fix: allow users with a systemRole.grant = true to update user roles#2515
fix: allow users with a systemRole.grant = true to update user roles#2515finnar-bin wants to merge 5 commits into
Conversation
…es-with-admin-base-roles
Review SummaryThe rename from Correctness
Scope / consistency
Other
Nothing blocking — happy to see this go in once the optional-chaining and (ideally) the shared-helper question are addressed. |
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: Nar -- <28705606+finnar-bin@users.noreply.github.com>
Review summaryBlocking
Non-blocking, but worth considering
Looks good
|
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: Nar -- <28705606+finnar-bin@users.noreply.github.com>
Review SummaryNice, focused fix — switching from a hard-coded Scope inconsistency across the appThe same A medium-term cleanup might be to replace Backward compatibilityWorth confirming with the API that the seeded Minor inline notes
SecurityNo new auth surface introduced — the client is just deciding what UI affordances to show; the API still enforces. That said, please double-check that the backend authorizes |
…es-with-admin-base-roles
| const canUpdateUsers = React.useMemo(() => { | ||
| if (!userInfo || !instanceUserWithRoles?.length) { | ||
| return false; | ||
| } | ||
|
|
||
| const updateUsersPermission = instanceUserWithRoles.find( | ||
| (user) => user.ZUID === userInfo.ZUID, | ||
| )?.role?.systemRole?.grant; | ||
|
|
||
| return updateUsersPermission || userInfo.staff; | ||
| }, [instanceUserWithRoles, userInfo]); |
There was a problem hiding this comment.
Two small issues with this memoized value:
-
The return can be
undefinedinstead offalse. IfupdateUsersPermissionisundefined(user not found ininstanceUserWithRoles, or nosystemRole) anduserInfo.staffis alsoundefined, the expressionundefined || undefinedreturnsundefined. It coerces to falsy in JSX but it's safer to return a strict boolean so downstream?:/equality checks behave predictably:return Boolean(updateUsersPermission || userInfo.staff);
-
The name
canUpdateUsersis a bit narrow — this same flag also gates the Delete User action (Users.js:194) and the entire popover menu choice (Users.js:211). ConsidercanManageUsersto better reflect the scope, or align with the underlying permission name (grant).
| data, | ||
| instanceRoles, | ||
| // isOwner, | ||
| // canUpdateUsers, |
There was a problem hiding this comment.
This commented-out destructure can be removed. The parent passes canUpdateUsers={canUpdateUsers} to PendingTable (line 363) but the component never reads it — the prop is unused on both ends. Either destructure and use it (e.g. gate the "Cancel Invite" action below at line 436 the same way Delete User is gated), or drop the prop pass-through entirely. Leaving a stale comment and dead prop is misleading for future readers.
Review summaryNice, focused fix — replacing the hard-coded A few things to consider: Same bug class exists in sibling pagesThe legacy
A user with a custom role that has Permission semanticsThe new check uses Test coveragePer the PR description this is manual-test only. Given this is a permissions check, a small unit test around the Inline comments left on specific lines for the smaller nits. |
| }; | ||
|
|
||
| const role = isOwner | ||
| const role = canUpdateUsers |
There was a problem hiding this comment.
Heads-up on a residual gap: RoleSwitcher (lines 34–48, above) still gates editability by hard-coded role name (case 'Owner'). After this PR, a custom role with systemRole.grant = true will see the editable dropdown for every user — including users whose role is named "Owner" — and could attempt to demote them. Whether the API rejects that or not, the UI behavior should probably match the new permission model (e.g. also block edits where the target row's role.systemRole.name === 'Owner' or role.systemRole.super is true). Not blocking for this PR, but worth a follow-up.
Description
Allows users with a systemRole.grant = true to update user roles. Originally it only allows users with a role name of Admin or Owner which makes it not flexible and doesn't take into consideration created custom roles.
Fixes #2514
Type of change
How Has This Been Tested?
Screenshots / Screen recording
Screencast_20251111_100718.webm