
fix: guard project and org admin routes against direct URL access #9311

Merged

royendo merged 1 commit into main from royendo/fix-editor-visit-status-page on May 1, 2026

Conversation


@royendo royendo commented Apr 27, 2026

  • Add redirect guards on /-/status/*, /-/settings/*, and /[organization]/-/settings/* so users without the required permissions are redirected to a page they can access, rather than rendering a broken page or hitting 403s.
  • Status and project settings gate on manageProject; org settings gates on manageOrg. These match the existing nav-tab visibility, so URL-paste behaves the same as clicking a hidden tab.
  • Frontend guards are UX, not security — the backend already enforces these permissions on every relevant endpoint. This change just stops users from landing on a page that would 403 every API call.

Checklist:

  • Covered by tests
  • Ran it and it works as intended
  • Reviewed the diff before requesting a review
  • Checked for unhandled edge cases
  • Linked the issues it closes
  • Checked if the docs need to be updated. If so, create a separate Linear DOCS issue
  • Intend to cherry-pick into the release branch
  • I'm proud of this work!

Developed in collaboration with Claude Code

Adds redirect guards to /-/status, /-/settings, and /[organization]/-/settings
so users without the required permissions are redirected to a page they can
access, instead of rendering a broken page or hitting 403s on each underlying
API call. Matches the existing nav-tab visibility rules.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@royendo royendo requested a review from a team as a code owner April 27, 2026 20:59
@royendo royendo requested a review from AdityaHegde April 30, 2026 15:48
@royendo royendo merged commit 25b01d9 into main May 1, 2026
15 checks passed
@royendo royendo deleted the royendo/fix-editor-visit-status-page branch May 1, 2026 14:27
royendo added a commit that referenced this pull request May 1, 2026
`status/+layout.ts` (added in #9311) gates direct-URL access on
`manageProject`, which would block editors who can now see the Status
tab. Loosen the gate to `readProdStatus` to match the nav.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
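The layout guard that the description and the follow-up commit describe, as an added example that is not the project's own code: a framework-agnostic TypeScript model in which `guardRoute`, the `Permissions` shape, the `/[organization]/[project]/-/...` route layout and the redirect targets are assumptions made for illustration. The optional `statusGate` parameter lets the same function reproduce both the original `manageProject` gate (which locked editors out of Status) and the loosened `readProdStatus` gate from the follow-up commit.

```typescript
// Added example, not the project's code: route shapes, Permissions fields and
// redirect targets are assumptions; the gate-per-route mapping follows the PR.
interface Permissions {
  manageOrg: boolean;
  manageProject: boolean;
  readProdStatus: boolean;
}

type GuardResult =
  | { kind: "allow" }
  | { kind: "redirect"; to: string; missing: keyof Permissions };

const allow: GuardResult = { kind: "allow" };
const redirect = (to: string, missing: keyof Permissions): GuardResult =>
  ({ kind: "redirect", to, missing });

// Decide whether a direct URL visit may render, or where to send the user instead.
// `statusGate` defaults to the follow-up commit's loosened gate; passing
// "manageProject" reproduces the original gate that locked editors out.
// UX only: the backend must still enforce the same permissions on every API call.
function guardRoute(
  pathname: string,
  perms: Permissions,
  statusGate: keyof Permissions = "readProdStatus",
): GuardResult {
  const seg = pathname.split("/").filter(Boolean);
  // /[organization]/-/settings/* is the org admin area, gated on manageOrg.
  if (seg.length >= 3 && seg[1] === "-" && seg[2] === "settings") {
    return perms.manageOrg ? allow : redirect(`/${seg[0]}`, "manageOrg");
  }
  // /[organization]/[project]/-/status/* and /-/settings/* are project admin
  // areas (assumed shape; the PR lists them relative to the project root).
  if (seg.length >= 4 && seg[2] === "-") {
    const projectHome = `/${seg[0]}/${seg[1]}`;
    if (seg[3] === "status") {
      return perms[statusGate] ? allow : redirect(projectHome, statusGate);
    }
    if (seg[3] === "settings") {
      return perms.manageProject ? allow : redirect(projectHome, "manageProject");
    }
  }
  return allow; // everything else is not gated by these layouts
}
```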