From f590a00006df7313a7cd085055f970b9d33c4088 Mon Sep 17 00:00:00 2001
From: kitos
Date: Fri, 29 May 2026 15:25:36 +0200
Subject: [PATCH] fix(permissions): hide non-actionable UI + fix viewer route access
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1. /executive-dashboard: add 'viewer' to ProtectedRoute roles — sidebar showed the link to viewers but the route redirected them to /dashboard.
2. /comparison: same fix — viewer was in sidebar roles but not in route.
3. /techniques/review-queue: add ProtectedRoute (leads+admin) — the page had no route-level protection, any authenticated user could access it.
4. TechniqueDetailPage review banner: hide from users who can't act on it. Previously shown to everyone with a 'Leads only' badge; now only shown to canReview users (admin/red_lead/blue_lead). Non-leads don't need to see alerts about changes they cannot acknowledge.
Co-Authored-By: Claude Sonnet 4.6
---
 frontend/src/App.tsx | 17 ++++++++++++-----
 frontend/src/pages/TechniqueDetailPage.tsx | 13 ++++---------
 2 files changed, 16 insertions(+), 14 deletions(-)
diff --git a/frontend/src/App.tsx b/frontend/src/App.tsx
index b277095..af5ac4b 100644
--- a/frontend/src/App.tsx
+++ b/frontend/src/App.tsx
@@ -53,13 +53,20 @@ export default function App() {
 }>} /> }>} /> - }>} /> + + }> + + } + />
- {/* ── Executive Dashboard (leads + admin) ──────────────── */}
+ {/* ── Executive Dashboard (leads + admin + viewer) ──────── */}
+ }> }
@@ -84,11 +91,11 @@ export default function App() {
 {/* ── Compliance ───────────────────────────────────────── */}
 }>} />
- {/* ── Comparison (leads + admin) ───────────────────────── */}
+ {/* ── Comparison (leads + admin + viewer) ──────────────── */}
+ }> }
diff --git a/frontend/src/pages/TechniqueDetailPage.tsx b/frontend/src/pages/TechniqueDetailPage.tsx
index e72e2ee..c575fb3 100644
--- a/frontend/src/pages/TechniqueDetailPage.tsx
+++ b/frontend/src/pages/TechniqueDetailPage.tsx
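Review bot: The role arrays passed to the ProtectedRoute elements in both App.tsx hunks (@@ -53 and @@ -84) remain literal lists kept in step with the sidebar's lists by hand, which is precisely the drift the commit message describes for /executive-dashboard and /comparison; a single shared map such as `const ROUTE_ROLES = { executiveDashboard: [...], comparison: [...], reviewQueue: [...] } as const;` consumed by both the sidebar and the routes would make the next divergence impossible instead of merely corrected. The element attributes are not legible in this rendering, so the exact arrays cannot be verified here. ProtectedRoute only governs what the client renders; the endpoints that feed the review queue and dashboards presumably apply the same role checks server-side — worth confirming, since the commit message notes the review-queue page was reachable by any authenticated user and the same could hold for its data.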
@@ -273,8 +273,8 @@ export default function TechniqueDetailPage() {
- {/* Review required banner */}
- {technique.review_required && (
+ {/* Review required banner — only shown to users who can act on it */}
+ {technique.review_required && canReview && (
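Review bot: Gating the entire banner on `canReview` in the new condition `{technique.review_required && canReview && (` removes the only on-page signal to analysts and viewers that upstream ATT&CK content for this technique has changed since it was last reviewed; the acknowledgement action is lead-only, but the fact that the displayed data may be stale matters to everyone reading the page. Consider keeping a read-only variant for non-leads, e.g. a short `technique.review_required && !canReview` notice saying the technique has pending upstream changes awaiting lead review, with no action button. `canReview` is defined outside the hunk, so its role set (admin/red_lead/blue_lead per the commit message) cannot be checked here against what the mark-as-reviewed API enforces — the client-side check should mirror, not replace, that authorization. The enclosing component body starts and ends outside the hunk.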
@@ -286,15 +286,10 @@ export default function TechniqueDetailPage() {
 {technique.mitre_last_modified && ( <> Last modified in ATT&CK: {technique.mitre_last_modified.slice(0, 10)}. )}
- {" "}A lead or admin should review the changes and click{" "}
- Mark as Reviewed to acknowledge them.
+ {" "}Click{" "}
+ Mark as Reviewed to acknowledge the changes.

- {!canReview && (
-
- Leads only
-
- )}
)}