feat: client side access control checks #27635
Conversation
zlwaterfield
force-pushed
the
zach/rbac/6d
branch
from
fb9e3c8 to
580b445
Compare
zlwaterfield
changed the title
|
Size Change: +761 B (+0.07%) Total Size: 1.16 MB ℹ️ View Unchanged
|
📸 UI snapshots have been updated2 snapshot changes in total. 0 added, 2 modified, 0 deleted:
Triggered by this commit. |
frontend/src/layout/navigation-3000/sidepanel/panels/access_control/accessControlLogic.ts
Outdated
Show resolved
Hide resolved
📸 UI snapshots have been updated4 snapshot changes in total. 0 added, 4 modified, 0 deleted:
Triggered by this commit. |
zlwaterfield
force-pushed
the
zach/rbac/6d
branch
from
d776f6f to
6510905
Compare
| <AccessControlledLemonButton | ||
| userAccessLevel={featureFlag.user_access_level} | ||
| minAccessLevel="editor" | ||
| resourceType="feature flag" |
There was a problem hiding this comment.
nit(non-blocking): resourceType is free text for inserting into the disabledReason, but it's also passed to accessLevelSatisfied where it needs to be correct. may be worth considering an enum or string literal
There was a problem hiding this comment.
I was about to say the same - resourceType should be a proper typed enum to match what the backend has. I don't think feature flag is actually correct?
There was a problem hiding this comment.
Yeah, resource type is irrelevant to the checks right now other than project and org, but that's a good point. I'll make a change
📸 UI snapshots have been updated1 snapshot changes in total. 0 added, 1 modified, 0 deleted:
Triggered by this commit. |
| children, | ||
| ...props | ||
| }: AccessControlledLemonButtonProps): JSX.Element => { | ||
| return ( |
| <AccessControlledLemonButton | ||
| userAccessLevel={featureFlag.user_access_level} | ||
| minAccessLevel="editor" | ||
| resourceType="feature flag" |
There was a problem hiding this comment.
I was about to say the same - resourceType should be a proper typed enum to match what the backend has. I don't think feature flag is actually correct?
frontend/__snapshots__/scenes-app-insights--trends-bar--light--webkit.png
Outdated
Show resolved
Hide resolved
📸 UI snapshots have been updated1 snapshot changes in total. 0 added, 1 modified, 0 deleted:
Triggered by this commit. |
📸 UI snapshots have been updated1 snapshot changes in total. 0 added, 1 modified, 0 deleted:
Triggered by this commit. |
|
CI pased - halleluwah |
zlwaterfield
dismissed
benjackwhite’s stale review
Others approved and nee to get this out
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Michael Matloka <[email protected]>
Changes
Follow along: #24512
This PR is adding a component that checks if the current user can perform an action on a resource under the access control model and return a reason why if not. It will disable buttons/inputs where the user does not have access and show a tooltip on hover with more information. This includes a helped component named
<AccessControlledLemonButton />that extendsLemonButtonto make it very easy to use.Initially adding for the main four resources (insights, dashboards, notebooks, feature flags). The actions being blocked are being made under the assumption the user will always have access to the underlying data ,so they will still be able to duplicate, view SQL, etc. They just won't be able to action edit or delete the resource. This doesn't yet cover 100% of cases but it's covering most. It's integrating into existing patterns of
canEditInsightandcanEditDashboard.Only relevant for those with the feature flag on.
👉 Stay up-to-date with PostHog coding conventions for a smoother review.
Does this work well for both Cloud and self-hosted?
Yes
How did you test this code?
Manually