READER role inconsistencies UI vs. API

[hanna-modica]

I found that the READER role in the UI are not consistent with the rights it has in the API.

1. Reading users, secrets and infrastructure services is allowed for READER (and WRITER) in the API, but in the UI the menu is not available. If I try to access the url for the ui, e.g. /ui/organizations/{organizationId}/users as a READER directly, I see a 403 forbidden. If I do a GET request to /api/v1/organizations/{organizationId}/users with the same READER user, I get a 200 response and the body contains the user list.
   The UI should show those read options also in the menu
2. READER user has button to start a re(run) in the UI, even though when starting the run, a 403 will be returned. Same for creating repositories and products.

[Etsija]

I believe this goes even deeper than what @hanna-modica reports: we haven't done a thorough review of what list/edit/create/delete functionalities should be seen in the UI, based on the user role. This should definitely be done.

@hanna-modica I think you're suggesting we should basically allow all but /admin routes for everyone to see, then disable or make disappear UI functionality in those routes, for which the user does not have access API-wise.

I think this is a bigger discussion, which would involve both DO and Bosch teams.

[hanna-modica]

Hi @Etsija,

@hanna-modica I think you're suggesting we should basically allow all but /admin routes for everyone to see, then disable or make disappear UI functionality in those routes, for which the user does not have access API-wise.

Not 100% sure, but sounds like it could be what I want. Also, from a user perspective it makes sense for certain information to be visible. E.g. who is my org admin or, as a writer, which secrets and infrastructure services are available for use.

[Etsija]

@mnonnenmacher is this issue in any way related to #3908? I just want to make sure we properly link tickets to PRs which might close them.

[mnonnenmacher]

@mnonnenmacher is this issue in any way related to #3908? I just want to make sure we properly link tickets to PRs which might close them.

No, we do not yet change any of the roles, this is supposed to happen in a follow-up.