Hide the Delete User button for users who don't have access to do it #6660

Closed
AshrafMd-1 opened this issue Nov 17, 2023 · 4 comments · Fixed by #6663
Labels: good first issue (Good for newcomers)

Comments

@AshrafMd-1 (Contributor)

Describe the bug
Currently, district admins and above are shown a Delete User button in View Users under Facilities, even though they don't have permission to delete the user.

To Reproduce
Steps to reproduce the behavior:

  1. Go to Facility
  2. Click on Manage facilities
  3. Click on View users
  4. See error

Expected behavior
Hide the Delete User button for users who don't have permission to do it.

Screenshots
[four screenshots attached in the original issue]


@rithviknishad rithviknishad added the good first issue Good for newcomers label Nov 17, 2023
@ayush-seth (Contributor)

This is the function that controls the visibility of the delete button:

  // USER_TYPES is ordered by privilege, so the index of a type is its level.
  const showDelete = (user: any) => {
    const STATE_ADMIN_LEVEL = USER_TYPES.indexOf("StateAdmin");
    const STATE_READ_ONLY_ADMIN_LEVEL =
      USER_TYPES.indexOf("StateReadOnlyAdmin");
    const DISTRICT_ADMIN_LEVEL = USER_TYPES.indexOf("DistrictAdmin");
    const level = USER_TYPES.indexOf(user.user_type); // level of the listed user
    const currentUserLevel = USER_TYPES.indexOf(authUser.user_type); // level of the viewer

    if (user.is_superuser) return true;

    // State admins: show only for users in the viewer's own state.
    if (currentUserLevel >= STATE_ADMIN_LEVEL)
      return user.state_object?.id === authUser.state;

    // District admins (below state read-only): show only for lower-level users
    // in a facility of the viewer's own district.
    if (
      currentUserLevel < STATE_READ_ONLY_ADMIN_LEVEL &&
      currentUserLevel >= DISTRICT_ADMIN_LEVEL &&
      currentUserLevel > level
    )
      return facilityData?.district_object_id === authUser.district;

    return false;
  };

Reproducing the issue, I can see that the delete button is visible because the 3rd if condition evaluates to true, since currentUserLevel > level, which implies that the authUser should be able to delete the user, and they also belong to the same district. This makes me think something is wrong on the backend here, since the logic for showing the button seems to be right. How can I find out why exactly the backend API is failing?

@rithviknishad (Member)

@ayush-seth coronasafe/care@0cbff7c has changed the restriction to something much simpler: only "StateAdmin" users can delete other users.

@rithviknishad (Member)

This change was not reflected in the front-end. Hence the issue.
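The mismatch this thread describes, as an added example (not care_fe's own code): the old front-end rule posted above, a server-side check expressing the simplified backend rule "only StateAdmin deletes", and a front-end rule that mirrors it, all run over the same constructed scenarios. The USER_TYPES ordering, the data shapes and the scenario data are assumptions modelled on the posted function, not the project's real constants; the point is that the visibility check is only a UX hint and the backend rule is the control that must be mirrored.

```typescript
// Added example, not care_fe code. Ordering assumption: USER_TYPES is sorted by
// privilege so that index == level, as the posted showDelete relies on.
type UserType = "Staff" | "DistrictAdmin" | "StateReadOnlyAdmin" | "StateAdmin";
const USER_TYPES: UserType[] = ["Staff", "DistrictAdmin", "StateReadOnlyAdmin", "StateAdmin"];

interface AuthUser { user_type: UserType; state: number; district: number; }
interface ListedUser { user_type: UserType; is_superuser: boolean; state_object?: { id: number }; }
interface FacilityData { district_object_id: number; }

// Old client-side rule, as posted in the thread (typed, behaviour unchanged).
function showDeleteOld(authUser: AuthUser, facilityData: FacilityData | undefined, user: ListedUser): boolean {
  const STATE_ADMIN_LEVEL = USER_TYPES.indexOf("StateAdmin");
  const STATE_READ_ONLY_ADMIN_LEVEL = USER_TYPES.indexOf("StateReadOnlyAdmin");
  const DISTRICT_ADMIN_LEVEL = USER_TYPES.indexOf("DistrictAdmin");
  const level = USER_TYPES.indexOf(user.user_type);
  const currentUserLevel = USER_TYPES.indexOf(authUser.user_type);
  if (user.is_superuser) return true;
  if (currentUserLevel >= STATE_ADMIN_LEVEL) return user.state_object?.id === authUser.state;
  if (currentUserLevel < STATE_READ_ONLY_ADMIN_LEVEL && currentUserLevel >= DISTRICT_ADMIN_LEVEL && currentUserLevel > level)
    return facilityData?.district_object_id === authUser.district;
  return false;
}

// The authoritative check: the rule the thread says the backend now enforces.
// Whatever the UI shows, this is what decides whether a DELETE request succeeds.
function backendMayDelete(authUser: AuthUser): boolean {
  return authUser.user_type === "StateAdmin";
}

// New client-side rule: mirror the backend rule exactly, so the button appears
// only when the API call would succeed. Any extra scoping the backend applies
// (for example same-state checks) would need to be mirrored here as well; this
// example uses only the rule stated in the thread.
function showDeleteNew(authUser: AuthUser): boolean {
  return backendMayDelete(authUser);
}

interface Scenario { label: string; authUser: AuthUser; facilityData: FacilityData; user: ListedUser; }

// Constructed sample data, not taken from the project.
const SCENARIOS: Scenario[] = [
  {
    label: "DistrictAdmin viewing Staff in own district",
    authUser: { user_type: "DistrictAdmin", state: 1, district: 10 },
    facilityData: { district_object_id: 10 },
    user: { user_type: "Staff", is_superuser: false, state_object: { id: 1 } },
  },
  {
    label: "StateAdmin viewing DistrictAdmin in own state",
    authUser: { user_type: "StateAdmin", state: 1, district: 10 },
    facilityData: { district_object_id: 10 },
    user: { user_type: "DistrictAdmin", is_superuser: false, state_object: { id: 1 } },
  },
  {
    label: "Staff viewing Staff",
    authUser: { user_type: "Staff", state: 1, district: 10 },
    facilityData: { district_object_id: 10 },
    user: { user_type: "Staff", is_superuser: false, state_object: { id: 1 } },
  },
];

// Labels of scenarios where a UI rule shows the button but the backend would refuse:
// every entry is a user who gets an error instead of a hidden button.
function uiBackendMismatches(rule: (s: Scenario) => boolean): string[] {
  return SCENARIOS.filter((s) => rule(s) && !backendMayDelete(s.authUser)).map((s) => s.label);
}

const OLD_RULE = (s: Scenario): boolean => showDeleteOld(s.authUser, s.facilityData, s.user);
const NEW_RULE = (s: Scenario): boolean => showDeleteNew(s.authUser);

console.log("old rule mismatches:", uiBackendMismatches(OLD_RULE));
console.log("new rule mismatches:", uiBackendMismatches(NEW_RULE));
```

Running this shows the old rule producing exactly the reported case (a DistrictAdmin in their own district sees the button and gets an API error) while the mirrored rule produces none. The useful check when the backend permission model changes is this kind of side-by-side run, not reading the front-end condition in isolation.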

@ayush-seth (Contributor)

Cool, I can take this up. Can you assign it to me? @rithviknishad
