flowfuse icon indicating copy to clipboard operation
flowfuse copied to clipboard
verified publisher icon FlowFuse

Teams without the emailAlerts feature can setup alerts if they access the url dirrectly

Open cstns opened this issue 9 months ago • 0 comments

Current Behavior

While teams without the team.type.properties.features.emailAlerts feature enabled can't access the instance alert settings via the ui, they can do so by accessing the url dirrectly. Once there they can set alerts unimpeded.

There should be backend checks for the team feature state to prevent this.

Expected Behavior

Teams without the emailAlerts feature enabled should not be allowed to set alerts even if they access the ui

Steps To Reproduce

access an instance's alerts settings url dirrectly /instance/<instance-id>/settings/alerts that's part of a team that doesn't have the emailAlerts feature enabled and setup alerts

Environment

  • FlowFuse version: 2.15.0
  • Node.js version: N/A
  • npm version: N/A
  • Platform/OS: N/A
  • Browser: N/A

Have you provided an initial effort estimate for this issue?

I have provided an initial effort estimate

cstns avatar Mar 25 '25 15:03 cstns