feat: add more group permissions (#1453)

* feat: add more group permissions * feat: restrict access with app permissions * feat: restrict access with search-engine permissions * feat: restrict access with media permissions * refactor: remove permissions for users, groups and invites * test: adjust app router tests with app permissions * fix: integration page accessible without session * fix: search for users, groups and integrations shown to unauthenticated users * chore: address pull request feedback
2026-02-26 16:30:57 +01:00 · 2024-11-17 21:31:25 +01:00
parent 879aa1152f
commit 0ee343b99e
31 changed files with 575 additions and 208 deletions
--- a/apps/nextjs/src/app/[locale]/manage/apps/edit/[id]/page.tsx
+++ b/apps/nextjs/src/app/[locale]/manage/apps/edit/[id]/page.tsx
@@ -1,6 +1,8 @@
+import { notFound } from "next/navigation";
 import { Container, Stack, Title } from "@mantine/core";

 import { api } from "@homarr/api/server";
+import { auth } from "@homarr/auth/next";
 import { getI18n } from "@homarr/translation/server";

 import { DynamicBreadcrumb } from "~/components/navigation/dynamic-breadcrumb";
@@ -11,6 +13,11 @@ interface AppEditPageProps {
 }

 export default async function AppEditPage({ params }: AppEditPageProps) {
+  const session = await auth();
+
+  if (!session?.user.permissions.includes("app-modify-all")) {
+    notFound();
+  }
  const app = await api.app.byId({ id: params.id });
  const t = await getI18n();

--- a/apps/nextjs/src/app/[locale]/manage/apps/new/page.tsx
+++ b/apps/nextjs/src/app/[locale]/manage/apps/new/page.tsx
@@ -1,11 +1,19 @@
+import { notFound } from "next/navigation";
 import { Container, Stack, Title } from "@mantine/core";

+import { auth } from "@homarr/auth/next";
 import { getI18n } from "@homarr/translation/server";

 import { DynamicBreadcrumb } from "~/components/navigation/dynamic-breadcrumb";
 import { AppNewForm } from "./_app-new-form";

 export default async function AppNewPage() {
+  const session = await auth();
+
+  if (!session?.user.permissions.includes("app-create")) {
+    notFound();
+  }
+
  const t = await getI18n();

  return (
--- a/apps/nextjs/src/app/[locale]/manage/apps/page.tsx
+++ b/apps/nextjs/src/app/[locale]/manage/apps/page.tsx
@@ -1,9 +1,11 @@
 import Link from "next/link";
+import { redirect } from "next/navigation";
 import { ActionIcon, ActionIconGroup, Anchor, Avatar, Card, Group, Stack, Text, Title } from "@mantine/core";
 import { IconApps, IconPencil } from "@tabler/icons-react";

 import type { RouterOutputs } from "@homarr/api";
 import { api } from "@homarr/api/server";
+import { auth } from "@homarr/auth/next";
 import { parseAppHrefWithVariablesServer } from "@homarr/common/server";
 import { getI18n, getScopedI18n } from "@homarr/translation/server";

@@ -13,6 +15,12 @@ import { DynamicBreadcrumb } from "~/components/navigation/dynamic-breadcrumb";
 import { AppDeleteButton } from "./_app-delete-button";

 export default async function AppsPage() {
+  const session = await auth();
+
+  if (!session) {
+    redirect("/auth/login");
+  }
+
  const apps = await api.app.all();
  const t = await getScopedI18n("app");

@@ -22,9 +30,11 @@ export default async function AppsPage() {
      <Stack>
        <Group justify="space-between" align="center">
          <Title>{t("page.list.title")}</Title>
-          <MobileAffixButton component={Link} href="/manage/apps/new">
-            {t("page.create.title")}
-          </MobileAffixButton>
+          {session.user.permissions.includes("app-create") && (
+            <MobileAffixButton component={Link} href="/manage/apps/new">
+              {t("page.create.title")}
+            </MobileAffixButton>
+          )}
        </Group>
        {apps.length === 0 && <AppNoResults />}
        {apps.length > 0 && (
@@ -45,6 +55,7 @@ interface AppCardProps {

 const AppCard = async ({ app }: AppCardProps) => {
  const t = await getScopedI18n("app");
+  const session = await auth();

  return (
    <Card>
@@ -78,16 +89,18 @@ const AppCard = async ({ app }: AppCardProps) => {
        </Group>
        <Group>
          <ActionIconGroup>
-            <ActionIcon
-              component={Link}
-              href={`/manage/apps/edit/${app.id}`}
-              variant="subtle"
-              color="gray"
-              aria-label={t("page.edit.title")}
-            >
-              <IconPencil size={16} stroke={1.5} />
-            </ActionIcon>
-            <AppDeleteButton app={app} />
+            {session?.user.permissions.includes("app-modify-all") && (
+              <ActionIcon
+                component={Link}
+                href={`/manage/apps/edit/${app.id}`}
+                variant="subtle"
+                color="gray"
+                aria-label={t("page.edit.title")}
+              >
+                <IconPencil size={16} stroke={1.5} />
+              </ActionIcon>
+            )}
+            {session?.user.permissions.includes("app-full-all") && <AppDeleteButton app={app} />}
          </ActionIconGroup>
        </Group>
      </Group>
@@ -97,6 +110,7 @@ const AppCard = async ({ app }: AppCardProps) => {

 const AppNoResults = async () => {
  const t = await getI18n();
+  const session = await auth();

  return (
    <Card withBorder bg="transparent">
@@ -105,7 +119,9 @@ const AppNoResults = async () => {
        <Text fw={500} size="lg">
          {t("app.page.list.noResults.title")}
        </Text>
-        <Anchor href="/manage/apps/new">{t("app.page.list.noResults.action")}</Anchor>
+        {session?.user.permissions.includes("app-create") && (
+          <Anchor href="/manage/apps/new">{t("app.page.list.noResults.action")}</Anchor>
+        )}
      </Stack>
    </Card>
  );
--- a/apps/nextjs/src/app/[locale]/manage/integrations/edit/[id]/page.tsx
+++ b/apps/nextjs/src/app/[locale]/manage/integrations/edit/[id]/page.tsx
@@ -6,7 +6,7 @@ import { getI18n, getScopedI18n } from "@homarr/translation/server";
 import { IntegrationAvatar } from "@homarr/ui";

 import { DynamicBreadcrumb } from "~/components/navigation/dynamic-breadcrumb";
-import { catchTrpcNotFound } from "~/errors/trpc-not-found";
+import { catchTrpcNotFound } from "~/errors/trpc-catch-error";
 import { IntegrationAccessSettings } from "../../_components/integration-access-settings";
 import { EditIntegrationForm } from "./_integration-edit-form";

