feat: disallow UPLOAD_ONLY role from some views (BED-7937)#2944
Conversation
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughThis change adds ChangesRoute role metadata and enforcement
Estimated code review effort: 3 (Moderate) | ~20 minutes Suggested labels: Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
packages/javascript/bh-shared-ui/src/routes/index.tsx (1)
70-70: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winConsider using
RoleValuetype fornameinstead of plainstring.
roles.tsexports aRoleValuetype derived from theRolesconst map. TypingdisallowedRoles[].nameagainst it would prevent typos/drift between route configs and actual role names, rather than allowing any arbitrary string.♻️ Suggested refactor
+import type { RoleValue } from '../utils/roles'; + export type Routable = { path: string; component: React.LazyExoticComponent<React.FC>; authenticationRequired: boolean; navigation: boolean; exact?: boolean; - disallowedRoles?: { name: string; notification: string }[]; + disallowedRoles?: { name: RoleValue; notification: string }[]; };🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@packages/javascript/bh-shared-ui/src/routes/index.tsx` at line 70, The disallowedRoles entry in the route config is using a plain string for the role name, which can drift from the actual role constants. Update the Route type in index.tsx so disallowedRoles[].name uses the shared RoleValue type exported from roles.ts instead of string, and make sure the type is imported and applied consistently wherever route role names are declared.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@packages/javascript/bh-shared-ui/src/routes/index.tsx`:
- Line 70: The disallowedRoles entry in the route config is using a plain string
for the role name, which can drift from the actual role constants. Update the
Route type in index.tsx so disallowedRoles[].name uses the shared RoleValue type
exported from roles.ts instead of string, and make sure the type is imported and
applied consistently wherever route role names are declared.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
Run ID: 066d6c2f-de05-41da-9879-e06fc0e8a41a
📒 Files selected for processing (2)
packages/javascript/bh-shared-ui/src/routes/index.tsxpackages/javascript/bh-shared-ui/src/utils/index.ts
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@cmd/ui/src/components/AuthenticatedRoute/AuthenticatedRoute.tsx`:
- Around line 45-57: The disallowed-role badge branch in AuthenticatedRoute is
executing before the authentication/session and password-expiry guards, which
can hide the required redirect for expired users. Reorder the logic in
AuthenticatedRoute so the existing auth/session and password-expiry checks run
first, and only evaluate hasDisallowedRoles after those guards have passed; keep
the Badge render tied to the disallowed-role path after the redirect conditions.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
Run ID: 773028b5-2e23-4fcd-bb5b-d2465e44d23b
📒 Files selected for processing (2)
cmd/ui/src/components/AuthenticatedRoute/AuthenticatedRoute.tsxcmd/ui/src/views/Content.tsx
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
cmd/ui/src/components/AuthenticatedRoute/AuthenticatedRoute.test.tsx (1)
133-185: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueMinor: wrapping
renderinawait act(async () => {...})may be redundant if the sharedrenderhelper fromsrc/test-utilsalready flushes effects/act internally; not blocking.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@cmd/ui/src/components/AuthenticatedRoute/AuthenticatedRoute.test.tsx` around lines 133 - 185, The two AuthenticatedRoute tests are unnecessarily wrapping the shared render helper in await act(async () => {...}), which may be redundant if src/test-utils already handles act/effect flushing. Remove the extra act wrapper from these TestRoutes render calls and keep the assertions unchanged, using the existing render, screen, and window.location.pathname checks to verify behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@cmd/ui/src/components/AuthenticatedRoute/AuthenticatedRoute.test.tsx`:
- Around line 146-150: The mock user role in AuthenticatedRoute.test.tsx does
not match the configured disallowedRoles, so the test is asserting the wrong
branch. Update the mocked role inside the AuthenticatedRoute test to use
DISALLOWED_ROLE_NAME so it matches the disallowedRoles check in
AuthenticatedRoute’s role-matching logic, and keep the assertion aligned with
the badge rendering path rather than the children-rendering path.
- Around line 169-175: The authenticated-user mock is missing roles, which can
still crash when AuthenticatedRoute evaluates disallowedRoles. Update the
component’s roles check in AuthenticatedRoute to guard the lookup with optional
chaining or a default empty array around authState.user?.roles.find, and add
roles: [] to this test fixture so the normal-page path can run without throwing.
---
Nitpick comments:
In `@cmd/ui/src/components/AuthenticatedRoute/AuthenticatedRoute.test.tsx`:
- Around line 133-185: The two AuthenticatedRoute tests are unnecessarily
wrapping the shared render helper in await act(async () => {...}), which may be
redundant if src/test-utils already handles act/effect flushing. Remove the
extra act wrapper from these TestRoutes render calls and keep the assertions
unchanged, using the existing render, screen, and window.location.pathname
checks to verify behavior.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
Run ID: 55681a07-fede-4a4e-ac28-9cd62493b35a
📒 Files selected for processing (1)
cmd/ui/src/components/AuthenticatedRoute/AuthenticatedRoute.test.tsx
Description
Motivation and Context
We need a repeatable pattern for excluding users with certain roles from accessing given pages. After this PR, we will pass an array
disallowedPropsthen display a badge instead of the route if the user's roles are on that list.Resolves: BED-7937
How Has This Been Tested?
Screenshots (if appropriate):
Checklist:
Summary by CodeRabbit
Summary by CodeRabbit
New Features
Enhancements
Tests