Description
After updating to version 0.25.0, the following security issues were noticed:
- When trying to create custom access roles, we receive JS errors in AKHQ.
```
react-CMjgpN1I.js:40 TypeError: Cannot read properties of undefined (reading 'includes')
at Qf.render (index-Jmio8XBk.js:484:3275)
at jh (react-CMjgpN1I.js:40:6181)
at Qv (react-CMjgpN1I.js:40:5978)
at O1 (react-CMjgpN1I.js:40:44917)
at D1 (react-CMjgpN1I.js:40:39790)
at s (react-CMjgpN1I.js:40:39718)
at wc (react-CMjgpN1I.js:40:39570)
at qh (react-CMjgpN1I.js:40:35934)
at T1 (react-CMjgpN1I.js:40:34883)
at C (react-CMjgpN1I.js:25:1535)
Bh @ react-CMjgpN1I.js:40
react-CMjgpN1I.js:40 Uncaught TypeError: Cannot read properties of undefined (reading 'includes')
at Qf.render (index-Jmio8XBk.js:484:3275)
at jh (react-CMjgpN1I.js:40:6181)
at Qv (react-CMjgpN1I.js:40:5978)
at O1 (react-CMjgpN1I.js:40:44917)
at D1 (react-CMjgpN1I.js:40:39790)
at s_ (react-CMjgpN1I.js:40:39718)
at wc (react-CMjgpN1I.js:40:39570)
at qh (react-CMjgpN1I.js:40:35934)
at T1 (react-CMjgpN1I.js:40:34883)
at C (react-CMjgpN1I.js:25:1535)_
```
If I try to edit a role from https://github.com/tchiotludo/akhq/blob/master/application.example.yml

For example:

```yaml
roles:
  topic-read:
    - resources: [ "TOPIC", "TOPIC_DATA" ]
      actions: [ "READ" ]
    - resources: [ "TOPIC" ]
      actions: [ "READ_CONFIG" ]
```

If I delete TOPIC_DATA:

```yaml
roles:
  topic-read:
    - resources: [ "TOPIC" ]
      actions: [ "READ" ]
    - resources: [ "TOPIC" ]
      actions: [ "READ_CONFIG" ]
```

When a user has only ReadOnly access, we receive JS errors in AKHQ:
```
react-CMjgpN1I.js:40 TypeError: Cannot read properties of undefined (reading 'includes')
at Qf.render (index-Jmio8XBk.js:484:3275)
at jh (react-CMjgpN1I.js:40:6181)
at Qv (react-CMjgpN1I.js:40:5978)
at O1 (react-CMjgpN1I.js:40:44917)
at D1 (react-CMjgpN1I.js:40:39790)
at s (react-CMjgpN1I.js:40:39718)
at wc (react-CMjgpN1I.js:40:39570)
at qh (react-CMjgpN1I.js:40:35934)
at T1 (react-CMjgpN1I.js:40:34883)
at C (react-CMjgpN1I.js:25:1535)
Bh @ react-CMjgpN1I.js:40
react-CMjgpN1I.js:40 Uncaught TypeError: Cannot read properties of undefined (reading 'includes')
at Qf.render (index-Jmio8XBk.js:484:3275)
at jh (react-CMjgpN1I.js:40:6181)
at Qv (react-CMjgpN1I.js:40:5978)
at O1 (react-CMjgpN1I.js:40:44917)
at D1 (react-CMjgpN1I.js:40:39790)
at s_ (react-CMjgpN1I.js:40:39718)
at wc (react-CMjgpN1I.js:40:39570)
at qh (react-CMjgpN1I.js:40:35934)
at T1 (react-CMjgpN1I.js:40:34883)
at C (react-CMjgpN1I.js:25:1535)_
```
- If a user has different types of rights to different topics (ro and rw), then in the topics for which the type of rights is RO, the “Update config” buttons for the topic will appear for him.
- If the conditions from clause 2 are met (the user has different types of rights to different topics (ro and rw)) and the user also has ReadOnly access to consumer groups in AKHQ, the following buttons become available: Delete/Update offset.
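
The two symptoms reported above (a `TypeError` on `includes` when a resource has no entry, and write buttons shown on read-only topics) are both typical of a permission check that merges all of a user's bindings before testing an action. The following is an added example, not AKHQ's code and not a diagnosis of its bug; the binding shape, the topic names and the `ALTER_CONFIG` action name are assumptions made for the illustration.

```javascript
// Added example; not AKHQ code. Binding shape, topic names and the
// ALTER_CONFIG action name are assumptions made for this illustration.
// Constructed sample: one user, read-only on ro-*, read-write on rw-*.
const bindings = [
  { patterns: ['^ro-.*$'], roles: { TOPIC: ['READ', 'READ_CONFIG'] } },
  { patterns: ['^rw-.*$'], roles: { TOPIC: ['READ', 'READ_CONFIG', 'ALTER_CONFIG'] } },
];

// Fragile check: merges every binding into one map keyed by resource type.
function flattenedAllows(bindings, resource, action) {
  const flat = {};
  for (const b of bindings) {
    for (const [res, actions] of Object.entries(b.roles)) {
      flat[res] = (flat[res] || []).concat(actions);
    }
  }
  // Throws TypeError when the resource has no entry at all, and ignores
  // which topic is on screen, so rw-* rights leak onto ro-* topics.
  return flat[resource].includes(action);
}

// Hardened check: default deny, evaluated against the specific resource name.
function allows(bindings, resource, action, name) {
  return bindings.some((b) => {
    const actions = b.roles[resource];
    if (!Array.isArray(actions) || !actions.includes(action)) return false;
    return b.patterns.some((p) => new RegExp(p).test(name));
  });
}

function demo() {
  let threw = false;
  try {
    flattenedAllows(bindings, 'TOPIC_DATA', 'READ'); // resource missing from every role
  } catch (e) {
    threw = e instanceof TypeError;
  }
  return {
    flattenedThrowsOnMissingResource: threw,
    flattenedShowsAlterOnRoTopic: flattenedAllows(bindings, 'TOPIC', 'ALTER_CONFIG'),
    roTopicCanAlter: allows(bindings, 'TOPIC', 'ALTER_CONFIG', 'ro-orders'),
    rwTopicCanAlter: allows(bindings, 'TOPIC', 'ALTER_CONFIG', 'rw-orders'),
    missingResourceAllowed: allows(bindings, 'TOPIC_DATA', 'READ', 'ro-orders'),
  };
}
console.log(demo());
```

A check like this only decides which buttons are rendered; the server still has to authorize each request against the same per-resource rules.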