--- a/apps/nextjs/src/app/[locale]/manage/integrations/page.tsx
+++ b/apps/nextjs/src/app/[locale]/manage/integrations/page.tsx
@@ -1,6 +1,7 @@
 import { Fragment } from "react";
 import type { PropsWithChildren } from "react";
 import Link from "next/link";
+import { redirect } from "next/navigation";
 import {
  AccordionControl,
  AccordionItem,
@@ -50,11 +51,16 @@ interface IntegrationsPageProps {
 }

 export default async function IntegrationsPage({ searchParams }: IntegrationsPageProps) {
-  const integrations = await api.integration.all();
  const session = await auth();
+
+  if (!session) {
+    redirect("/auth/login");
+  }
+
+  const integrations = await api.integration.all();
  const t = await getScopedI18n("integration");

-  const canCreateIntegrations = session?.user.permissions.includes("integration-create") ?? false;
+  const canCreateIntegrations = session.user.permissions.includes("integration-create");

  return (
    <ManageContainer>
--- a/apps/nextjs/src/app/[locale]/manage/layout.tsx
+++ b/apps/nextjs/src/app/[locale]/manage/layout.tsx
@@ -52,16 +52,19 @@ export default async function ManageLayout({ children }: PropsWithChildren) {
      icon: IconBox,
      href: "/manage/apps",
      label: t("items.apps"),
+      hidden: !session,
    },
    {
      icon: IconPlug,
      href: "/manage/integrations",
      label: t("items.integrations"),
+      hidden: !session,
    },
    {
      icon: IconSearch,
      href: "/manage/search-engines",
      label: t("items.searchEngies"),
+      hidden: !session,
    },
    {
      icon: IconPhoto,
@@ -95,27 +98,32 @@ export default async function ManageLayout({ children }: PropsWithChildren) {
    {
      label: t("items.tools.label"),
      icon: IconTool,
-      hidden: !session?.user.permissions.includes("admin"),
+      // As permissions always include there children permissions, we can check other-view-logs as admin includes it
+      hidden: !session?.user.permissions.includes("other-view-logs"),
      items: [
        {
          label: t("items.tools.items.docker"),
          icon: IconBrandDocker,
          href: "/manage/tools/docker",
+          hidden: !session?.user.permissions.includes("admin"),
        },
        {
          label: t("items.tools.items.api"),
          icon: IconPlug,
          href: "/manage/tools/api",
+          hidden: !session?.user.permissions.includes("admin"),
        },
        {
          label: t("items.tools.items.logs"),
          icon: IconLogs,
          href: "/manage/tools/logs",
+          hidden: !session?.user.permissions.includes("other-view-logs"),
        },
        {
          label: t("items.tools.items.tasks"),
          icon: IconReport,
          href: "/manage/tools/tasks",
+          hidden: !session?.user.permissions.includes("admin"),
        },
      ],
    },
--- a/apps/nextjs/src/app/[locale]/manage/medias/page.tsx
+++ b/apps/nextjs/src/app/[locale]/manage/medias/page.tsx
@@ -47,7 +47,6 @@ export default async function GroupsListPage(props: MediaListPageProps) {
  const t = await getI18n();
  const searchParams = searchParamsSchema.parse(props.searchParams);
  const { items: medias, totalCount } = await api.media.getPaginated(searchParams);
-  const isAdmin = session.user.permissions.includes("admin");

  return (
    <ManageContainer size="xl">
@@ -57,10 +56,12 @@ export default async function GroupsListPage(props: MediaListPageProps) {
        <Group justify="space-between">
          <Group>
            <SearchInput placeholder={`${t("media.search")}...`} defaultValue={searchParams.search} />
-            {isAdmin && <IncludeFromAllUsersSwitch defaultChecked={searchParams.includeFromAllUsers} />}
+            {session.user.permissions.includes("media-view-all") && (
+              <IncludeFromAllUsersSwitch defaultChecked={searchParams.includeFromAllUsers} />
+            )}
          </Group>

-          <UploadMedia />
+          {session.user.permissions.includes("media-upload") && <UploadMedia />}
        </Group>
        <Table striped highlightOnHover>
          <TableThead>
@@ -91,7 +92,10 @@ interface RowProps {
  media: RouterOutputs["media"]["getPaginated"]["items"][number];
 }

-const Row = ({ media }: RowProps) => {
+const Row = async ({ media }: RowProps) => {
+  const session = await auth();
+  const canDelete = media.creatorId === session?.user.id || session?.user.permissions.includes("media-full-all");
+
  return (
    <TableTr>
      <TableTd w={64}>
@@ -120,7 +124,7 @@ const Row = ({ media }: RowProps) => {
      <TableTd w={64}>
        <Group wrap="nowrap" gap="xs">
          <CopyMedia media={media} />
-          <DeleteMedia media={media} />
+          {canDelete && <DeleteMedia media={media} />}
        </Group>
      </TableTd>
    </TableTr>
--- a/apps/nextjs/src/app/[locale]/manage/page.tsx
+++ b/apps/nextjs/src/app/[locale]/manage/page.tsx
@@ -64,6 +64,7 @@ export default async function ManagementPage() {
      href: "/manage/apps",
      subtitle: t("statisticLabel.resources"),
      title: t("statistic.app"),
+      hidden: !session?.user,
    },
    {
      count: statistics.countGroups,
--- a/apps/nextjs/src/app/[locale]/manage/search-engines/edit/[id]/page.tsx
+++ b/apps/nextjs/src/app/[locale]/manage/search-engines/edit/[id]/page.tsx
@@ -1,6 +1,8 @@
+import { notFound } from "next/navigation";
 import { Stack, Title } from "@mantine/core";

 import { api } from "@homarr/api/server";
+import { auth } from "@homarr/auth/next";
 import { getI18n } from "@homarr/translation/server";

 import { ManageContainer } from "~/components/manage/manage-container";
@@ -12,6 +14,12 @@ interface SearchEngineEditPageProps {
 }

 export default async function SearchEngineEditPage({ params }: SearchEngineEditPageProps) {
+  const session = await auth();
+
+  if (!session?.user.permissions.includes("search-engine-modify-all")) {
+    notFound();
+  }
+
  const searchEngine = await api.searchEngine.byId({ id: params.id });
  const t = await getI18n();

--- a/apps/nextjs/src/app/[locale]/manage/search-engines/new/page.tsx
+++ b/apps/nextjs/src/app/[locale]/manage/search-engines/new/page.tsx
@@ -1,5 +1,7 @@
+import { notFound } from "next/navigation";
 import { Stack, Title } from "@mantine/core";

