ROX-33771: Disable Delete for read-only role in auth providers list #19574

Merged
pedrottimark merged 1 commit into master from ROX-33771-ActionsColumn-isDisabled-AuthProvidersList
Mar 24, 2026

@pedrottimark pedrottimark commented Mar 24, 2026

Description

Problem

In RHACS, we tested the Analyst role behavior and observed that users with the Analyst role can see the Delete option. After testing on a test cluster, it was confirmed that the "Delete" action is not executable, indicating a UI vs functionality mismatch.
The Analyst role remains read-only, and permissions verified under “My Profile” confirm no write access. However, "Delete" actions ideally should not be visible for users with the Analyst role only.

Could you please confirm if this is expected or should be treated as a bug? If not expected, should we proceed with raising one?

Analysis

Row actions have isDisabled condition in 3 other list pages:

<Td isActionCell>
    <ActionsColumn
        isDisabled={
            !hasWriteAccessForPage || )
        }
        items={}
    />
</Td>

That is, vertical ellipsis button is visible but disabled.

Delete row action has isDisabled condition in auth providers list page:

items={[
    {
        title: 'Delete auth provider',
        isDisabled:
            id === currentUser?.authProvider?.id ||
            isImmutable,
    },
]}

That is, vertical ellipsis button is enabled.

Solution

Be consistent to disable row actions if user role does not have write 'Access' permission or during delete request for table row.

User-facing documentation

  • CHANGELOG.md update is not needed
  • documentation PR is not needed

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

  1. npm run tsc in ui/apps/platform folder.
  2. npm run lint:fast-dev in ui/apps/platform folder.
  3. npm run start in ui/apps/platform folder with staging demo as central.

Manual testing

Temporarily edit hasWriteAccessForPage condition.

  1. Visit /main/access-control/auth-providers

    See vertical ellipsis button is visible but disabled.

@pedrottimark pedrottimark requested a review from a team as a code owner March 24, 2026 17:51
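
The rule from the Analysis and Solution sections, as an added TypeScript example that is not code from this PR or the project: it computes the column-level and item-level `isDisabled` values for one row and checks them against a stand-in for the server-side decision, so a read-only role is never offered an enabled menu. The access-level strings, the function names, `idBeingDeleted` and the sample data are assumptions made for illustration.

```typescript
// Added example. Hypothetical names: AccessLevel values, rowActionState,
// authorizeDelete, uiOffersDeniedAction, idBeingDeleted, and all sample data.
type AccessLevel = 'NO_ACCESS' | 'READ_ACCESS' | 'READ_WRITE_ACCESS';
type Permissions = Record<string, AccessLevel>;
interface AuthProviderRow { id: string; isImmutable: boolean }
interface RowActionState {
    columnDisabled: boolean; // vertical ellipsis button visible but disabled
    deleteDisabled: boolean; // only the Delete item inside the menu
}

function hasWriteAccess(permissions: Permissions, resource: string): boolean {
    return permissions[resource] === 'READ_WRITE_ACCESS';
}

// Presentation layer: what the list page renders for one table row.
function rowActionState(
    permissions: Permissions,
    row: AuthProviderRow,
    currentUserProviderId: string | undefined,
    idBeingDeleted: string | undefined
): RowActionState {
    const hasWriteAccessForPage = hasWriteAccess(permissions, 'Access');
    return {
        // Column level: no write access, or a delete request in flight for this row.
        columnDisabled: !hasWriteAccessForPage || idBeingDeleted === row.id,
        // Item level: the provider the user signed in with, or an immutable provider.
        deleteDisabled: row.id === currentUserProviderId || row.isImmutable,
    };
}

// Enforcement layer (stand-in for the server): decides regardless of UI state.
function authorizeDelete(permissions: Permissions): 'allowed' | 'denied' {
    return hasWriteAccess(permissions, 'Access') ? 'allowed' : 'denied';
}

// Regression check for the reported mismatch: true means the UI offers an
// enabled actions menu to a caller whose delete request would be denied.
function uiOffersDeniedAction(permissions: Permissions, row: AuthProviderRow): boolean {
    const ui = rowActionState(permissions, row, undefined, undefined);
    return authorizeDelete(permissions) === 'denied' && !ui.columnDisabled;
}

// Constructed sample data.
const analyst: Permissions = { Access: 'READ_ACCESS' };
const admin: Permissions = { Access: 'READ_WRITE_ACCESS' };
const editableRow: AuthProviderRow = { id: 'p1', isImmutable: false };
const immutableRow: AuthProviderRow = { id: 'p2', isImmutable: true };
```

The disabled state is presentation only; the denial in `authorizeDelete` is what actually prevents the delete, which matches the observation in the Problem section that the action was visible but not executable.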
@rhacs-bot

Images are ready for the commit at 3a9c952.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.11.x-431-g3a9c952cf3.

codecov bot commented Mar 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 49.25%. Comparing base (47557b3) to head (3a9c952).

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #19574      +/-   ##
==========================================
- Coverage   49.26%   49.25%   -0.01%     
==========================================
  Files        2735     2735              
  Lines      206138   206138              
==========================================
- Hits       101546   101542       -4     
- Misses      97045    97049       +4     
  Partials     7547     7547              
Flag Coverage Δ
go-unit-tests 49.25% <ø> (-0.01%) ⬇️


openshift-ci bot commented Mar 24, 2026

@pedrottimark: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/ocp-4-21-ui-e2e-tests | 3a9c952 | link | false | /test ocp-4-21-ui-e2e-tests |
| ci/prow/ocp-4-21-nongroovy-e2e-tests | 3a9c952 | link | false | /test ocp-4-21-nongroovy-e2e-tests |
| ci/prow/ocp-4-20-ui-e2e-tests | 3a9c952 | link | false | /test ocp-4-20-ui-e2e-tests |
| ci/prow/ocp-4-12-nongroovy-e2e-tests | 3a9c952 | link | false | /test ocp-4-12-nongroovy-e2e-tests |
| ci/prow/ocp-4-20-nongroovy-e2e-tests | 3a9c952 | link | false | /test ocp-4-20-nongroovy-e2e-tests |


@pedrottimark pedrottimark merged commit 5d84b54 into master Mar 24, 2026
85 of 90 checks passed
@pedrottimark pedrottimark deleted the ROX-33771-ActionsColumn-isDisabled-AuthProvidersList branch March 24, 2026 20:25