team-add-users: add app-authorized guards #2758
Conversation
bcmdarroch
added
auth-team
| if (this.usersNotFiltered().length === 0) { | ||
| return ''; | ||
| } else if (this.addingUsers) { | ||
| if (this.addingUsers) { |
There was a problem hiding this comment.
this was a bonus fix. I noticed in the case of if (this.usersNotFiltered().length === 0), the Add Users button just became a shortened blank button which looked off to me. So now when there are no users left to add you'll see a disabled Add Users button
There was a problem hiding this comment.
oh was ur chef-ui-library up to date? those buttons should be totally hidden if there are no more users left to add.
There was a problem hiding this comment.
@susanev is correct; this change should not be needed.
There was a problem hiding this comment.
oh good catch thanks!
| </div> | ||
| <div id="table-container" *ngIf="usersNotFiltered()?.length > 0"> | ||
| <div id="table-controls"> | ||
| <app-authorized [anyOf]="['/iam/v2/teams/{id}/users:add', 'post', team?.id]"> | ||
| <app-authorized [allOf]="['/iam/v2/users', 'post']"> |
There was a problem hiding this comment.
While I agree that having the users permission there is good, I would suggest also include the original teams users:add as well, because that is not being checked prior to getting here. (It should be, but that looks like a bit larger can of worms to fix that.)
There was a problem hiding this comment.
I switched it because the app-authorized is only hiding the Create User button.
Started looking into how we could start guarding the Add Users buttons on the team-details page and realized it would take some refactoring of the app-user-table. I'll make an issue for that fix.
| if (this.usersNotFiltered().length === 0) { | ||
| return ''; | ||
| } else if (this.addingUsers) { | ||
| if (this.addingUsers) { |
There was a problem hiding this comment.
@susanev is correct; this change should not be needed.
to create user buttons Signed-off-by: Brenna Hewer-Darroch <brenna@chef.io>
bcmdarroch
force-pushed
the
bhd/quick-add-users-fix
branch
from
334d1b3
to
e3e1a72
Compare
🔩 Description: What code changed, and why?
Fixes a tiny issue I noticed while acceptance testing. As a project owner, I'm allowed to add users to teams in my project. However, I can't create users. On the team-add-users modal, once all users are added to a team, we show a button to create new users. But as a project owner, I get a 403 error when I try to create a user because I don't have permission to.
This PR adds an app-authorized guard to the
Create Userbuttons on the team-add-users modal so a project owner (or any user without create user permissions) can't see them.It also slightly changes the message the non-permissioned user will see.
👍 Definition of Done
Create Userbutton of the team-add-users modal👟 How to Build and Test the Change
<project name> Project Ownerspolicy✅ Checklist