kitos/Aegis
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix(permissions): hide non-actionable UI + fix viewer route access
Some checks failed
Aegis CI / lint-and-test (push) Has been cancelled
Details

Browse Source 
1. /executive-dashboard: add 'viewer' to ProtectedRoute roles — sidebar
   showed the link to viewers but the route redirected them to /dashboard.
2. /comparison: same fix — viewer was in sidebar roles but not in route.
3. /techniques/review-queue: add ProtectedRoute (leads+admin) — the page
   had no route-level protection, any authenticated user could access it.
4. TechniqueDetailPage review banner: hide from users who can't act on it.
   Previously shown to everyone with a 'Leads only' badge; now only shown
   to canReview users (admin/red_lead/blue_lead). Non-leads don't need to
   see alerts about changes they cannot acknowledge.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
kitos
2026-05-29 15:25:36 +02:00
parent 8a542f912d
commit f590a00006
2 changed files with 16 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
frontend/src/pages/TechniqueDetailPage.tsx
View File

@@ -273,8 +273,8 @@ export default function TechniqueDetailPage() {
</div>
</div>
{/* Review required banner */}
{technique.review_required && (
{/* Review required banner — only shown to users who can act on it */}
{technique.review_required && canReview && (
<div className="flex items-start gap-3 rounded-xl border border-amber-500/30 bg-amber-500/5 p-4">
<AlertTriangle className="mt-0.5 h-5 w-5 shrink-0 text-amber-400" />
<div className="flex-1 min-w-0">
@@ -286,15 +286,10 @@ export default function TechniqueDetailPage() {
{technique.mitre_last_modified && (
<> Last modified in ATT&CK: <span className="font-mono">{technique.mitre_last_modified.slice(0, 10)}</span>.</>
)}
{" "}A lead or admin should review the changes and click{" "}
<span className="font-semibold">Mark as Reviewed</span> to acknowledge them.
{" "}Click{" "}
<span className="font-semibold">Mark as Reviewed</span> to acknowledge the changes.
</p>
</div>
{!canReview && (
<span className="shrink-0 rounded-full border border-amber-500/20 bg-amber-500/10 px-2 py-0.5 text-[10px] text-amber-400">
Leads only
</span>
)}
</div>
)}