fix: grant member role read access to knowledge resources #792
Add `knowledgeRead` UI permission subject and grant it to `member` and
`editor` roles so all non-disabled users can view knowledge resources
(documents, customers, products, vendors, websites).
Previously, the knowledge section was gated behind `knowledgeWrite`,
meaning members could see the nav item but got an access-denied page.
- Add `knowledgeRead` subject to `UiSubject` type
- Grant `can('read', 'knowledgeRead')` to editor and member roles
- Switch knowledge layout gate from `knowledgeWrite` to `knowledgeRead`
- Gate row actions (edit/delete) behind `knowledgeWrite` so read-only
users see no action column in knowledge tables
- Update access-denied message to be role-agnostic
- Add `ability.test.ts` with unit tests for the permission system
- Fix action column width (56px) across knowledge resource tables
Walkthrough
This PR implements permission-based access controls across multiple knowledge management features. It introduces a new
Estimated code review effort: 3 (Moderate), ~25 minutes
Pre-merge checks: 3 passed, 2 failed (2 warnings)
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In
`@services/platform/app/features/customers/components/customer-row-actions.tsx`:
- Around line 27-29: The canEdit early-return makes the per-action "visible:
canEdit" flags redundant; remove the visible properties from the edit and delete
action objects in customer-row-actions.tsx (the action entries that build the
edit and delete menu items) and rely on the existing early return that checks
canEdit before rendering EntityRowActions; keep the canEdit calculation and the
early return in place and only eliminate the duplicate visible: canEdit fields
to clean up the logic.
In `@services/platform/app/features/customers/components/customers-table.tsx`:
- Around line 189-210: The DataTable uses onRowClick (handleRowClick) to open
CustomerInfoDialog via setViewingCustomer, which prevents keyboard users from
opening rows; update the interaction so keyboard activation (Enter/Space)
triggers the same flow: either extend DataTable to accept an
onRowKeyDown/onRowAction prop and wire it to call handleRowClick (or
setViewingCustomer) for Enter/Space, or add an onKeyDown handler where DataTable
is used that listens for Enter/Space and calls handleRowClick(viewingRow) —
ensure the row elements are focusable (tabIndex=0) and keep CustomerInfoDialog
usage (viewingCustomer, onOpenChange) unchanged so both mouse click and keyboard
activation open the dialog.
In `@services/platform/app/features/products/components/product-row-actions.tsx`:
- Around line 66-67: The action menu is still visible to read-only users when
hasExternalLink is true because some visibility props use "canWrite ||
hasExternalLink"; update those visibility expressions (the visible prop
assignments referencing canWrite and hasExternalLink in product-row-actions.tsx)
to require canWrite unconditionally (e.g., visible: canWrite) so that if
canWrite is false the action column is hidden even when hasExternalLink is true;
locate every occurrence where visible uses a disjunction with hasExternalLink
and change it to only depend on canWrite.
📒 Files selected for processing (21)
- services/platform/app/components/ui/data-table/data-table-filters.tsx
- services/platform/app/features/customers/components/customer-row-actions.tsx
- services/platform/app/features/customers/components/customers-action-menu.tsx
- services/platform/app/features/customers/components/customers-table.tsx
- services/platform/app/features/customers/hooks/use-customers-table-config.tsx
- services/platform/app/features/documents/components/document-row-actions.tsx
- services/platform/app/features/documents/components/documents-action-menu.tsx
- services/platform/app/features/documents/components/rag-status-badge.tsx
- services/platform/app/features/documents/hooks/use-documents-table-config.tsx
- services/platform/app/features/products/components/product-row-actions.tsx
- services/platform/app/features/products/components/products-action-menu.tsx
- services/platform/app/features/products/components/products-table.tsx
- services/platform/app/features/products/hooks/use-products-table-config.tsx
- services/platform/app/features/vendors/components/vendor-row-actions.tsx
- services/platform/app/features/vendors/components/vendors-action-menu.tsx
- services/platform/app/features/vendors/components/vendors-table.tsx
- services/platform/app/features/vendors/hooks/use-vendors-table-config.tsx
- services/platform/app/routes/dashboard/$id/_knowledge.tsx
- services/platform/lib/permissions/ability.test.ts
- services/platform/lib/permissions/ability.ts
- services/platform/messages/en.json
Fixes #758
Summary
- `knowledgeRead` UI permission subject; grant it to `editor` and `member` roles so all non-disabled users can view knowledge resources
- `knowledgeWrite` to `knowledgeRead`
- `knowledgeWrite` — read-only users see no action column in knowledge tables
- `ability.test.ts` with unit tests for the permission system
Test plan
- `member` role user → knowledge section is accessible and readable
- `member` role user → no action column shown in knowledge tables
- `editor` role user → edit/delete actions appear for supported resources
- `disabled` user → access-denied message shown
- `bun run --filter @tale/platform test` → `ability.test.ts` passes
🤖 Generated with Claude Code
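The role rules and gates this PR describes, together with the `canWrite || hasExternalLink` predicate the review comment on `product-row-actions.tsx` flags, as an added TypeScript example that is not the project's code. Only the subject and role names and `canWrite`/`hasExternalLink` come from the page; the `RULES` table, the `'write'` action name and the helper functions are assumptions.

```typescript
// Added example. Subject and role names come from the PR text; the rule table,
// the 'write' action name and the helper functions are assumptions.
type Role = 'editor' | 'member' | 'disabled';
type UiSubject = 'knowledgeRead' | 'knowledgeWrite';
type Action = 'read' | 'write';
type Ability = { can(action: Action, subject: UiSubject): boolean };

// Deny by default: a role holds only the pairs listed for it.
const RULES: Record<Role, ReadonlyArray<readonly [Action, UiSubject]>> = {
  editor: [['read', 'knowledgeRead'], ['write', 'knowledgeWrite']],
  member: [['read', 'knowledgeRead']],
  disabled: [],
};

function defineAbilityFor(role: Role): Ability {
  const granted = new Set(RULES[role].map(([a, s]) => `${a}:${s}`));
  return { can: (action, subject) => granted.has(`${action}:${subject}`) };
}

// Layout gate for the knowledge section (knowledgeRead, not knowledgeWrite).
function canOpenKnowledge(ability: Ability): boolean {
  return ability.can('read', 'knowledgeRead');
}

// Visibility of the row-action column. 'disjunction' is the predicate the
// review flags; 'writeOnly' is the one it asks for.
function actionColumnVisible(
  ability: Ability,
  hasExternalLink: boolean,
  predicate: 'disjunction' | 'writeOnly',
): boolean {
  const canWrite = ability.can('write', 'knowledgeWrite');
  return predicate === 'disjunction' ? canWrite || hasExternalLink : canWrite;
}

// Role-by-role view of what the UI renders for a row that has an external link.
function uiMatrix(predicate: 'disjunction' | 'writeOnly') {
  const roles: Role[] = ['editor', 'member', 'disabled'];
  return roles.map((role) => {
    const ability = defineAbilityFor(role);
    const section = canOpenKnowledge(ability);
    // A user who cannot open the section never reaches the table.
    const column = section && actionColumnVisible(ability, true, predicate);
    return { role, section, column };
  });
}
```

Both checks decide only what the client renders; hiding the column does not by itself stop a write request, which has to be authorized where it is handled.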