Conversation
What was broken Work Manager users with global Copilot, Project Manager, or Talent Manager access could open a project users URL directly and still get member-management controls for a project they could not manage. Root cause (if identifiable) The users page enabled add, invite, remove, and role-edit controls from global Work Manager role flags instead of requiring manage access to the loaded project. What was changed The users page now derives member-management permission from the existing project management access helper for the loaded project. The same permission guards the header actions, editable member cards, and add/invite modal rendering. Any added/updated tests Added a UsersManagementPage regression test that verifies a global Project Manager who cannot manage the loaded project does not see add, invite, or edit controls. Validation note The focused UsersManagementPage test, lint, and build pass. The full test command still fails in an unrelated wallet-admin PaymentView spec that also fails when run by itself.
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What was broken
Work Manager users with global Copilot, Project Manager, or Talent Manager access could open a project users URL directly and still get member-management controls for a project they could not manage.
Root cause (if identifiable)
The users page enabled add, invite, remove, and role-edit controls from global Work Manager role flags instead of requiring manage access to the loaded project.
What was changed
The users page now derives member-management permission from the existing project management access helper for the loaded project. The same permission guards the header actions, editable member cards, and add/invite modal rendering.
Any added/updated tests
Added a UsersManagementPage regression test that verifies a global Project Manager who cannot manage the loaded project does not see add, invite, or edit controls.
Validation:
yarn test:no-watch --runTestsByPath src/apps/work/src/pages/users/UsersManagementPage/UsersManagementPage.spec.tsxpassed.yarn lintpassed.yarn run buildpassed with existing warnings.yarn test:no-watchstill fails insrc/apps/wallet-admin/src/lib/components/payment-view/PaymentView.spec.tsx, and that spec also fails when run by itself. The failure expects a challenge URL but receives a project URL, outside the PM-4973 users-page change.