Feature/admin configurable access denied message #772
Open
vivche wants to merge 3 commits into microsoft:Development from
- Add access_denied_message to default_settings in functions_settings.py
- Persist access_denied_message from Admin Settings form in route_frontend_admin_settings.py
- Add Access Denied Message textarea to Admin Settings UI
- Render dynamic message on index.html for signed-in users lacking required roles

Fix Copilot PR microsoft#557 findings:
- Finding 1: default message in functions_settings.py now matches index.html fallback (both use 'Please contact an administrator for access.')
- Finding 2: replaced '| e | replace(\\n, <br>) | safe' filter chain with a proper nl2br Jinja filter registered in app.py, avoiding potential filter-order confusion flagged by Copilot review
paullizer
previously approved these changes
Mar 5, 2026
Pull request overview
Adds an admin-configurable “access denied” message for signed-in users who lack required roles, persisted in Cosmos settings and rendered on the home page with newline support.
Changes:
- Adds access_denied_message to default application settings (Cosmos-backed).
- Extends Admin Settings to edit/persist access_denied_message.
- Adds a Jinja nl2br filter and updates the home page to render the configured message with line breaks.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| application/single_app/functions_settings.py | Introduces access_denied_message in default_settings (Cosmos merge default). |
| application/single_app/route_frontend_admin_settings.py | Persists access_denied_message from Admin Settings form submissions. |
| application/single_app/templates/admin_settings.html | Adds the “Access Denied Message” textarea to the Admin Settings UI. |
| application/single_app/app.py | Registers nl2br Jinja filter (escape + newline-to-<br>). |
| application/single_app/templates/index.html | Renders the (sanitized) configured access denied message via nl2br. |
…ture
Finding 1 (index.html redundant fallback):
- Removed hardcoded 'or ...' fallback from access_denied_message rendering in
templates/index.html; default lives exclusively in functions_settings.py and
is guaranteed present after get_settings() deep-merge
Finding 2 (route silent data loss):
- Changed access_denied_message in route_frontend_admin_settings.py to fall back
to settings.get('access_denied_message', '') instead of '' so an older/cached
form submission that omits the field does not wipe the existing stored value
Finding 3 (missing functional regression test):
- Added functional_tests/test_access_denied_message_feature.py (4/4 passing):
(1) admin_settings.html exposes textarea name=access_denied_message with label
(2) route uses safe settings.get() fallback, not bare empty string
(3) index.html renders via nl2br with no inline hardcoded fallback
(4) functions_settings.py defines a non-empty default value
Overview
Adds a user-facing message shown on the home page when a signed-in user lacks the required roles. Admins can set and update this message in Admin Settings; the value is persisted in Azure Cosmos DB. A stable, hard-coded default remains in place when no admin override is set.
Version Implemented: 0.239.003
Purpose
Technical Specification
- application/single_app/functions_settings.py under default_settings['access_denied_message'].
- nl2br filter is registered in application/single_app/app.py; it HTML-escapes the value then converts \n characters to <br> tags.
- access_denied_message and persists it via update_settings() to Cosmos DB.
- app_settings and renders the message through the nl2br filter.

Files Changed
- application/single_app/functions_settings.py: access_denied_message default value to default_settings.
- application/single_app/app.py: nl2br Jinja filter (HTML-escape + newline-to-<br> conversion).
- application/single_app/route_frontend_admin_settings.py: access_denied_message read from POST form data and included in the settings update payload.
- application/single_app/templates/admin_settings.html
- application/single_app/templates/index.html: app_settings.access_denied_message rendered via the nl2br filter.
- application/single_app/config.py: 0.239.003.

Usage
Limitations
- <br> entered in the textarea will display as plain text, not a line break, because the filter HTML-escapes the value before processing newlines.

Testing & Validation
- <br> line breaks in the UI.
- <br> in the stored message displays as text in some input paths.
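The escape-then-convert behaviour and the "do not wipe the stored value" fallback described above, as an added sketch that is not the code from this pull request. The helper names `nl2br_html`, `register_nl2br` and `message_from_form` are hypothetical, and the CRLF normalisation is an assumption about how textarea input arrives.

```python
import html

FIELD = "access_denied_message"


def nl2br_html(value):
    """HTML-escape the admin-supplied text, then turn newlines into <br>."""
    escaped = html.escape("" if value is None else str(value))
    # Browsers submit textarea content with CRLF; normalise so each
    # line break yields exactly one <br>.
    escaped = escaped.replace("\r\n", "\n").replace("\r", "\n")
    return escaped.replace("\n", "<br>")


def register_nl2br(env):
    """Expose the filter on a Jinja environment (for Flask: app.jinja_env)."""
    from markupsafe import Markup  # installed alongside Jinja2

    # Markup marks the already-escaped string as safe, so autoescape does
    # not escape the <br> tags a second time.
    env.filters["nl2br"] = lambda value: Markup(nl2br_html(value))


def message_from_form(form, settings):
    """Keep the stored value when a submission omits the field entirely."""
    return form.get(FIELD, settings.get(FIELD, ""))


if __name__ == "__main__":
    stored = {FIELD: "Please contact an administrator for access."}
    # Constructed sample submission: markup plus a CRLF line break.
    posted = {FIELD: "No role assigned.<br>\r\nEmail <b>IT</b> & wait."}
    print(nl2br_html(message_from_form(posted, stored)))
    print(nl2br_html(message_from_form({}, stored)))
```

Because escaping runs before the newline conversion, the only tags that reach the page are the `<br>` elements the filter itself inserts; a literal `<br>` typed by an admin is shown as text, which is the limitation listed above.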