+import { auth } from "@homarr/auth/next";
 import { getI18n } from "@homarr/translation/server";

 import { ManageContainer } from "~/components/manage/manage-container";
@@ -7,6 +9,12 @@ import { DynamicBreadcrumb } from "~/components/navigation/dynamic-breadcrumb";
 import { SearchEngineNewForm } from "./_search-engine-new-form";

 export default async function SearchEngineNewPage() {
+  const session = await auth();
+
+  if (!session?.user.permissions.includes("search-engine-create")) {
+    notFound();
+  }
+
  const t = await getI18n();

  return (
--- a/apps/nextjs/src/app/[locale]/manage/search-engines/page.tsx
+++ b/apps/nextjs/src/app/[locale]/manage/search-engines/page.tsx
@@ -1,9 +1,11 @@
 import Link from "next/link";
+import { redirect } from "next/navigation";
 import { ActionIcon, ActionIconGroup, Anchor, Avatar, Card, Group, Stack, Text, Title } from "@mantine/core";
 import { IconPencil, IconSearch } from "@tabler/icons-react";

 import type { RouterOutputs } from "@homarr/api";
 import { api } from "@homarr/api/server";
+import { auth } from "@homarr/auth/next";
 import { getI18n, getScopedI18n } from "@homarr/translation/server";
 import { SearchInput, TablePagination } from "@homarr/ui";
 import { z } from "@homarr/validation";
@@ -28,6 +30,12 @@ interface SearchEnginesPageProps {
 }

 export default async function SearchEnginesPage(props: SearchEnginesPageProps) {
+  const session = await auth();
+
+  if (!session) {
+    redirect("/auth/login");
+  }
+
  const searchParams = searchParamsSchema.parse(props.searchParams);
  const { items: searchEngines, totalCount } = await api.searchEngine.getPaginated(searchParams);

@@ -40,9 +48,11 @@ export default async function SearchEnginesPage(props: SearchEnginesPageProps) {
        <Title>{tEngine("page.list.title")}</Title>
        <Group justify="space-between" align="center">
          <SearchInput placeholder={`${tEngine("search")}...`} defaultValue={searchParams.search} />
-          <MobileAffixButton component={Link} href="/manage/search-engines/new">
-            {tEngine("page.create.title")}
-          </MobileAffixButton>
+          {session.user.permissions.includes("search-engine-create") && (
+            <MobileAffixButton component={Link} href="/manage/search-engines/new">
+              {tEngine("page.create.title")}
+            </MobileAffixButton>
+          )}
        </Group>
        {searchEngines.length === 0 && <SearchEngineNoResults />}
        {searchEngines.length > 0 && (
@@ -67,6 +77,7 @@ interface SearchEngineCardProps {

 const SearchEngineCard = async ({ searchEngine }: SearchEngineCardProps) => {
  const t = await getScopedI18n("search.engine");
+  const session = await auth();

  return (
    <Card>
@@ -105,16 +116,20 @@ const SearchEngineCard = async ({ searchEngine }: SearchEngineCardProps) => {
        </Group>
        <Group>
          <ActionIconGroup>
-            <ActionIcon
-              component={Link}
-              href={`/manage/search-engines/edit/${searchEngine.id}`}
-              variant="subtle"
-              color="gray"
-              aria-label={t("page.edit.title")}
-            >
-              <IconPencil size={16} stroke={1.5} />
-            </ActionIcon>
-            <SearchEngineDeleteButton searchEngine={searchEngine} />
+            {session?.user.permissions.includes("search-engine-modify-all") && (
+              <ActionIcon
+                component={Link}
+                href={`/manage/search-engines/edit/${searchEngine.id}`}
+                variant="subtle"
+                color="gray"
+                aria-label={t("page.edit.title")}
+              >
+                <IconPencil size={16} stroke={1.5} />
+              </ActionIcon>
+            )}
+            {session?.user.permissions.includes("search-engine-full-all") && (
+              <SearchEngineDeleteButton searchEngine={searchEngine} />
+            )}
          </ActionIconGroup>
        </Group>
      </Group>
@@ -124,6 +139,7 @@ const SearchEngineCard = async ({ searchEngine }: SearchEngineCardProps) => {

 const SearchEngineNoResults = async () => {
  const t = await getI18n();
+  const session = await auth();

  return (
    <Card withBorder bg="transparent">
@@ -132,7 +148,9 @@ const SearchEngineNoResults = async () => {
        <Text fw={500} size="lg">
          {t("search.engine.page.list.noResults.title")}
        </Text>
-        <Anchor href="/manage/search-engines/new">{t("search.engine.page.list.noResults.action")}</Anchor>
+        {session?.user.permissions.includes("search-engine-create") && (
+          <Anchor href="/manage/search-engines/new">{t("search.engine.page.list.noResults.action")}</Anchor>
+        )}
      </Stack>
    </Card>
  );
--- a/apps/nextjs/src/app/[locale]/manage/tools/logs/page.tsx
+++ b/apps/nextjs/src/app/[locale]/manage/tools/logs/page.tsx
@@ -27,7 +27,7 @@ export async function generateMetadata() {

 export default async function LogsManagementPage() {
  const session = await auth();
-  if (!session?.user || !session.user.permissions.includes("admin")) {
+  if (!session?.user || !session.user.permissions.includes("other-view-logs")) {
    notFound();
  }

--- a/apps/nextjs/src/app/[locale]/manage/users/[userId]/general/page.tsx
+++ b/apps/nextjs/src/app/[locale]/manage/users/[userId]/general/page.tsx
@@ -8,7 +8,7 @@ import { getI18n, getScopedI18n } from "@homarr/translation/server";

 import { CurrentLanguageCombobox } from "~/components/language/current-language-combobox";
 import { DangerZoneItem, DangerZoneRoot } from "~/components/manage/danger-zone";
-import { catchTrpcNotFound } from "~/errors/trpc-not-found";
+import { catchTrpcNotFound } from "~/errors/trpc-catch-error";
 import { createMetaTitle } from "~/metadata";
 import { canAccessUserEditPage } from "../access";
 import { ChangeHomeBoardForm } from "./_components/_change-home-board";
--- a/apps/nextjs/src/app/[locale]/manage/users/[userId]/layout.tsx
+++ b/apps/nextjs/src/app/[locale]/manage/users/[userId]/layout.tsx
@@ -10,7 +10,7 @@ import { UserAvatar } from "@homarr/ui";

 import { ManageContainer } from "~/components/manage/manage-container";
 import { DynamicBreadcrumb } from "~/components/navigation/dynamic-breadcrumb";
-import { catchTrpcNotFound } from "~/errors/trpc-not-found";
+import { catchTrpcNotFound } from "~/errors/trpc-catch-error";
 import { NavigationLink } from "../groups/[id]/_navigation";
 import { canAccessUserEditPage } from "./access";

--- a/apps/nextjs/src/app/[locale]/manage/users/[userId]/security/page.tsx
+++ b/apps/nextjs/src/app/[locale]/manage/users/[userId]/security/page.tsx
@@ -5,7 +5,7 @@ import { api } from "@homarr/api/server";
 import { auth } from "@homarr/auth/next";
 import { getScopedI18n } from "@homarr/translation/server";

-import { catchTrpcNotFound } from "~/errors/trpc-not-found";
+import { catchTrpcNotFound } from "~/errors/trpc-catch-error";
 import { canAccessUserEditPage } from "../access";
 import { ChangePasswordForm } from "./_components/_change-password-form";

