Describe the bug

We have to invite external collaborators to our MeshCentral. At the moment they should have as limited access as possible. They just need to see, what's on the screen and drop a note.

The following permissions are set:

• Remote Control & Relay
  • Remote View Only
  • No Terminal Access
  • No File Access
  • No Intel® AMT
• Edit Device Notes
• Show Only Own Events

The target devices are running on Windows 10 Embedded with RDP snd SSH. Also, the have two VNC server instances running, full-access on 5900/tcp on the loopback interface running as service and view-only on 5901/tcp on the wildcard interface in application mode in the Console session.

Problems/vulnerabilities:

• By clicking the Web-VNC-Link the user gets access to the machine.
• By clicking the Web-RDP-Link the user gets access to the machine.
• By clicking the Web-SSH-Link the user gets access to the machine.
• By clicking the RDP Connect-Button the user can sign-in to a view-only session (in (almost) any case, this makes no sense).
• By clicking the Connect-Button the user can choose to observe a RDP session.

To Reproduce

As described above.

Expected behavior

• No Connect to RDP sessions if not granted.
• No RDP Connect if view-only is set.
• No Web-RDP if view-only is set, it's out of control
• No Web-SSH if terminal access is denied
• Redirect Web-VNC to view-only port if view-only is set and start noVNC in view-only mode

A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Server Software (please complete the following information):
irrelevant

Client Device (please complete the following information):
irrelevant

Remote Device (please complete the following information):
irrelevant

Additional context

• Disabling novnc and mstsc in the config is no option.
• Setting up another domain is not so easy.
• PR with the expected behaviour (UI, backend) is underway.