Add access control checks for changing roles
zlwaterfield committed Dec 5, 2024
1 parent 7c1e2af commit 46718dd
Showing 2 changed files with 28 additions and 12 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -152,7 +152,7 @@ export function RolesAndResourceAccessControls({ noAccessControls }: RolesAndRes

function RoleDetails({ roleId }: { roleId: string }): JSX.Element | null {
const { user } = useValues(userLogic)
const { sortedMembers, roles } = useValues(roleBasedAccessControlLogic)
const { sortedMembers, roles, canEditRoleBasedAccessControls } = useValues(roleBasedAccessControlLogic)
const { addMembersToRole, removeMemberFromRole, setEditingRoleId } = useActions(roleBasedAccessControlLogic)
const [membersToAdd, setMembersToAdd] = useState<string[]>([])

Expand Down Expand Up @@ -185,6 +185,7 @@ function RoleDetails({ roleId }: { roleId: string }): JSX.Element | null {
value={membersToAdd}
onChange={(newValues: string[]) => setMembersToAdd(newValues)}
mode="multiple"
disabled={!canEditRoleBasedAccessControls}
options={usersLemonSelectOptions(
membersNotInRole.map((member) => member.user),
'uuid'
Expand All @@ -195,13 +196,23 @@ function RoleDetails({ roleId }: { roleId: string }): JSX.Element | null {
<LemonButton
type="primary"
onClick={onSubmit}
disabledReason={!onSubmit ? 'Please select members to add' : undefined}
disabledReason={
!canEditRoleBasedAccessControls
? 'You cannot edit this'
: !onSubmit
? 'Please select members to add'
: undefined
}
>
Add members
</LemonButton>
</div>
<div className="flex items-center gap-2">
<LemonButton type="secondary" onClick={() => setEditingRoleId(role.id)}>
<LemonButton
type="secondary"
onClick={() => setEditingRoleId(role.id)}
disabledReason={!canEditRoleBasedAccessControls ? 'You cannot edit this' : undefined}
>
Edit role
</LemonButton>
</div>
Expand Down Expand Up @@ -241,6 +252,9 @@ function RoleDetails({ roleId }: { roleId: string }): JSX.Element | null {
status="danger"
size="small"
type="tertiary"
disabledReason={
!canEditRoleBasedAccessControls ? 'You cannot edit this' : undefined
}
onClick={() => removeMemberFromRole(role, member.id)}
>
Remove
Expand All @@ -249,15 +263,6 @@ function RoleDetails({ roleId }: { roleId: string }): JSX.Element | null {
)
},
},
/* {isAdminOrOwner && deleteMember && (
<LemonButton
icon={<IconTrash />}
onClick={() => deleteMember(member.id)}
tooltip="Remove user from role"
type="tertiary"
size="small"
/>
)} */
]}
dataSource={role.members}
/>
Expand Down Expand Up @@ -289,6 +294,7 @@ function RoleModal(): JSX.Element {
<Form logic={roleBasedAccessControlLogic} formKey="editingRole" enableFormOnSubmit>
<LemonModal
isOpen={!!editingRoleId}
onClose={() => setEditingRoleId(null)}
title={!isEditing ? 'Create role' : `Edit role`}
footer={
<>
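Review bot: The `disabled={!canEditRoleBasedAccessControls}` and `disabledReason` props added in RoleDetails (the member select, "Add members", "Edit role" and the per-row "Remove" button) only grey out controls in the browser, so they are a usability hint rather than an access control. `addMembersToRole`, `removeMemberFromRole` and the `editingRole` form submit still end in API requests, and the role endpoints must reject callers without edit rights on their own. Both sections shown here are client-side code, so that server-side enforcement is presumably elsewhere and worth confirming with a test that a request from a non-privileged member is refused. The RoleModal hunk adds only `onClose`, and nothing in its visible lines gates the modal's save on `canEditRoleBasedAccessControls`, although the footer continues outside the hunk. As a style point, the literal `'You cannot edit this'` appears three times and could be a single constant such as `const CANNOT_EDIT_REASON = 'You cannot edit this'`.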
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,7 @@ export const roleBasedAccessControlLogic = kea<roleBasedAccessControlLogicType>(
},
},
],

roles: [
null as RoleType[] | null,
{
Expand Down Expand Up @@ -180,6 +181,7 @@ export const roleBasedAccessControlLogic = kea<roleBasedAccessControlLogicType>(
return roleBasedAccessControls?.default_access_level ?? null
},
],

defaultResourceAccessControls: [
(s) => [s.roleBasedAccessControls],
(roleBasedAccessControls): RoleWithResourceAccessControls => {
Expand All @@ -199,6 +201,7 @@ export const roleBasedAccessControlLogic = kea<roleBasedAccessControlLogicType>(
return { accessControlByResource }
},
],

rolesWithResourceAccessControls: [
(s) => [s.roles, s.roleBasedAccessControls, s.defaultResourceAccessControls],
(roles, roleBasedAccessControls, defaultResourceAccessControls): RoleWithResourceAccessControls[] => {
Expand Down Expand Up @@ -234,6 +237,13 @@ export const roleBasedAccessControlLogic = kea<roleBasedAccessControlLogicType>(
return ['feature_flag', 'dashboard', 'insight', 'notebook']
},
],

canEditRoleBasedAccessControls: [
(s) => [s.roleBasedAccessControls],
(roleBasedAccessControls): boolean | null => {
return roleBasedAccessControls?.user_can_edit_access_levels ?? null
},
],
}),
afterMount(({ actions, values }) => {
if (values.hasAvailableFeature(AvailableFeature.ROLE_BASED_ACCESS)) {
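Review bot: The new `canEditRoleBasedAccessControls` selector returns `null` both while `roleBasedAccessControls` is still unloaded and when the response carries no `user_can_edit_access_levels`, and the component only fails closed because `!null` happens to be truthy. Making the deny-by-default explicit with `(roleBasedAccessControls): boolean => roleBasedAccessControls?.user_can_edit_access_levels ?? false` would keep a later `=== false` comparison from reading "unknown" as "allowed". A short comment on the selector, for example `// UI hint only: the backend decides who may edit roles`, would tell the next reader that this flag is not the enforcement point. The enclosing selectors object starts outside the hunk, and the three blank-line additions earlier in the file are cosmetic.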