--- a/apps/nextjs/src/errors/trpc-catch-error.ts
+++ b/apps/nextjs/src/errors/trpc-catch-error.ts
@@ -0,0 +1,23 @@
+import "server-only";
+
+import { notFound, redirect } from "next/navigation";
+import { TRPCError } from "@trpc/server";
+
+import { logger } from "@homarr/log";
+
+export const catchTrpcNotFound = (err: unknown) => {
+  if (err instanceof TRPCError && err.code === "NOT_FOUND") {
+    notFound();
+  }
+
+  throw err;
+};
+
+export const catchTrpcUnauthorized = (err: unknown) => {
+  if (err instanceof TRPCError && err.code === "UNAUTHORIZED") {
+    logger.info("Somebody tried to access a protected route without being authenticated, redirecting to login page");
+    redirect("/auth/login");
+  }
+
+  throw err;
+};
--- a/apps/nextjs/src/errors/trpc-not-found.ts
+++ b/apps/nextjs/src/errors/trpc-not-found.ts
@@ -1,12 +0,0 @@
-import "server-only";
-
-import { notFound } from "next/navigation";
-import { TRPCError } from "@trpc/server";
-
-export const catchTrpcNotFound = (err: unknown) => {
-  if (err instanceof TRPCError && err.code === "NOT_FOUND") {
-    notFound();
-  }
-
-  throw err;
-};
--- a/packages/api/src/router/app.ts
+++ b/packages/api/src/router/app.ts
@@ -4,10 +4,11 @@ import { asc, createId, eq, inArray, like } from "@homarr/db";
 import { apps } from "@homarr/db/schema/sqlite";
 import { validation, z } from "@homarr/validation";

-import { createTRPCRouter, protectedProcedure, publicProcedure } from "../trpc";
+import { createTRPCRouter, permissionRequiredProcedure, protectedProcedure, publicProcedure } from "../trpc";
+import { canUserSeeAppAsync } from "./app/app-access-control";

 export const appRouter = createTRPCRouter({
-  all: publicProcedure
+  all: protectedProcedure
    .input(z.void())
    .output(
      z.array(
@@ -26,7 +27,7 @@ export const appRouter = createTRPCRouter({
        orderBy: asc(apps.name),
      });
    }),
-  search: publicProcedure
+  search: protectedProcedure
    .input(z.object({ query: z.string(), limit: z.number().min(1).max(100).default(10) }))
    .output(
      z.array(
@@ -47,7 +48,7 @@ export const appRouter = createTRPCRouter({
        limit: input.limit,
      });
    }),
-  selectable: publicProcedure
+  selectable: protectedProcedure
    .input(z.void())
    .output(
      z.array(
@@ -104,14 +105,23 @@ export const appRouter = createTRPCRouter({
        });
      }

+      const canUserSeeApp = await canUserSeeAppAsync(ctx.session?.user ?? null, app.id);
+      if (!canUserSeeApp) {
+        throw new TRPCError({
+          code: "NOT_FOUND",
+          message: "App not found",
+        });
+      }
+
      return app;
    }),
-  byIds: publicProcedure.input(z.array(z.string())).query(async ({ ctx, input }) => {
+  byIds: protectedProcedure.input(z.array(z.string())).query(async ({ ctx, input }) => {
    return await ctx.db.query.apps.findMany({
      where: inArray(apps.id, input),
    });
  }),
-  create: protectedProcedure
+  create: permissionRequiredProcedure
+    .requiresPermission("app-create")
    .input(validation.app.manage)
    .output(z.void())
    .meta({ openapi: { method: "POST", path: "/api/apps", tags: ["apps"], protect: true } })
@@ -124,29 +134,33 @@ export const appRouter = createTRPCRouter({
        href: input.href,
      });
    }),
-  update: protectedProcedure.input(validation.app.edit).mutation(async ({ ctx, input }) => {
-    const app = await ctx.db.query.apps.findFirst({
-      where: eq(apps.id, input.id),
-    });
-
-    if (!app) {
-      throw new TRPCError({
-        code: "NOT_FOUND",
-        message: "App not found",
+  update: permissionRequiredProcedure
+    .requiresPermission("app-modify-all")
+    .input(validation.app.edit)
+    .mutation(async ({ ctx, input }) => {
+      const app = await ctx.db.query.apps.findFirst({
+        where: eq(apps.id, input.id),
      });
-    }

-    await ctx.db
-      .update(apps)
-      .set({
-        name: input.name,
-        description: input.description,
-        iconUrl: input.iconUrl,
-        href: input.href,
-      })
-      .where(eq(apps.id, input.id));
-  }),
-  delete: protectedProcedure
+      if (!app) {
+        throw new TRPCError({
+          code: "NOT_FOUND",
+          message: "App not found",
+        });
+      }
+
+      await ctx.db
+        .update(apps)
+        .set({
+          name: input.name,
+          description: input.description,
+          iconUrl: input.iconUrl,
+          href: input.href,
+        })
+        .where(eq(apps.id, input.id));
+    }),
+  delete: permissionRequiredProcedure
+    .requiresPermission("app-full-all")
    .output(z.void())
    .meta({ openapi: { method: "DELETE", path: "/api/apps/{id}", tags: ["apps"], protect: true } })
    .input(validation.common.byId)
--- a/packages/api/src/router/app/app-access-control.ts
+++ b/packages/api/src/router/app/app-access-control.ts
@@ -0,0 +1,50 @@
+import SuperJSON from "superjson";
+
+import type { Session } from "@homarr/auth";
+import { db, eq, or } from "@homarr/db";
+import { items } from "@homarr/db/schema/sqlite";
+
+import type { WidgetComponentProps } from "../../../../widgets/src";
+
+export const canUserSeeAppAsync = async (user: Session["user"] | null, appId: string) => {
+  return await canUserSeeAppsAsync(user, [appId]);
+};
+
+export const canUserSeeAppsAsync = async (user: Session["user"] | null, appIds: string[]) => {
+  if (user) return true;
+
+  const appIdsOnPublicBoards = await getAllAppIdsOnPublicBoardsAsync();
+  return appIds.every((appId) => appIdsOnPublicBoards.includes(appId));
+};
+
+const getAllAppIdsOnPublicBoardsAsync = async () => {
+  const itemsWithApps = await db.query.items.findMany({
+    where: or(eq(items.kind, "app"), eq(items.kind, "bookmarks")),
+    with: {
+      section: {
+        columns: {}, // Nothing
+        with: {
+          board: {
+            columns: {
+              isPublic: true,
+            },
+          },
+        },
+      },
+    },
+  });
+
+  return itemsWithApps
+    .filter((item) => item.section.board.isPublic)
+    .flatMap((item) => {
+      if (item.kind === "app") {
+        const parsedOptions = SuperJSON.parse<WidgetComponentProps<"app">["options"]>(item.options);
+        return [parsedOptions.appId];
+      } else if (item.kind === "bookmarks") {
+        const parsedOptions = SuperJSON.parse<WidgetComponentProps<"bookmarks">["options"]>(item.options);
+        return parsedOptions.items;
+      }
+
+      throw new Error("Failed to get app ids from board. Invalid item kind: 'test'");
+    });
+};
--- a/packages/api/src/router/log.ts
+++ b/packages/api/src/router/log.ts
@@ -7,7 +7,7 @@ import { loggingChannel } from "@homarr/redis";
 import { createTRPCRouter, permissionRequiredProcedure } from "../trpc";

 export const logRouter = createTRPCRouter({
-  subscribe: permissionRequiredProcedure.requiresPermission("admin").subscription(() => {
+  subscribe: permissionRequiredProcedure.requiresPermission("other-view-logs").subscription(() => {
    return observable<LoggerMessage>((emit) => {
      const unsubscribe = loggingChannel.subscribe((data) => {
        emit.next(data);
--- a/packages/api/src/router/medias/media-router.ts
+++ b/packages/api/src/router/medias/media-router.ts
@@ -4,7 +4,7 @@ import { and, createId, desc, eq, like } from "@homarr/db";
 import { medias } from "@homarr/db/schema/sqlite";
 import { validation, z } from "@homarr/validation";

