
Add RBAC permissions and enforce UI actions #527

Open

psanghvi17 wants to merge 7 commits into main from new-rbac

Conversation

@psanghvi17
Contributor

PR Checklist

  • [x] Linting Test is passing
  • [x] Code is well documented
  • [x] If applicable, a PR in the epinio/docs repository has been opened

Summary

Fixes #
Implements RBAC-aware UI for the Epinio dashboard. The UI fetches the current user's permissions from /api/v1/me, maps roles to action permissions, and conditionally shows or hides Create buttons and action-menu items (Edit, Delete, Show Configuration) based on those permissions.

Occurred changes and/or fixed issues

  • utils/permissions.ts (new): Maps role IDs to action IDs (ROLE_ACTIONS), buildPermissionsFromRoles() for the store
  • Store (epinio-store/): Added me action, permissions and can getters, me/permissions/reset mutations; fetches /api/v1/me on load
  • Types (types.ts): Added EpinioRole and EpinioMe interfaces
  • Models: _availableActions overrides in applications.js, configurations.js, namespaces.js, services.js to filter actions by can() checks
  • Pages/lists: Applications index and Namespaces list call epinio/me on mount; Create buttons are shown only when canCreateApp / canCreateNamespace is true

Technical notes summary

Areas or cases that should be tested

Areas which could experience regressions

  • Permissions are built from me.roles via buildPermissionsFromRoles(); role IDs like epinio-role-application-manager are normalized to application_manager
  • The can getter checks the permission map; models use it to filter _availableActions (Edit, Delete, Show Configuration)
  • When permissions have not loaded yet (empty map), Create buttons default to visible and all actions shown — the API enforces RBAC
  • reset mutation clears me and permissions on store reset (e.g. logout/navigation away)

Screenshot/Video

Introduce client-side RBAC support and apply it across the Epinio dashboard. Add utils/permissions.ts to build a flat permission map from /api/v1/me roles, and new EpinioMe/EpinioRole types. Extend the epinio store with a me action, permissions state, a can getter helper, and related mutations/reset. Fetch /me on relevant pages (namespaces, applications) and conditionally show Create buttons only when appropriate permissions are present (with sensible defaults while permissions are not yet loaded). Update resource models (applications, namespaces, services, configurations) to filter available actions based on the can getter and prune orphaned dividers for application actions. Overall this enforces UI-level RBAC while still relying on the API for authoritative enforcement.

- config: isCreatable false for Configuration/Service; Create only when canCreateConfiguration/canCreateService
- configurations.vue: masthead + RBAC-gated Create button
- services.vue: strict canCreateService (hide when no service_write)
- applications: gate shell by app_exec, Edit/ViewConfig by app_update and configuration_read/write
- permissions: add configuration and service actions to role definitions
- index.ts: markRaw for ThemeToggle and UnsavedChangesDialog (Vue warning fix)
- Hide "Edit Config" in view mode when user lacks configuration_write/configuration
- Hide Shell action for users without app_exec (e.g. view_only)
- Add .hide-edit-config CSS when button should be hidden.
- Always hide the primary "Edit Config" footer button in the applications edit dialog when the user lacks configuration write permissions, regardless of view vs edit mode.
- Restrict the "Edit Config" menu action so it is only shown to users who have configuration write permissions.
- Add a canEdit getter on the application model so the Resource Detail drawer only shows "Edit Config" when the user can actually modify configuration.
- Tighten logic for the "Create Application" button so it is only shown when loaded permissions confirm the user has app create/write capabilities, keeping it hidden for view-only users.
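The permission flow the PR describes, as an added TypeScript example that is not code from this PR or the epinio-ui project: role IDs from /api/v1/me are normalized, a ROLE_ACTIONS table (its contents are assumed here) is flattened into a permission map, `can` stays permissive while /me has not loaded, a strict variant gates Create buttons, and a model-side filter drops gated actions and prunes orphaned dividers.

```typescript
// Added example, not the epinio-ui project's own code: a flat permission map built from
// /api/v1/me roles with the role-id normalization and "not loaded" default the PR describes.
export interface EpinioRole { id: string; }
export interface Action { action?: string; divider?: boolean; }
export type PermissionMap = Record<string, boolean>;

// Hypothetical role -> action table; the real one lives in utils/permissions.ts.
export const ROLE_ACTIONS: Record<string, string[]> = {
  application_manager: ['app_create', 'app_update', 'app_delete', 'app_exec',
    'configuration_read', 'configuration_write'],
  view_only: ['configuration_read'],
};

// 'epinio-role-application-manager' -> 'application_manager'
export function normalizeRoleId(id: string): string {
  return id.replace(/^epinio-role-/, '').replace(/-/g, '_');
}

export function buildPermissionsFromRoles(roles: EpinioRole[]): PermissionMap {
  const perms: PermissionMap = {};
  for (const role of roles) {
    for (const action of ROLE_ACTIONS[normalizeRoleId(role.id)] ?? []) perms[action] = true;
  }
  return perms;
}

// Like the store's `can` getter: an empty map means /me has not loaded, so the UI stays
// permissive and relies on the API for authoritative enforcement.
export function can(perms: PermissionMap, action: string): boolean {
  return Object.keys(perms).length === 0 || perms[action] === true;
}

// Strict check for Create buttons: hidden until loaded permissions confirm it.
export function canStrict(perms: PermissionMap, loaded: boolean, action: string): boolean {
  return loaded && perms[action] === true;
}

// Model-side filter: drop actions whose required permission is missing
// (`required` maps action id -> permission), then prune orphaned/doubled dividers.
export function availableActions(actions: Action[], perms: PermissionMap,
  required: Record<string, string>): Action[] {
  const kept = actions.filter((a) => a.divider || !a.action ||
    !(a.action in required) || can(perms, required[a.action]));
  const out: Action[] = [];
  for (const a of kept) {
    if (a.divider && (out.length === 0 || out[out.length - 1].divider)) continue;
    out.push(a);
  }
  while (out.length && out[out.length - 1].divider) out.pop();
  return out;
}
```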