diff --git a/ui/app/helpers/has-permission.js b/ui/app/helpers/has-permission.js
index da6978230f04..0e5ae43c654c 100644
--- a/ui/app/helpers/has-permission.js
+++ b/ui/app/helpers/has-permission.js
@@ -14,8 +14,10 @@ export default Helper.extend({
 }
 ),
- compute([route], { routeParams, capability }) {
+ compute([route], params) {
+ let { routeParams } = params;
 let permissions = this.permissions;
- return permissions.hasNavPermission(route, routeParams, capability);
+
+ return permissions.hasNavPermission(route, routeParams);
 },
 });
diff --git a/ui/app/services/permissions.js b/ui/app/services/permissions.js
index ed3ec6c02428..0590025b5b39 100644
--- a/ui/app/services/permissions.js
+++ b/ui/app/services/permissions.js
@@ -44,11 +44,12 @@ const API_PATHS_TO_ROUTE_PARAMS = {
 };
 /*
- The Permissions service is used to gate top navigation and sidebar items. It fetches
- a users' policy from the resultant-acl endpoint and stores their allowed exact and glob
- paths as state. It also has methods for checking whether a user has permission for a given
- path.
+ The Permissions service is used to gate top navigation and sidebar items.
+ It fetches a users' policy from the resultant-acl endpoint and stores their
+ allowed exact and glob paths as state. It also has methods for checking whether
+ a user has permission for a given path.
 */
+
 export default Service.extend({
 exactPaths: null,
 globPaths: null,
@@ -88,7 +89,10 @@ export default Service.extend({
 hasNavPermission(navItem, routeParams) {
 if (routeParams) {
- return this.hasPermission(API_PATHS[navItem][routeParams]);
+ // viewing the entity and groups pages require the list capability, while the others require the default, which is anything other than deny
+ let capability = routeParams === 'entities' || routeParams === 'groups' ? ['list'] : [null];
+
+ return this.hasPermission(API_PATHS[navItem][routeParams], capability);
 }
 return Object.values(API_PATHS[navItem]).some(path => this.hasPermission(path));
 },
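Review bot: In `ui/app/helpers/has-permission.js`, the new `compute([route], params)` followed by `let { routeParams } = params;` is a longer spelling of `compute([route], { routeParams })`, which keeps the helper's named-argument contract visible in the signature the way the removed line did. Dropping `capability` also means any template that still passes `capability=` to this helper is now ignored without an error. Those call sites are outside this diff, so they are worth a search before merging. The enclosing `Helper.extend` block starts above the hunk.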
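Review bot: In `ui/app/services/permissions.js`, the `list` requirement is applied only in the `routeParams` branch of `hasNavPermission`. The fallback `Object.values(API_PATHS[navItem]).some(path => this.hasPermission(path))` still calls `hasPermission` with no capability, so a policy granting only `read` on the entity or group path can presumably still satisfy the top-level check while both sidebar entries are hidden. `hasPermission` is outside the hunk, so this assumes its default matches the `[null]` case. Keeping the rule in one lookup next to `API_PATHS`, for example `const REQUIRED_CAPABILITIES = { entities: ['list'], groups: ['list'] };` read as `REQUIRED_CAPABILITIES[routeParams] || [null]` in both branches, would remove the string comparison and the divergence. The new comment could also say that this check only decides which navigation items the UI renders, and that the `[null]` sentinel stands for "any capability other than deny".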
diff --git a/ui/tests/unit/services/permissions-test.js b/ui/tests/unit/services/permissions-test.js
index 508a80a8a9fa..aef4a1533e8b 100644
--- a/ui/tests/unit/services/permissions-test.js
+++ b/ui/tests/unit/services/permissions-test.js
@@ -157,24 +157,32 @@ module('Unit | Service | permissions', function(hooks) {
 assert.deepEqual(service.navPathParams('access'), expected);
 });
- test('hasNavPermission returns true if a policy includes access to at least one path', function(assert) {
+ test('hasNavPermission returns true if a policy includes the required capabilities for at least one path', function(assert) {
 let service = this.owner.lookup('service:permissions');
 const accessPaths = {
 'sys/auth': {
 capabilities: ['deny'],
 },
- 'sys/leases/lookup': {
- capabilities: ['read'],
+ 'identity/group/id': {
+ capabilities: ['list', 'read'],
 },
 };
 service.set('exactPaths', accessPaths);
- assert.equal(service.hasNavPermission('access', 'leases'), true);
+ assert.equal(service.hasNavPermission('access', 'groups'), true);
 });
- test('hasNavPermission returns false if a policy does not include access to any paths', function(assert) {
+ test('hasNavPermission returns false if a policy does not include the required capabilities for at least one path', function(assert) {
 let service = this.owner.lookup('service:permissions');
- service.set('exactPaths', {});
- assert.equal(service.hasNavPermission('access'), false);
+ const accessPaths = {
+ 'sys/auth': {
+ capabilities: ['deny'],
+ },
+ 'identity/group/id': {
+ capabilities: ['read'],
+ },
+ };
+ service.set('exactPaths', accessPaths);
+ assert.equal(service.hasNavPermission('access', 'groups'), false);
 });
 test('appends the namespace to the path if there is one', function(assert) {
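Review bot: After this hunk neither test exercises the default-capability path or the no-`routeParams` branch of `hasNavPermission`. The removed assertions on `hasNavPermission('access', 'leases')` and `hasNavPermission('access')` were the only visible coverage for them, and both new tests use `'groups'`. Keep a case with `'sys/leases/lookup': { capabilities: ['read'] }` asserting `assert.equal(service.hasNavPermission('access', 'leases'), true);`, keep the empty-policy case `assert.equal(service.hasNavPermission('access'), false);`, and add an `'entities'` case so both list-gated keys are pinned. A `deny` on a list-gated path asserted as `false` would also guard the rule against regressions. The module callback starts above the hunk, and the final context line opens a test that continues below it.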