-import { createTRPCRouter, protectedProcedure } from "../../trpc";
+import { createTRPCRouter, permissionRequiredProcedure, protectedProcedure } from "../../trpc";

 export const mediaRouter = createTRPCRouter({
  getPaginated: protectedProcedure
@@ -14,7 +14,7 @@ export const mediaRouter = createTRPCRouter({
      ),
    )
    .query(async ({ ctx, input }) => {
-      const includeFromAllUsers = ctx.session.user.permissions.includes("admin") && input.includeFromAllUsers;
+      const includeFromAllUsers = ctx.session.user.permissions.includes("media-view-all") && input.includeFromAllUsers;

      const where = and(
        input.search.length >= 1 ? like(medias.name, `%${input.search}%`) : undefined,
@@ -46,20 +46,23 @@ export const mediaRouter = createTRPCRouter({
        totalCount,
      };
    }),
-  uploadMedia: protectedProcedure.input(validation.media.uploadMedia).mutation(async ({ ctx, input }) => {
-    const content = Buffer.from(await input.file.arrayBuffer());
-    const id = createId();
-    await ctx.db.insert(medias).values({
-      id,
-      creatorId: ctx.session.user.id,
-      content,
-      size: input.file.size,
-      contentType: input.file.type,
-      name: input.file.name,
-    });
+  uploadMedia: permissionRequiredProcedure
+    .requiresPermission("media-upload")
+    .input(validation.media.uploadMedia)
+    .mutation(async ({ ctx, input }) => {
+      const content = Buffer.from(await input.file.arrayBuffer());
+      const id = createId();
+      await ctx.db.insert(medias).values({
+        id,
+        creatorId: ctx.session.user.id,
+        content,
+        size: input.file.size,
+        contentType: input.file.type,
+        name: input.file.name,
+      });

-    return id;
-  }),
+      return id;
+    }),
  deleteMedia: protectedProcedure.input(validation.common.byId).mutation(async ({ ctx, input }) => {
    const dbMedia = await ctx.db.query.medias.findFirst({
      where: eq(medias.id, input.id),
@@ -75,8 +78,8 @@ export const mediaRouter = createTRPCRouter({
      });
    }

-    // Only allow admins and the creator of the media to delete it
-    if (!ctx.session.user.permissions.includes("admin") && ctx.session.user.id !== dbMedia.creatorId) {
+    // Only allow users with media-full-all permission and the creator of the media to delete it
+    if (!ctx.session.user.permissions.includes("media-full-all") && ctx.session.user.id !== dbMedia.creatorId) {
      throw new TRPCError({
        code: "FORBIDDEN",
        message: "You don't have permission to delete this media",
--- a/packages/api/src/router/search-engine/search-engine-router.ts
+++ b/packages/api/src/router/search-engine/search-engine-router.ts
@@ -4,7 +4,7 @@ import { createId, eq, like, sql } from "@homarr/db";
 import { searchEngines } from "@homarr/db/schema/sqlite";
 import { validation } from "@homarr/validation";

-import { createTRPCRouter, protectedProcedure } from "../../trpc";
+import { createTRPCRouter, permissionRequiredProcedure, protectedProcedure } from "../../trpc";

 export const searchEngineRouter = createTRPCRouter({
  getPaginated: protectedProcedure.input(validation.common.paginated).query(async ({ input, ctx }) => {
@@ -59,43 +59,52 @@ export const searchEngineRouter = createTRPCRouter({
      limit: input.limit,
    });
  }),
-  create: protectedProcedure.input(validation.searchEngine.manage).mutation(async ({ ctx, input }) => {
-    await ctx.db.insert(searchEngines).values({
-      id: createId(),
-      name: input.name,
-      short: input.short.toLowerCase(),
-      iconUrl: input.iconUrl,
-      urlTemplate: "urlTemplate" in input ? input.urlTemplate : null,
-      description: input.description,
-      type: input.type,
-      integrationId: "integrationId" in input ? input.integrationId : null,
-    });
-  }),
-  update: protectedProcedure.input(validation.searchEngine.edit).mutation(async ({ ctx, input }) => {
-    const searchEngine = await ctx.db.query.searchEngines.findFirst({
-      where: eq(searchEngines.id, input.id),
-    });
-
-    if (!searchEngine) {
-      throw new TRPCError({
-        code: "NOT_FOUND",
-        message: "Search engine not found",
-      });
-    }
-
-    await ctx.db
-      .update(searchEngines)
-      .set({
+  create: permissionRequiredProcedure
+    .requiresPermission("search-engine-create")
+    .input(validation.searchEngine.manage)
+    .mutation(async ({ ctx, input }) => {
+      await ctx.db.insert(searchEngines).values({
+        id: createId(),
        name: input.name,
+        short: input.short.toLowerCase(),
        iconUrl: input.iconUrl,
        urlTemplate: "urlTemplate" in input ? input.urlTemplate : null,
        description: input.description,
-        integrationId: "integrationId" in input ? input.integrationId : null,
        type: input.type,
-      })
-      .where(eq(searchEngines.id, input.id));
-  }),
-  delete: protectedProcedure.input(validation.common.byId).mutation(async ({ ctx, input }) => {
-    await ctx.db.delete(searchEngines).where(eq(searchEngines.id, input.id));
-  }),
+        integrationId: "integrationId" in input ? input.integrationId : null,
+      });
+    }),
+  update: permissionRequiredProcedure
+    .requiresPermission("search-engine-modify-all")
+    .input(validation.searchEngine.edit)
+    .mutation(async ({ ctx, input }) => {
+      const searchEngine = await ctx.db.query.searchEngines.findFirst({
+        where: eq(searchEngines.id, input.id),
+      });
+
+      if (!searchEngine) {
+        throw new TRPCError({
+          code: "NOT_FOUND",
+          message: "Search engine not found",
+        });
+      }
+
+      await ctx.db
+        .update(searchEngines)
+        .set({
+          name: input.name,
+          iconUrl: input.iconUrl,
+          urlTemplate: "urlTemplate" in input ? input.urlTemplate : null,
+          description: input.description,
+          integrationId: "integrationId" in input ? input.integrationId : null,
+          type: input.type,
+        })
+        .where(eq(searchEngines.id, input.id));
+    }),
+  delete: permissionRequiredProcedure
+    .requiresPermission("search-engine-full-all")
+    .input(validation.common.byId)
+    .mutation(async ({ ctx, input }) => {
+      await ctx.db.delete(searchEngines).where(eq(searchEngines.id, input.id));
+    }),
 });
--- a/packages/api/src/router/test/app.spec.ts
+++ b/packages/api/src/router/test/app.spec.ts
@@ -5,23 +5,26 @@ import type { Session } from "@homarr/auth";
 import { createId } from "@homarr/db";
 import { apps } from "@homarr/db/schema/sqlite";
 import { createDb } from "@homarr/db/test";
+import type { GroupPermissionKey } from "@homarr/definitions";

 import { appRouter } from "../app";
+import * as appAccessControl from "../app/app-access-control";

