your own account and the administrator account, other accounts can be modified and deleted.
   

🚦 Expected results

Because this is my first time using Casdoor
So I would like to ask if it is possible to restrict user permission behavior?
Or restrict other users except administrators from accessing the management backend.

📝 Supplementary information

No response

[dosubot[bot]]

@AreChen 你好！我是Dosu，一个可以帮助你解决bug、回答问题，甚至成为贡献者的机器人。我会在等待人类维护者的过程中帮助你。期待和你一起解决问题！🤖

To restrict user permissions in Casdoor and prevent registered users from deleting other users, you can configure user roles and permissions. In the docker-compose/local/init_data.json file, you can define permissions for different user roles. This file contains a "permissions" section where you can specify which actions users are allowed to perform on certain resources.

For example, you can set permissions to allow only administrators to perform actions like deleting users. Here's a basic structure of how permissions are defined:

"permissions": [
    {
      "owner": "built-in",
      "name": "permission-built-in",
      "users": ["admin/*"],  // Only admin users
      "actions": ["Read", "Write", "Admin"],  // Define allowed actions
      "effect": "Allow",
      "isEnabled": true
    }
  ]

Make sure to adjust the "users" and "actions" fields to fit your needs, ensuring that only the appropriate roles have the necessary permissions to manage users ^[1].

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Other}

[arvinxx]

这个不属于 LobeChat 的问题哈，建议去 casdoor 社区咨询下

[hsluoyz]

@AreChen see docs: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself , if you are a Casdoor org admin, you can delete org users. A normal user in the org cannot delete user.