fix(permissions): hide non-actionable UI + fix viewer route access

1. /executive-dashboard: add 'viewer' to ProtectedRoute roles — sidebar showed the link to viewers but the route redirected them to /dashboard. 2. /comparison: same fix — viewer was in sidebar roles but not in route. 3. /techniques/review-queue: add ProtectedRoute (leads+admin) — the page had no route-level protection, any authenticated user could access it. 4. TechniqueDetailPage review banner: hide from users who can't act on it. Previously shown to everyone with a 'Leads only' badge; now only shown to canReview users (admin/red_lead/blue_lead). Non-leads don't need to see alerts about changes they cannot acknowledge.
2026-05-29 15:25:36 +02:00
parent 857c793f31
commit 6f1f09d74d
2 changed files with 16 additions and 14 deletions
@@ -53,13 +53,20 @@ export default function App() {
        <Route path="/techniques/:mitreId" element={<Suspense fallback={<LoadingSpinner text="Loading…" />}><TechniqueDetailPage /></Suspense>} />

        <Route path="/matrix" element={<Suspense fallback={<LoadingSpinner text="Loading…" />}><MatrixPage /></Suspense>} />
-        <Route path="/techniques/review-queue" element={<Suspense fallback={<LoadingSpinner text="Loading…" />}><ReviewQueuePage /></Suspense>} />
+        <Route
+          path="/techniques/review-queue"
+          element={
+            <ProtectedRoute roles={["admin", "red_lead", "blue_lead"]}>
+              <Suspense fallback={<LoadingSpinner text="Loading…" />}><ReviewQueuePage /></Suspense>
+            </ProtectedRoute>
+          }
+        />

-        {/* ── Executive Dashboard (leads + admin) ──────────────── */}
+        {/* ── Executive Dashboard (leads + admin + viewer) ──────── */}
        <Route
          path="/executive-dashboard"
          element={
-            <ProtectedRoute roles={["admin", "red_lead", "blue_lead"]}>
+            <ProtectedRoute roles={["admin", "red_lead", "blue_lead", "viewer"]}>
              <Suspense fallback={<LoadingSpinner text="Loading…" />}><ExecutiveDashboardPage /></Suspense>
            </ProtectedRoute>
          }
@@ -84,11 +91,11 @@ export default function App() {
        {/* ── Compliance ───────────────────────────────────────── */}
        <Route path="/compliance" element={<Suspense fallback={<LoadingSpinner text="Loading…" />}><CompliancePage /></Suspense>} />

-        {/* ── Comparison (leads + admin) ───────────────────────── */}
+        {/* ── Comparison (leads + admin + viewer) ──────────────── */}
        <Route
          path="/comparison"
          element={
-            <ProtectedRoute roles={["admin", "red_lead", "blue_lead"]}>
+            <ProtectedRoute roles={["admin", "red_lead", "blue_lead", "viewer"]}>
              <Suspense fallback={<LoadingSpinner text="Loading…" />}><ComparisonPage /></Suspense>
            </ProtectedRoute>
          }