 // Mock the auth module to return an empty session
 vi.mock("@homarr/auth", () => ({ auth: () => ({}) as Session }));

-const defaultSession: Session = {
-  user: { id: createId(), permissions: [], colorScheme: "light" },
+const createDefaultSession = (permissions: GroupPermissionKey[] = []): Session => ({
+  user: { id: createId(), permissions, colorScheme: "light" },
  expires: new Date().toISOString(),
-};
+});

 describe("all should return all apps", () => {
-  test("should return all apps", async () => {
+  test("should return all apps with session", async () => {
+    // Arrange
    const db = createDb();
    const caller = appRouter.createCaller({
      db,
-      session: null,
+      session: createDefaultSession(),
    });

    await db.insert(apps).values([
@@ -48,15 +51,30 @@ describe("all should return all apps", () => {
    expect(result[1]!.href).toBeNull();
    expect(result[1]!.description).toBeNull();
  });
+  test("should throw UNAUTHORIZED if the user is not authenticated", async () => {
+    // Arrange
+    const caller = appRouter.createCaller({
+      db: createDb(),
+      session: null,
+    });
+
+    // Act
+    const actAsync = async () => await caller.all();
+
+    // Assert
+    await expect(actAsync()).rejects.toThrow("UNAUTHORIZED");
+  });
 });

 describe("byId should return an app by id", () => {
-  test("should return an app by id", async () => {
+  test("should return an app by id when canUserSeeAppAsync returns true", async () => {
+    // Arrange
    const db = createDb();
    const caller = appRouter.createCaller({
      db,
      session: null,
    });
+    vi.spyOn(appAccessControl, "canUserSeeAppAsync").mockReturnValue(Promise.resolve(true));

    await db.insert(apps).values([
      {
@@ -73,28 +91,61 @@ describe("byId should return an app by id", () => {
      },
    ]);

+    // Act
    const result = await caller.byId({ id: "2" });
+
+    // Assert
    expect(result.name).toBe("Mantine");
  });

+  test("should throw NOT_FOUND error when canUserSeeAppAsync returns false", async () => {
+    // Arrange
+    const db = createDb();
+    const caller = appRouter.createCaller({
+      db,
+      session: null,
+    });
+    await db.insert(apps).values([
+      {
+        id: "2",
+        name: "Mantine",
+        description: "React components and hooks library",
+        iconUrl: "https://mantine.dev/favicon.svg",
+        href: "https://mantine.dev",
+      },
+    ]);
+    vi.spyOn(appAccessControl, "canUserSeeAppAsync").mockReturnValue(Promise.resolve(false));
+
+    // Act
+    const actAsync = async () => await caller.byId({ id: "2" });
+
+    // Assert
+    await expect(actAsync()).rejects.toThrow("App not found");
+  });
+
  test("should throw an error if the app does not exist", async () => {
+    // Arrange
    const db = createDb();
    const caller = appRouter.createCaller({
      db,
      session: null,
    });

+    // Act
    const actAsync = async () => await caller.byId({ id: "2" });
+
+    // Assert
    await expect(actAsync()).rejects.toThrow("App not found");
  });
 });

 describe("create should create a new app with all arguments", () => {
  test("should create a new app", async () => {
+    // Arrange
    const db = createDb();
    const caller = appRouter.createCaller({
      db,
-      session: defaultSession,
+      session: createDefaultSession(["app-create"]),
    });
    const input = {
      name: "Mantine",
@@ -103,8 +154,10 @@ describe("create should create a new app with all arguments", () => {
      href: "https://mantine.dev",
    };

+    // Act
    await caller.create(input);

+    // Assert
    const dbApp = await db.query.apps.findFirst();
    expect(dbApp).toBeDefined();
    expect(dbApp!.name).toBe(input.name);
@@ -114,10 +167,11 @@ describe("create should create a new app with all arguments", () => {
  });

  test("should create a new app only with required arguments", async () => {
+    // Arrange
    const db = createDb();
    const caller = appRouter.createCaller({
      db,
-      session: defaultSession,
+      session: createDefaultSession(["app-create"]),
    });
    const input = {
      name: "Mantine",
@@ -126,8 +180,10 @@ describe("create should create a new app with all arguments", () => {
      href: null,
    };

+    // Act
    await caller.create(input);

+    // Assert
    const dbApp = await db.query.apps.findFirst();
    expect(dbApp).toBeDefined();
    expect(dbApp!.name).toBe(input.name);
@@ -139,10 +195,11 @@ describe("create should create a new app with all arguments", () => {

 describe("update should update an app", () => {
  test("should update an app", async () => {
+    // Arrange
    const db = createDb();
    const caller = appRouter.createCaller({
      db,
-      session: defaultSession,
+      session: createDefaultSession(["app-modify-all"]),
    });

    const appId = createId();
@@ -162,8 +219,10 @@ describe("update should update an app", () => {
      href: "https://mantine.dev",
    };

+    // Act
    await caller.update(input);

+    // Assert
    const dbApp = await db.query.apps.findFirst();

    expect(dbApp).toBeDefined();
@@ -174,12 +233,14 @@ describe("update should update an app", () => {
  });

  test("should throw an error if the app does not exist", async () => {
+    // Arrange
    const db = createDb();
    const caller = appRouter.createCaller({
      db,
-      session: defaultSession,
+      session: createDefaultSession(["app-modify-all"]),
    });

+    // Act
    const actAsync = async () =>
      await caller.update({
        id: createId(),
@@ -188,16 +249,19 @@ describe("update should update an app", () => {
        description: null,
        href: null,
      });
+
+    // Assert
    await expect(actAsync()).rejects.toThrow("App not found");
  });
 });

 describe("delete should delete an app", () => {
  test("should delete an app", async () => {
+    // Arrange
    const db = createDb();
    const caller = appRouter.createCaller({
      db,
-      session: defaultSession,
+      session: createDefaultSession(["app-full-all"]),
    });

    const appId = createId();
@@ -207,8 +271,10 @@ describe("delete should delete an app", () => {
      iconUrl: "https://mantine.dev/favicon.svg",
    });

+    // Act
    await caller.delete({ id: appId });

