MinePanel v1.3.0 — User Permissions Update
This update introduces a complete fixed role-based permission system for MinePanel.

MinePanel can now be used more safely by server teams with different staff permission levels.

New Role-Based Permission System
Added 4 fixed roles:

• Owner
  
• Admin
  
• Moderator
  
• Viewer

Each role has different access permissions across the panel.

Permission Roles
Owner
Full access to everything.

Owner can:

• View dashboard
  
• View and execute console commands
  
• View and manage players
  
• Kick and ban players
  
• Manage whitelist
  
• Manage bans
  
• Use weather and time controls
  
• Save, reload, and stop the server
  
• View and manage users

Admin
Administrative server access without user or server control access.

Admin can:

• View dashboard
  
• View and execute console commands
  
• View and manage players
  
• Kick and ban players
  
• Manage whitelist
  
• Manage bans
  
• Use weather and time controls

Admin cannot:

• Manage users
  
• Reload or stop the server

Moderator
Basic moderation access.

Moderator can:

• View dashboard
  
• View console
  
• View player list
  
• Kick players

Moderator cannot:

• Execute console commands
  
• Ban players
  
• Manage whitelist
  
• Use player admin actions
  
• Manage users
  
• Reload or stop the server

Viewer
Read-only access.

Viewer can:

• View dashboard
  
• View players

Viewer cannot perform any server actions.

3-Layer Permission Protection
MinePanel now protects restricted actions in 3 layers.

Layer 1 — Sidebar Protection
Navigation items are hidden if the user does not have permission.

Layer 2 — Page Access Protection
If a user tries to open a restricted page, MinePanel blocks access and displays:

You are not able to see this

Layer 3 — Backend API Protection
All protected API endpoints now check permissions on the server side.

Direct API calls using tools such as curl or Postman will return:

Frontend Permission Behavior
The interface now automatically hides unavailable actions.

Examples:

• Users without player.kick will not see the Kick button
  
• Users without server.reload will not see Reload controls
  
• Users without users.* will not see User Management
  
• Users without console access cannot open the Console page
  
• Restricted player actions are hidden automatically

This makes the panel cleaner and safer for staff members.

Default Account Change
The default account has been changed.

Before:

Now:

The default account is created with:

Users are still required to change the default password after first login.

User Management Security Rules
Added several protections to prevent account lockout or privilege mistakes.

Security rules:

• Owner account cannot be deleted
  
• Owner cannot change its own role
  
• Owner account cannot be created from the UI
  
• Only Owner can manage users
  
• Admin, Moderator, and Viewer cannot manage users

Permission Matrix

Code (Text):

| Feature | Owner | Admin | Moderator | Viewer |
|----------|------|------|------------|--------|
| Dashboard | ✅ | ✅ | ✅ | ✅ |
| Players List | ✅ | ✅ | ✅ | ✅ |
| Console View | ✅ | ✅ | ✅ | ❌ |
| Console Commands | ✅ | ✅ | ❌ | ❌ |
| Bans List | ✅ | ✅ | ❌ | ❌ |
| Whitelist View | ✅ | ✅ | ❌ | ❌ |
| Whitelist Add/Remove | ✅ | ✅ | ❌ | ❌ |
| Weather / Time Controls | ✅ | ✅ | ❌ | ❌ |
| Kick Player | ✅ | ✅ | ✅ | ❌ |
| Ban / Heal / Feed / Kill / Gamemode / TP | ✅ | ✅ | ❌ | ❌ |
| Save Server | ✅ | ❌ | ❌ | ❌ |
| Reload Server | ✅ | ❌ | ❌ | ❌ |
| Stop Server | ✅ | ❌ | ❌ | ❌ |
| User Management | ✅ | ❌ | ❌ | ❌ |
 

Internal Improvements

• Added centralized permissions map
  
• Added backend hasPermission() checks
  
• Added frontend permission-based UI rendering
  
• Added 403 handling for unauthorized API requests
  
• Updated user account structure to support roles
  
• Updated default user creation flow

Notes
This update uses fixed roles only.

Custom role creation is not included in this version. This keeps the permission system simple, stable, and easy to maintain.

Custom roles may be considered in a future version based on community feedback.

Thank you to the community for the feedback that helped shape this update.