Skip to content

Access Control: Implement system-wide permission-aware UI rendering #845

New issue
New issue
Closed
Closed
Access Control: Implement system-wide permission-aware UI rendering#845
Labels
jules
@timothyfroehlich

Description

@timothyfroehlich
timothyfroehlich
opened on Jan 26, 2026

The application currently renders interactive elements (buttons, forms, editable inputs) to all authenticated users, even when they do not have the necessary permissions to perform the associated actions. This results in a poor user experience where users encounter "Permission Denied" errors only after attempting an action.

Goal

Implement a system-wide strategy for conditional UI rendering based on user roles and permissions. If a user does not have permission to perform an action, the UI should not suggest that they can.

Requirements

  1. Component-Level Permission Checks: Build permission awareness directly into components. Before rendering an "Edit" button or an editable form field, verify the current user's role.
  2. Read-Only Fallbacks: When a user lacks edit permissions, display information as static text or disabled elements instead of interactive forms.
  3. Consistency Across the App:
    • Machines: Hide or disable the update form/button for non-admins (ref Access Control: Implement system-wide permission-aware UI rendering #845 original scope).
    • Issues: In the IssueSidebar, only render status/priority/severity/assignment update forms if the user is a member or admin (or the machine owner).
    • User Management: Ensure admin-only features are hidden from members and guests.
  4. Server-Side Verification: Continue to enforce permissions on the server (Server Actions), but ensure the client-side UI reflects these constraints.

Suggested Implementation

  • Centralize permission logic (e.g., in src/lib/auth/permissions.ts) so it can be easily reused in both Server Components and Client Components.
  • Use this centralized logic to gate the rendering of interactive components.

Affected Areas (Non-exhaustive)

  • src/app/(app)/m/[initials]/page.tsx (Machine info card)
  • src/components/issues/IssueSidebar.tsx and its sub-components (SidebarActions, etc.)
  • src/app/report/unified-report-form.tsx (Reporting issues)
  • Any other forms or actions that require specific roles.

Metadata

Metadata

Assignees

No one assigned

    Labels

    jules

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions