Role-Enforced UI (RBAC Throughout Frontend) #74

Open
opened 2026-02-23 10:05:34 +00:00 by ottomata · 0 comments
Owner

Context

Auth middleware protects the API, but the UI must also cleanly reflect what each role can and cannot do — not just hide buttons, but prevent unauthorized actions at every level.

Tasks

  • Create src/components/RequireRole.tsx:
    <RequireRole role="operator">
      <Button>Run Now</Button>
    </RequireRole>
    // Renders null if current user's role is insufficient
    
  • Audit every interactive element across all pages and wrap with RequireRole:
    • Create/Edit/Delete Job → Operator/Admin
    • Run Now / Cancel Run → Operator/Admin
    • Manage Schedules → Operator/Admin
    • Manage Triggers → Operator/Admin
    • User Management → Admin
    • Watched Dirs → Admin
    • Audit Log → Admin
  • Navigation sidebar: hide menu items the user's role cannot access
  • API client: if a 403 is received, show a toast "You don't have permission to perform this action" (defense in depth)

Acceptance Criteria

  • Viewer sees no buttons that would mutate state
  • Operator sees no user management or admin config sections
  • Unauthorized API calls (403) surface a clear toast message
  • Role checks are centralized in RequireRole, not scattered as inline conditionals
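The policy layer that `RequireRole`, the sidebar and the API client would all consult, written here as an added example rather than code from this issue or repository. It assumes a strict ladder viewer < operator < admin, action and nav names of its own choosing, and that the React wrapper itself is a thin call to `requireRole` around its children.

```typescript
// Centralized role policy (added example). Assumed: roles form a strict
// ladder viewer < operator < admin and are lowercase strings from the session.
export type Role = "viewer" | "operator" | "admin";

const RANK: Record<Role, number> = { viewer: 0, operator: 1, admin: 2 };

// True when `current` meets or exceeds `required`. A missing, unknown or
// prototype-inherited name (e.g. "toString") never passes: fail closed.
export function roleSatisfies(current: string | null | undefined, required: Role): boolean {
  if (current === undefined || current === null) return false;
  if (!Object.prototype.hasOwnProperty.call(RANK, current)) return false;
  return RANK[current as Role] >= RANK[required];
}

// Minimum role per mutating action, taken from the issue's task list.
export type Action =
  | "job.create" | "job.edit" | "job.delete" | "run.now" | "run.cancel"
  | "schedules.manage" | "triggers.manage"
  | "users.manage" | "watched_dirs.manage" | "audit_log.view";

export const ACTION_MIN_ROLE: Record<Action, Role> = {
  "job.create": "operator", "job.edit": "operator", "job.delete": "operator",
  "run.now": "operator", "run.cancel": "operator",
  "schedules.manage": "operator", "triggers.manage": "operator",
  "users.manage": "admin", "watched_dirs.manage": "admin", "audit_log.view": "admin",
};

export function canPerform(current: string | null | undefined, action: Action): boolean {
  return roleSatisfies(current, ACTION_MIN_ROLE[action]);
}

// Framework-agnostic core of <RequireRole>: the child when allowed, null otherwise.
export function requireRole<T>(current: string | null | undefined, required: Role, child: T): T | null {
  return roleSatisfies(current, required) ? child : null;
}

// Sidebar entries with the minimum role that may see them (labels are assumed;
// the admin-only ones follow the issue, the viewer-level ones are illustrative).
export const NAV_ITEMS: ReadonlyArray<{ label: string; minRole: Role }> = [
  { label: "Jobs", minRole: "viewer" }, { label: "Runs", minRole: "viewer" },
  { label: "Schedules", minRole: "viewer" }, { label: "Users", minRole: "admin" },
  { label: "Watched Dirs", minRole: "admin" }, { label: "Audit Log", minRole: "admin" },
];

export function visibleNavItems(current: string | null | undefined): string[] {
  return NAV_ITEMS.filter((i) => roleSatisfies(current, i.minRole)).map((i) => i.label);
}

// Defense in depth in the API client: the server's 403 still surfaces even if
// some element escaped the RequireRole audit. Other statuses get no toast here.
export function toastForStatus(status: number): string | null {
  return status === 403 ? "You don't have permission to perform this action" : null;
}
```

Because every UI check routes through `roleSatisfies`, the acceptance criterion "centralized, not inline conditionals" reduces to forbidding any other comparison against role strings in the frontend.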
ottomata added this to the Phase 8 project 2026-02-23 10:09:19 +00:00
Reference
ottomata/acsm#74