To clarify a few things:
- You do not *need* the WebDashboardUrl - as per comment in the config it's only if the webserver is not available through its public IP (e.g. because you have it firewalled and behind a reverse proxy, which is actually recommended)
- For the map to work at all it needs to be enabled in the serverconfig
- No need to restart the server for permission changes to apply (no matter if done manually in the file or through console commands)
- The default permissions allow users with permission level 0 full access to everything, other users (no matter if logged in or not) will not be able to do anything
- You should not touch the "webapi.map" permission. This is about the *API* providing the frontend information about the map setup, it's not the map
- If you want users with permission level > 0 see the map you need to change the permission level of the module "web.map". Either 2000 so it becomes visible even to users not logged in to the dashboard at all, 1000 so it becomes visible to those logged in only or any other value so it's only visible to those with that permission level (and above).
- The console API does not have to be protected any further, the actual console commands define who can access what
- If you do not *want* the console to show at all though you can set "webapi.command" method GET to level 0 (or 1000 if you want it to be available to all logged in users only). Currently this permission also controls the visibility of the settings page.
- "Mods" menu entry is controlled by "webapi.mods" method GET.