+    // Assert
    const dbApp = await db.query.apps.findFirst();
    expect(dbApp).toBeUndefined();
  });
--- a/packages/definitions/src/permissions.ts
+++ b/packages/definitions/src/permissions.ts
@@ -36,8 +36,13 @@ export type IntegrationPermission = (typeof integrationPermissions)[number];
 * For example "board-create" is a generated key
 */
 export const groupPermissions = {
+  // Order is the same in the UI, inspired from order in navigation here
  board: ["create", "view-all", "modify-all", "full-all"],
+  app: ["create", "use-all", "modify-all", "full-all"],
  integration: ["create", "use-all", "interact-all", "full-all"],
+  "search-engine": ["create", "modify-all", "full-all"],
+  media: ["upload", "view-all", "full-all"],
+  other: ["view-logs"],
  admin: true,
 } as const;

@@ -49,9 +54,21 @@ export const groupPermissions = {
 const groupPermissionParents = {
  "board-modify-all": ["board-view-all"],
  "board-full-all": ["board-modify-all", "board-create"],
+  "app-modify-all": ["app-create"],
+  "app-full-all": ["app-modify-all", "app-use-all"],
  "integration-interact-all": ["integration-use-all"],
  "integration-full-all": ["integration-interact-all", "integration-create"],
-  admin: ["board-full-all", "integration-full-all"],
+  "search-engine-modify-all": ["search-engine-create"],
+  "search-engine-full-all": ["search-engine-modify-all"],
+  "media-full-all": ["media-upload", "media-view-all"],
+  admin: [
+    "board-full-all",
+    "app-full-all",
+    "integration-full-all",
+    "search-engine-full-all",
+    "media-full-all",
+    "other-view-logs",
+  ],
 } satisfies Partial<Record<GroupPermissionKey, GroupPermissionKey[]>>;

 export const getPermissionsWithParents = (permissions: GroupPermissionKey[]): GroupPermissionKey[] => {
--- a/packages/spotlight/src/components/spotlight.tsx
+++ b/packages/spotlight/src/components/spotlight.tsx
@@ -1,5 +1,6 @@
 "use client";

+import type { Dispatch, SetStateAction } from "react";
 import { useMemo, useRef, useState } from "react";
 import { ActionIcon, Center, Group, Kbd } from "@mantine/core";
 import { Spotlight as MantineSpotlight } from "@mantine/spotlight";
@@ -9,23 +10,42 @@ import type { TranslationObject } from "@homarr/translation";
 import { useI18n } from "@homarr/translation/client";

 import type { inferSearchInteractionOptions } from "../lib/interaction";
+import type { SearchMode } from "../lib/mode";
 import { searchModes } from "../modes";
 import { selectAction, spotlightStore } from "../spotlight-store";
 import { SpotlightChildrenActions } from "./actions/children-actions";
 import { SpotlightActionGroups } from "./actions/groups/action-group";

+type SearchModeKey = keyof TranslationObject["search"]["mode"];
+
 export const Spotlight = () => {
-  const [query, setQuery] = useState("");
-  const [mode, setMode] = useState<keyof TranslationObject["search"]["mode"]>("help");
-  const [childrenOptions, setChildrenOptions] = useState<inferSearchInteractionOptions<"children"> | null>(null);
-  const t = useI18n();
-  const inputRef = useRef<HTMLInputElement>(null);
+  const searchModeState = useState<SearchModeKey>("help");
+  const mode = searchModeState[0];
  const activeMode = useMemo(() => searchModes.find((searchMode) => searchMode.modeKey === mode), [mode]);

  if (!activeMode) {
    return null;
  }

+  // We use the "key" below to prevent the 'Different amounts of hooks' error
+  return <SpotlightWithActiveMode key={mode} modeState={searchModeState} activeMode={activeMode} />;
+};
+
+interface SpotlightWithActiveModeProps {
+  modeState: [SearchModeKey, Dispatch<SetStateAction<SearchModeKey>>];
+  activeMode: SearchMode;
+}
+
+const SpotlightWithActiveMode = ({ modeState, activeMode }: SpotlightWithActiveModeProps) => {
+  const [query, setQuery] = useState("");
+  const [mode, setMode] = modeState;
+  const [childrenOptions, setChildrenOptions] = useState<inferSearchInteractionOptions<"children"> | null>(null);
+  const t = useI18n();
+  const inputRef = useRef<HTMLInputElement>(null);
+  // Works as always the same amount of hooks are executed
+  const useGroups = "groups" in activeMode ? () => activeMode.groups : activeMode.useGroups;
+  const groups = useGroups();
+
  return (
    <MantineSpotlight.Root
      yOffset={8}
@@ -115,7 +135,7 @@ export const Spotlight = () => {
              });
            }}
            query={query}
-            groups={activeMode.groups}
+            groups={groups}
          />
        )}
      </MantineSpotlight.ActionsList>
--- a/packages/spotlight/src/lib/mode.ts
+++ b/packages/spotlight/src/lib/mode.ts
@@ -2,8 +2,14 @@ import type { TranslationObject } from "@homarr/translation";

 import type { SearchGroup } from "./group";

-export interface SearchMode {
+export type SearchMode = {
  modeKey: keyof TranslationObject["search"]["mode"];
  character: string;
-  groups: SearchGroup[];
-}
+} & (
+  | {
+      groups: SearchGroup[];
+    }
+  | {
+      useGroups: () => SearchGroup[];
+    }
+);
--- a/packages/spotlight/src/modes/app-integration-board/index.tsx
+++ b/packages/spotlight/src/modes/app-integration-board/index.tsx
@@ -1,3 +1,6 @@
+import { useSession } from "@homarr/auth/client";
+
+import type { SearchGroup } from "../../lib/group";
 import type { SearchMode } from "../../lib/mode";
 import { appsSearchGroup } from "./apps-search-group";
 import { boardsSearchGroup } from "./boards-search-group";
@@ -6,5 +9,14 @@ import { integrationsSearchGroup } from "./integrations-search-group";
 export const appIntegrationBoardMode = {
  modeKey: "appIntegrationBoard",
  character: "#",
-  groups: [appsSearchGroup, integrationsSearchGroup, boardsSearchGroup],
+  useGroups() {
+    const { data: session } = useSession();
+    const groups: SearchGroup[] = [boardsSearchGroup];
+
+    if (!session?.user) {
+      return groups;
+    }
+
+    return groups.concat([appsSearchGroup, integrationsSearchGroup]);
+  },
 } satisfies SearchMode;
--- a/packages/spotlight/src/modes/command/index.tsx
+++ b/packages/spotlight/src/modes/command/index.tsx
@@ -1,11 +1,11 @@
 import { Group, Text, useMantineColorScheme } from "@mantine/core";
 import {
+  IconBox,
  IconCategoryPlus,
  IconFileImport,
  IconLanguage,
  IconMailForward,
  IconMoon,
-  IconPackage,
  IconPlug,
  IconSun,
  IconUserPlus,
@@ -113,9 +113,10 @@ export const commandMode = {
          },
          {
            commandKey: "newApp",
-            icon: IconPackage,
+            icon: IconBox,
            name: tOption("newApp.label"),
            useInteraction: interaction.link(() => ({ href: "/manage/apps/new" })),
+            hidden: !session?.user.permissions.includes("app-create"),
          },
          {
            commandKey: "newIntegration",
--- a/packages/spotlight/src/modes/index.tsx
+++ b/packages/spotlight/src/modes/index.tsx
@@ -1,6 +1,7 @@
 import { Group, Kbd, Text } from "@mantine/core";
 import { IconBook2, IconBrandDiscord, IconBrandGithub } from "@tabler/icons-react";

