I'm setting up advanced perms (Argument based) and I have consulted my issue with gbalint on discord. He said that I have to have luckperms.user.promote & luckperms.user.promote.<track>.<rank> & luckperms.user.promote.modify.<others/self> but even when I have luckperms.user.promote.modify.others I can promote myself to max rank in track.

There is my verbose https://luckperms.github.io/verbose/?C7TnRrOvl5
There is console https://prnt.sc/j7yr0o

I noticed that editor don't last for ever.

I'm using Sponge LP v4.1.72

Edit: Version + Editor screens

The verbose link has expired :/

https://luckperms.github.io/verbose/?GK3y7E6NwD

Try negating luckperms.user.promote.modify.self - if that's what you want to do?

I don't really understand what the issue is

My problem is that i should not be able to promote others or self to higher group than mod on staff track
default -> vip -> mod -> admin -> owner
luckperms.user.promote.staff.mod should block my promote on higher ranks

I had to borrow login for another account to test if I can promote someone to higher rank than mod and I can. That's the security risk.
https://luckperms.github.io/verbose/?PNy8hiQy0G

Why is luckperms.user.promote.staff.admin & luckperms.user.promote.staff.owner true ? I did not specify that and if I remove luckperms.user.promote than I can't promote as expected and I have luckperms.user.promote.staff.admin undefined. What I tried to say with my weird image: Why mod get inherited permissions node.

I talked to gbalint and this setup works on spigot and bungeecord. Mod can't promote others to higher rank than mod.

And I tried luckperms.user.promote.modify.self set to false it's stop promote on myself. But it's same like luckperms.user.promote.staff.admin I did not specify that in first place. I can't block every single command with false state that I don't want to give them.

I don't want to be offensive against you. English is not my native language.

Firstly - thank you for the detailed description :) It's very appreciated.

Why is luckperms.user.promote.staff.admin & luckperms.user.promote.staff.owner true ?

This happens because of the way Sponge permissions work.

When you grant luckperms.user.promote - you also grant luckperms.user.promote.staff and luckperms.user.promote.staff.admin and luckperms.user.promote.staff.admin.something and so on.

You can either disable this feature here (be aware that doing so may break other plugins which rely on this behaviour - not recommended):

https://github.com/lucko/LuckPerms/blob/d73543408ed306c457247901187424e1deb82718/sponge/src/main/resources/luckperms.conf#L399-L407

Or simply negate the luckperms.user.promote.staff.admin permission for your group.

And just to clarify, by "negate" - I mean setting the permission to false.

That's why you're experiencing issues - it's not a bug though. ;)