fix: prevent listPolicies call for project viewers without permission #1445

Merged
rohilsurana merged 1 commit into main from fix/listpolicies-permission-error-project-viewer on Mar 11, 2026
@rohilsurana
Member

Summary

  • Fix permission error when project viewers access the project members page
  • The listPolicies API requires PolicyManagePermission which project viewers don't have
  • Added canUpdateProject check to conditionally enable the query only for users with update permissions
  • Project viewers will now see fallback text ("Project Viewer" or "Inherited role") without triggering permission errors

Changes

  • Updated useQuery enabled condition in project-member-columns.tsx to include canUpdateProject check
  • This prevents unnecessary API calls and eliminates permission errors for users without policy management access

Test plan

  • Verify project viewers can access the project members page without errors
  • Confirm project managers/owners can still view and update member roles
  • Check that fallback role text displays correctly for project viewers
  • Verify no console errors for project viewers on members page
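
The gate described in this PR, as an added illustration that is not the project's code: a stand-in backend enforces the policy-management permission, and the role cell only issues listPolicies when canUpdateProject is true. Only listPolicies and canUpdateProject come from the PR; all other names, the sample data, and which fallback string goes with which caller are assumptions.

```typescript
// Added example. Only listPolicies and canUpdateProject come from the PR;
// every other name, and the sample data, is constructed for illustration.
type Policy = { roleName: string };
type Caller = { id: string; canManagePolicies: boolean };
type ListResult = { ok: true; policies: Policy[] } | { ok: false; error: "permission_denied" };

// Stand-in backend: the permission check lives here, whatever the UI does.
function makeServer(policies: Record<string, Policy[]>) {
  let calls = 0;
  return {
    callCount: (): number => calls,
    listPolicies(caller: Caller, projectId: string, memberId: string): ListResult {
      calls += 1;
      if (!caller.canManagePolicies) return { ok: false, error: "permission_denied" };
      return { ok: true, policies: policies[projectId + ":" + memberId] ?? [] };
    },
  };
}
type Server = ReturnType<typeof makeServer>;
type Args = { projectId?: string; memberId?: string; canUpdateProject: boolean };

// Same shape as the query's `enabled` condition after the fix.
function isPolicyQueryEnabled(a: Args): boolean {
  return Boolean(a.projectId) && Boolean(a.memberId) && a.canUpdateProject;
}

// Role cell text: a disabled query never reaches the server, so the caller
// sees the fallback instead of a permission error.
function resolveRoleCell(server: Server, caller: Caller, a: Args, fallback: string): string {
  if (!isPolicyQueryEnabled(a)) return fallback;
  const res = server.listPolicies(caller, a.projectId as string, a.memberId as string);
  if (!res.ok || res.policies.length === 0) return fallback;
  return res.policies.map((p) => p.roleName).join(", ");
}

// Constructed scenario: one viewer and one owner looking at member "m1".
function runScenario() {
  const server = makeServer({ "p1:m1": [{ roleName: "Project Owner" }] });
  const viewer: Caller = { id: "u-viewer", canManagePolicies: false };
  const owner: Caller = { id: "u-owner", canManagePolicies: true };
  const base = { projectId: "p1", memberId: "m1" };
  const viewerCell = resolveRoleCell(server, viewer, { ...base, canUpdateProject: false }, "Project Viewer");
  const callsAfterViewer = server.callCount();
  const ownerCell = resolveRoleCell(server, owner, { ...base, canUpdateProject: true }, "Inherited role");
  // Calling the API directly, bypassing the UI gate, is still refused server-side.
  const direct = server.listPolicies(viewer, "p1", "m1");
  return { viewerCell, callsAfterViewer, ownerCell, directOk: direct.ok, totalCalls: server.callCount() };
}
```

The client-side condition only stops the UI from issuing a request it knows will fail; the refusal of the direct call in the scenario shows that authorization still rests on the server.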

vercel bot commented Mar 11, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: frontier
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): Mar 11, 2026 9:44am

coderabbitai bot commented Mar 11, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: fefecf9d-0ab7-480d-82da-02d11b760088

📥 Commits

Reviewing files that changed from the base of the PR and between 01aab59 and 36bd64b.

📒 Files selected for processing (1)
  • web/sdk/react/views/projects/details/project-member-columns.tsx

📝 Walkthrough

Summary by CodeRabbit

  • Bug Fixes
    • Fixed an access control issue in project member management where policy data could be queried without proper update permissions. Policy information is now only fetched for users with the appropriate authorization level.

Walkthrough

This PR modifies the query enablement condition in the project member columns component. The listPolicies query now requires canUpdateProject permission in addition to projectId and member.id before executing, adding a permission-based gate to policy data fetches.

Changes

Cohort / File(s): Permission gate for policy queries (web/sdk/react/views/projects/details/project-member-columns.tsx)
Summary: Added canUpdateProject condition to useQuery enablement for listPolicies, restricting policy data fetches to users with update permissions.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes


@rohilsurana marked this pull request as ready for review March 11, 2026 09:44
@coveralls

Pull Request Test Coverage Report for Build 22946364214

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 40.425%

Totals Coverage Status
Change from base Build 22943557563: 0.0%
Covered Lines: 13968
Relevant Lines: 34553

💛 - Coveralls

@rohilsurana merged commit 53fbdbe into main Mar 11, 2026
8 checks passed
@rohilsurana deleted the fix/listpolicies-permission-error-project-viewer branch March 11, 2026 10:05