Permissions
Control who can access what in your server’s configuration. Permissions are assigned to Discord roles and can be scoped broadly to an entire panel or narrowly to a specific item inside a panel.
How permissions work
- Role-scoped: You assign permissions to a Discord role (e.g., @Moderator).
- Panel-level access: Grants Create, Read, Save, and Update for the entire panel.
- Granular (item-level) access: Restricts access to a specific item inside a panel (e.g., a single Join Quest). Create/Save/Update for other items are disabled.
Examples
- Panel-level: Give @Moderator access to the Join Quests panel so they can create, edit, and save any quest.
- Granular: Give @Helper access to only the “Welcome Quest” inside Join Quests. They can view that quest; other create/save/update actions are disabled.
Important risk: misconfiguration can grant admin
Be extremely careful when granting either panel-level or granular access. A poorly configured permission can allow privilege escalation. Example:
- A staff member with granular access to one Join Quest changes its reward role to Administrator, saves, then completes and approves that quest for themselves in Discord.
- Result: they grant themselves Administrator, gaining access to the entire dashboard.
To prevent this, never allow non-admin roles to edit rewards that can grant powerful roles (e.g., Administrator).
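One way to audit a setup for the escalation path described above, as an added example (not InfiniTea's code). The role, quest and grant structures are a hypothetical export format, and treating Manage Server and Manage Roles as powerful alongside Administrator is an assumption; the permission bit values are Discord's.

```python
# Added example. The export format (roles, quests, grants) is hypothetical,
# not InfiniTea's real schema. Permission bit values are Discord's.
ADMINISTRATOR = 1 << 3
MANAGE_GUILD = 1 << 5    # "Manage Server"
MANAGE_ROLES = 1 << 28
# Assumption: these three bits are what counts as a "powerful" reward role.
POWERFUL = ADMINISTRATOR | MANAGE_GUILD | MANAGE_ROLES
PANEL = "*"  # hypothetical marker for a panel-level grant on Join Quests


def audit(roles, quests, grants):
    """List every (level, role, quest, reward) a non-admin role can edit.

    roles:  {role name: Discord permission bitfield}
    quests: {quest name: reward role name}
    grants: [(role name, PANEL or a single quest name)]
    Any edit grant lets the holder retarget the reward, so each one is
    reported; "critical" means the current reward is already powerful.
    """
    findings = []
    for role, scope in grants:
        if roles[role] & ADMINISTRATOR:
            continue  # already has full access, nothing to escalate to
        editable = list(quests) if scope == PANEL else [scope]
        for quest in editable:
            reward = quests[quest]
            level = "critical" if roles[reward] & POWERFUL else "review"
            findings.append((level, role, quest, reward))
    return sorted(findings)


# Constructed sample data.
SAMPLE_ROLES = {
    "Administrator": ADMINISTRATOR,
    "Moderator": (1 << 1) | (1 << 2),  # Kick Members, Ban Members
    "Event Host": MANAGE_ROLES,
    "Helper": 0,
    "Member": 0,
}
SAMPLE_QUESTS = {"Welcome Quest": "Member", "Host Quest": "Event Host"}
SAMPLE_GRANTS = [("Administrator", PANEL), ("Moderator", PANEL),
                 ("Helper", "Welcome Quest")]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROLES, SAMPLE_QUESTS, SAMPLE_GRANTS):
        print(*finding, sep=" | ")
```

Every row is a grant to revisit: "critical" rows pair a non-admin editor with a reward that already carries powerful permissions, and "review" rows are quests whose reward that editor could still change.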
Best practices
- Principle of least privilege: grant only what’s needed.
- Separate duties: keep Administrator role rewards and permission changes limited to trusted admins.
- Review changes: require a second person to review role-reward updates.
- Avoid admin rewards in quests: prefer intermediate roles with limited scope.
- Test with a non-staff account to confirm the effective access.
Liability notice
You are responsible for your permission setup. Misconfiguration can lead to unauthorized access, data changes, or role escalation. InfiniTea is not liable for any damage caused by your configuration choices.