fix(permissions): restore visibility controls in Flowise canvas for admin users #1052

Merged: diecoscai merged 3 commits into staging from fix/preserve-auth-fields on Apr 14, 2026

@diecoscai diecoscai commented Apr 14, 2026

Summary

  • Fix visibility controls for admin users in Flowise canvas — `usePermissions.js` was importing `useAuth0` from `@auth0/auth0-react`, a package with no `Auth0Provider` in the component tree, silently returning `undefined` user and disabling all visibility checkboxes for everyone
  • Harden the auth enrichment chain — restore Auth0 roles in `enrichSession` when the access token lacks the claim; preserve server-enriched fields in `PermissionProvider` so client-side Auth0 data cannot overwrite them
  • Clean up broken legacy entry point — remove dead `useAuth0` token management code from `App.jsx` (disabled Vite-only path, never reached in production)

Root Cause

The Flowise canvas (`packages/ui`) wraps its tree with `<UserProvider>` from `@auth0/nextjs-auth0/client` — not `<Auth0Provider>` from `@auth0/auth0-react`. Calling `useAuth0()` from the wrong package silently returns `{ user: undefined }` because no matching provider exists in the tree.

`createPermissionManager(undefined ?? {})` produces an empty permission set → `hasFeature('org:manage')` = false → `Organization` and `Browser Extension` visibility checkboxes permanently disabled for every user, including admins.

The correct source is `state.auth.user` from Redux, populated by `useAuth0Setup` after fetching `/auth/me` and dispatching `loginSuccess`. This object contains server-enriched `roles` and `permissions` and is backed by `localStorage` for instant availability on returning sessions.

This fix also covers agentflows — both canvases share the same `CanvasHeader` → `ChatflowConfigurationDialog` → `VisibilitySettings` → `usePermissions` path.

Changes

| File | Change |
| --- | --- |
| `packages/ui/src/hooks/usePermissions.js` | Replace `useAuth0()` from wrong package with `useSelector((state) => state.auth.user)` |
| `packages/ui/src/App.jsx` | Remove broken `useAuth0` import and dead token management `useEffect` from legacy Vite entry |
| `packages-answers/ui/src/PermissionProvider.tsx` | Preserve `roles`, `permissions`, `features`, `org_id`, `organizationId` from server — prevent client-side Auth0 data from overwriting them |
| `packages-answers/utils/src/auth/enrichSession.ts` | Restore Auth0 roles from ID token when Flowise access token lacks the `https://theanswer.ai/roles` claim |

Test plan

  • ESLint: `cd packages/ui && npx eslint src/hooks/usePermissions.js src/App.jsx` — no errors
  • Log in as Admin → open chatflow canvas → Configuration → Visibility tab → Organization and Browser Extension checkboxes are enabled
  • Select Organization, click Save → success toast appears, chatflow reloads with visibility persisted
  • Repeat on an agentflow canvas — same checkboxes enabled
  • Log in as Member role → verify Organization/Browser Extension checkboxes remain disabled (correct restriction)
  • Verify no regressions in credentials dialog, variables dialog (both use `usePermissions`)

🤖 Generated with Claude Code

useAuth0() from @auth0/auth0-react has no Auth0Provider in the Flowise
UI component tree — only UserProvider from @auth0/nextjs-auth0/client
is present. This caused useAuth0() to return undefined, making
createPermissionManager receive an empty object, which disabled all
visibility checkboxes for every user.

Fix: read from Redux state.auth.user, which is populated by useAuth0Setup
after /auth/me enrichment and contains the correct roles and permissions.
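
The field-preservation rule described for `PermissionProvider.tsx` above, as an added example that is not the project's code. The five field names come from the change table; the function names, the sample users, and the choice to drop a protected field the server did not send are assumptions.

```javascript
// Added example, not the project's code. Field names are from the PR's change
// table; function names and sample objects are hypothetical.
const SERVER_OWNED_FIELDS = ['roles', 'permissions', 'features', 'org_id', 'organizationId']

// Constructed sample data: what the server returned vs. what the client SDK holds.
const SAMPLE_SERVER_USER = {
    email: 'admin@example.com',
    roles: ['Admin'],
    permissions: ['org:manage'],
    org_id: 'org_constructed_1'
}
const SAMPLE_CLIENT_USER = {
    email: 'admin@example.com',
    name: 'Ada',
    roles: [],
    permissions: [],
    features: ['org:manage']
}

// Naive merge: the object spread last wins, so client profile data replaces
// the authorization fields the server computed.
function naiveMerge(serverUser, clientUser) {
    return { ...serverUser, ...clientUser }
}

// Hardened merge: client data may add or update profile fields, but every
// server-owned field is reset to the server's value afterwards. Assumption:
// a server-owned field the server did not send is dropped, not trusted.
function mergePreservingServerFields(serverUser, clientUser) {
    const merged = { ...(serverUser ?? {}), ...(clientUser ?? {}) }
    for (const field of SERVER_OWNED_FIELDS) {
        const fromServer = serverUser && Object.prototype.hasOwnProperty.call(serverUser, field)
        if (fromServer) merged[field] = serverUser[field]
        else delete merged[field]
    }
    return merged
}

// Lists the server-owned fields where the client copy disagrees, for logging.
function clientOverrides(serverUser, clientUser) {
    return SERVER_OWNED_FIELDS.filter(
        (f) => clientUser && f in clientUser &&
            JSON.stringify(clientUser[f]) !== JSON.stringify(serverUser?.[f])
    )
}
```

With the sample objects, the naive merge leaves the admin with an empty `roles` array, while the hardened merge keeps `['Admin']` and still picks up `name` from the client.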

@diecoscai diecoscai merged commit d7f4413 into staging Apr 14, 2026
3 of 7 checks passed
@diecoscai diecoscai deleted the fix/preserve-auth-fields branch April 14, 2026 18:19