I’m encountering an issue with project permissions in Kanboard and would appreciate your insights.
In my project, I have several groups with different permission levels assigned. However, when a user is a member of more than one group, Kanboard seems to apply the lowest permission level from those groups to that user. For example, if Group A has “Manager” permissions and Group B has “Viewer” permissions, a user in both groups ends up with only “Viewer” access.
This behavior feels counterintuitive, as I would expect the user to receive the highest permission level from any of their groups. I have double-checked my configuration and tested this with a clean setup, and the result is consistent.
Is this the intended behavior in Kanboard, or could it be a bug or misconfiguration? If it is by design, are there recommended best practices or workarounds to manage permissions effectively when users belong to multiple groups?
Update: I need to clarify my previous post after further investigation.
The issue I described above actually occurs specifically when using custom roles, not with the standard permission types (Manager, Member, Viewer). The standard permission levels work correctly and do grant the highest permission level when a user belongs to multiple groups.
However, when I create and assign custom roles to groups, these custom roles seem to overwrite all other permissions, even among themselves. When a user is a member of multiple groups that have different custom roles assigned, instead of receiving the most permissive access, the user ends up with the most restrictive permissions from all the custom roles combined.
For example:
Group A has Custom Role 1 (with specific permissions set)
Group B has Custom Role 2 (with different permissions)
A user in both groups gets the restrictions from both roles rather than the combined permissions
This suggests the custom role system may be handling permission inheritance differently than the standard role system. Has anyone else experienced this behavior with custom roles specifically? Any insights on how custom role permissions are meant to be resolved when users have multiple group memberships would be greatly appreciated.
I’m in the same predicament. Have you found a solution or workaround?
So far it’s only a problem if the user is part of groups only. If a specific user is added individually as an allowed user, then the most permissible setting kicks in.
Yes, I was able to find a solution to the problem and it’s working well in Kanboard v1.2.44, though I haven’t tested it in more recent versions.
The issue was in how the getHighestRole() function was calculating role hierarchy. I modified app/Core/Security/AccessMap.php to use an explicit priority system instead of the role hierarchy count method.
I added a priority mapping array with values for each role (standard and custom), then created a helper method getRolePriority() to retrieve them. Finally, I replaced the getHighestRole() function to iterate through roles and select whichever has the highest priority value.
After this change, users in multiple groups now correctly receive the most permissive role instead of the most restrictive one.
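An added example, not part of the post above and not Kanboard's own code: a standalone sketch of explicit-priority role resolution as the fix describes it. The class name, role identifiers and priority numbers are assumptions made for illustration; only the method names getRolePriority() and getHighestRole() come from the thread.

```php
<?php
declare(strict_types=1);

// Standalone sketch (PHP 7.4+): not Kanboard's AccessMap and not the poster's patch.
// Role identifiers and priority numbers used here are constructed for illustration.
final class RolePriorityResolver
{
    /** @var array<string,int> Higher number = more permissive role. */
    private array $priorities;

    public function __construct(array $priorities)
    {
        $this->priorities = $priorities;
    }

    // A role missing from the map gets -1, so an unmapped custom role
    // can never outrank a mapped one (fail closed).
    public function getRolePriority(string $role): int
    {
        return $this->priorities[$role] ?? -1;
    }

    // Return the role with the highest explicit priority, or null for an empty list.
    // On a tie the first role seen is kept, so the result is deterministic.
    public function getHighestRole(array $roles): ?string
    {
        $best = null;
        $bestPriority = PHP_INT_MIN;
        foreach ($roles as $role) {
            $priority = $this->getRolePriority($role);
            if ($priority > $bestPriority) {
                $best = $role;
                $bestPriority = $priority;
            }
        }
        return $best;
    }
}

// Constructed priority map covering standard-style and custom role names.
$resolver = new RolePriorityResolver([
    'project-viewer'  => 10,
    'custom-role-2'   => 20,
    'project-member'  => 30,
    'custom-role-1'   => 40,
    'project-manager' => 50,
]);

// A user who is in Group A (custom-role-1) and Group B (custom-role-2).
echo $resolver->getHighestRole(['custom-role-2', 'custom-role-1']), PHP_EOL;
```

Selecting one winning role does not merge the permissions of two custom roles, so the priority numbers have to encode which role should win. Any custom role created later needs its own entry in the map, otherwise it resolves as the least privileged role.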