fix: better rbac frontend UX for selecting permissions#2783
Merged
Conversation
Graphite Automations"Warn authors when publishing large PRs" took an action on this PR • (06/01/26)1 teammate was notified to this PR based on Kyle Mendell's automation. |
kmendell
added a commit
that referenced
this pull request
Jun 2, 2026
kmendell
added a commit
that referenced
this pull request
Jun 4, 2026
kmendell
added a commit
that referenced
this pull request
Jun 4, 2026
kmendell
added a commit
that referenced
this pull request
Jun 4, 2026
kmendell
added a commit
that referenced
this pull request
Jun 4, 2026
kmendell
added a commit
that referenced
this pull request
Jun 4, 2026
kmendell
added a commit
that referenced
this pull request
Jun 7, 2026
kmendell
added a commit
that referenced
this pull request
Jun 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.

Checklist
mainbranchWhat This PR Implements
Fixes:
Changes Made
Testing Done
./scripts/development/dev.sh startjust lint all)just test backendAI Tool Used (if applicable)
AI Tool:
Assistance Level:
What AI helped with:
I reviewed and edited all AI-generated output:
I ran all required tests and manually verified changes:
Additional Context
Disclaimer Greptiles Reviews use AI, make sure to check over its work.
To better help train Greptile on our codebase, if the comment is useful and valid Like the comment, if its not helpful or invalid Dislike
To have Greptile Re-Review the changes, mention
greptileai.Greptile Summary
This PR improves the RBAC frontend UX by replacing coarse "gate-all" permission middleware on the settings, customize-search, and roles-manifest endpoints with per-category filtering, allowing users with granular permissions to access only the categories they're entitled to. It also adds a
PermissionPresetabstraction and anormalizePermissionSelectionutility that auto-addsrequiresdependencies whenever a permission is toggled, surfaces a quick Admin/Editor role-assignment checkbox panel on the user form, and lets account-page users create API keys with an explicit permission picker backed by the full manifest.RequirePermissionmiddleware removed from read-only list/category/manifest endpoints; handlers now filter results based on the caller's actual permission set, returning an empty list to unauthenticated or unpermissioned callers rather than a hard 401.normalizePermissionSelectionutility propagatesrequiresconstraints transitively; preset bundles ("Editor", "Global Admin") are added to the picker; the account-page API-key flow is promoted to the fullApiKeyFormSheetcomponent with permission selection.PermissionAction.requires,PermissionPreset, andUser.isGlobalAdminfields added to both Go and TypeScript type definitions.Confidence Score: 5/5
Safe to merge; the backend permission-filtering logic is correctly defensive (nil permission set returns an empty result) and the frontend changes are well-scoped.
All backend handler changes correctly handle nil permission sets by returning empty results, so no data leaks exist for unauthenticated callers. The normalizePermissionSelection fixed-point loop is correct. The one regression found — the password card becoming visible to auto-login users — is a UX inconvenience rather than a data or security issue, and the backend would reject an invalid password-change attempt.
frontend/src/routes/(app)/account/+page.svelte — the !autoLoginEnabled guard was removed from the password card condition.
Comments Outside Diff (1)
frontend/src/routes/(app)/account/+page.svelte, line 881-890 (link)showCreateKeyFormis set totrueby the "Add key" button click before the{#if permissionsManifest}block renders the sheet. If the user clicks the button during the brief window betweenonMountstarting andloadPermissionsManifestresolving, the sheet is not in the DOM yet and nothing visible happens. Consider keeping the sheet always mounted (removing the{#if}) or disabling the "Add key" button untilpermissionsManifestis non-null.Prompt To Fix With AI
Prompt To Fix All With AI
Reviews (3): Last reviewed commit: "fix: better rbac frontend UX for selecti..." | Re-trigger Greptile