+import { useSession } from "@homarr/auth/client";
 import { createDocumentationLink } from "@homarr/definitions";
 import { useScopedI18n } from "@homarr/translation/client";

@@ -18,58 +19,67 @@ const searchModesWithoutHelp = [userGroupMode, appIntegrationBoardMode, external
 const helpMode = {
  modeKey: "help",
  character: "?",
-  groups: [
-    createGroup({
-      keyPath: "character",
-      title: (t) => t("search.mode.help.group.mode.title"),
-      options: searchModesWithoutHelp.map(({ character, modeKey }) => ({ character, modeKey })),
-      Component: ({ modeKey, character }) => {
-        const t = useScopedI18n(`search.mode.${modeKey}`);
+  useGroups() {
+    const { data: session } = useSession();
+    const visibleSearchModes: SearchMode[] = [appIntegrationBoardMode, externalMode, commandMode, pageMode];

-        return (
-          <Group px="md" py="xs" w="100%" wrap="nowrap" align="center" justify="space-between">
-            <Text>{t("help")}</Text>
-            <Kbd size="sm">{character}</Kbd>
+    if (session?.user.permissions.includes("admin")) {
+      visibleSearchModes.unshift(userGroupMode);
+    }
+
+    return [
+      createGroup({
+        keyPath: "character",
+        title: (t) => t("search.mode.help.group.mode.title"),
+        options: visibleSearchModes.map(({ character, modeKey }) => ({ character, modeKey })),
+        Component: ({ modeKey, character }) => {
+          const t = useScopedI18n(`search.mode.${modeKey}`);
+
+          return (
+            <Group px="md" py="xs" w="100%" wrap="nowrap" align="center" justify="space-between">
+              <Text>{t("help")}</Text>
+              <Kbd size="sm">{character}</Kbd>
+            </Group>
+          );
+        },
+        filter: () => true,
+        useInteraction: interaction.mode(({ modeKey }) => ({ mode: modeKey })),
+      }),
+      createGroup({
+        keyPath: "href",
+        title: (t) => t("search.mode.help.group.help.title"),
+        useOptions() {
+          const t = useScopedI18n("search.mode.help.group.help.option");
+
+          return [
+            {
+              label: t("documentation.label"),
+              icon: IconBook2,
+              href: createDocumentationLink("/docs/getting-started"),
+            },
+            {
+              label: t("submitIssue.label"),
+              icon: IconBrandGithub,
+              href: "https://github.com/ajnart/homarr/issues/new/choose",
+            },
+            {
+              label: t("discord.label"),
+              icon: IconBrandDiscord,
+              href: "https://discord.com/invite/aCsmEV5RgA",
+            },
+          ];
+        },
+        Component: (props) => (
+          <Group px="md" py="xs" w="100%" wrap="nowrap" align="center">
+            <props.icon />
+            <Text>{props.label}</Text>
          </Group>
-        );
-      },
-      filter: () => true,
-      useInteraction: interaction.mode(({ modeKey }) => ({ mode: modeKey })),
-    }),
-    createGroup({
-      keyPath: "href",
-      title: (t) => t("search.mode.help.group.help.title"),
-      useOptions() {
-        const t = useScopedI18n("search.mode.help.group.help.option");
-
-        return [
-          {
-            label: t("documentation.label"),
-            icon: IconBook2,
-            href: createDocumentationLink("/docs/getting-started"),
-          },
-          {
-            label: t("submitIssue.label"),
-            icon: IconBrandGithub,
-            href: "https://github.com/ajnart/homarr/issues/new/choose",
-          },
-          {
-            label: t("discord.label"),
-            icon: IconBrandDiscord,
-            href: "https://discord.com/invite/aCsmEV5RgA",
-          },
-        ];
-      },
-      Component: (props) => (
-        <Group px="md" py="xs" w="100%" wrap="nowrap" align="center">
-          <props.icon />
-          <Text>{props.label}</Text>
-        </Group>
-      ),
-      filter: () => true,
-      useInteraction: interaction.link(({ href }) => ({ href, newTab: true })),
-    }),
-  ],
+        ),
+        filter: () => true,
+        useInteraction: interaction.link(({ href }) => ({ href, newTab: true })),
+      }),
+    ];
+  },
 } satisfies SearchMode;

 export const searchModes = [...searchModesWithoutHelp, helpMode] as const;
--- a/packages/spotlight/src/modes/page/pages-search-group.tsx
+++ b/packages/spotlight/src/modes/page/pages-search-group.tsx
@@ -130,7 +130,7 @@ export const pagesSearchGroup = createGroup<{
        icon: IconLogs,
        path: "/manage/tools/logs",
        name: t("manageLog.label"),
-        hidden: !session?.user.permissions.includes("admin"),
+        hidden: !session?.user.permissions.includes("other-view-logs"),
      },
      {
        icon: IconReport,
--- a/packages/translation/src/lang/en.json
+++ b/packages/translation/src/lang/en.json
@@ -196,6 +196,27 @@
          }
        }
      },
+      "app": {
+        "title": "Apps",
+        "item": {
+          "create": {
+            "label": "Create apps",
+            "description": "Allow members to create apps"
+          },
+          "use-all": {
+            "label": "Use all apps",
+            "description": "Allow members to add any apps to their boards"
+          },
+          "modify-all": {
+            "label": "Modify all apps",
+            "description": "Allow members to modify all apps"
+          },
+          "full-all": {
+            "label": "Full app access",
+            "description": "Allow members to manage, use and delete any app"
+          }
+        }
+      },
      "board": {
        "title": "Boards",
        "item": {
@@ -237,6 +258,49 @@
            "description": "Allow members to manage, use and interact with any integration"
          }
        }
+      },
+      "media": {
+        "title": "Medias",
+        "item": {
+          "upload": {
+            "label": "Upload medias",
+            "description": "Allow members to upload medias"
+          },
+          "view-all": {
+            "label": "View all medias",
+            "description": "Allow members to view all medias"
+          },
+          "full-all": {
+            "label": "Full media access",
+            "description": "Allow members to manage and delete any media"
+          }
+        }
+      },
+      "other": {
+        "title": "Other",
+        "item": {
+          "view-logs": {
+            "label": "View logs",
+            "description": "Allow members to view logs"
+          }
+        }
+      },
+      "search-engine": {
+        "title": "Search engines",
+        "item": {
+          "create": {
+            "label": "Create search engines",
+            "description": "Allow members to create search engines"
+          },
+          "modify-all": {
+            "label": "Modify all search engines",
+            "description": "Allow members to modify all search engines"
+          },
+          "full-all": {
+            "label": "Full search engine access",
+            "description": "Allow members to manage and delete any search engine"
+          }
+        }
      }
    },
    "memberNotice": {