kitos/Aegis
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix(permissions): hide action buttons for unauthorized roles
Some checks failed
Aegis CI / lint-and-test (push) Has been cancelled
Details

Browse Source 
TestCatalogPage: 'Use Template' button had no role check — any user
(including viewer/blue_tech/red_tech) could see and click it, which
would fail at the backend (POST /tests/from-template requires
red_lead|blue_lead). Added canUseTemplate check; button hidden for
viewer, blue_tech, red_tech.

TechniqueDetailPage: 'Run This Test' / 'Re-run' buttons in the
Available Templates section also had no role check. Added canRunTemplate
(same criteria: admin|red_lead|blue_lead). The 'View test' button for
active tests remains visible to everyone (read-only navigation).

Principle: if a user cannot perform the action, the button does not
appear — no permission error messages, just absence of the control.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
kitos
2026-05-29 15:47:08 +02:00
parent f590a00006
commit 07c6164ceb
2 changed files with 27 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
frontend/src/pages/TechniqueDetailPage.tsx
View File

@@ -158,6 +158,10 @@ export default function TechniqueDetailPage() {
const canReview =
user?.role === "admin" || user?.role === "red_lead" || user?.role === "blue_lead";
// Same roles that can create tests (mirrors backend POST /tests/from-template)
const canRunTemplate =
user?.role === "admin" || user?.role === "red_lead" || user?.role === "blue_lead";
const {
data: technique,
isLoading,
@@ -584,7 +588,7 @@ export default function TechniqueDetailPage() {
<ExternalLink className="h-3.5 w-3.5" />
View test
</button>
) : (
) : canRunTemplate ? (
<button
onClick={() => setTemplateFormId(tpl.id)}
className={`flex items-center gap-1 rounded-lg border px-3 py-1.5 text-xs font-medium transition-colors ${
@@ -596,7 +600,7 @@ export default function TechniqueDetailPage() {
<FlaskConical className="h-3.5 w-3.5" />
{needsReRun ? "Run This Test" : latestValidated ? "Re-run" : "Run This Test"}
</button>
)}
) : null}
</div>
</div>
);