spring-cloud-dataflow-ui

Manage navigation entry is not hidden if the user does not have ROLE_MANAGE

Open klopfdreh opened this issue 3 years ago • 6 comments

Hey,

I was expecting the menu entry to be hidden when the user does not have the role "ROLE_MANAGE" in the Spring Cloud Data Flow server UI:

image

My question is how I can make this entry not visible with "Customizing Authorization" mentioned here: https://docs.spring.io/spring-cloud-dataflow/docs/current/reference/htmlsingle/#configuration-security-customizing-authorization

kind regards and thanks in advance.

klopfdreh Apr 11 '22 10:04

Maybe add [appRole]="['ROLE_MANAGE']" to the tag https://github.com/spring-cloud/spring-cloud-dataflow-ui/blob/main/ui/src/app/layout/nav/nav.component.html#L66 and remove [appRole]="[]" from https://github.com/spring-cloud/spring-cloud-dataflow-ui/blob/main/ui/src/app/layout/nav/nav.component.html#L77

klopfdreh Apr 12 '22 11:04

Hi @klopfdreh, ROLE_MANAGE is not meant to be used on the UI part (see the definition you pointed to). We will have a discussion with the team in the following days to see how we can answer this request.

oodamien Apr 20 '22 12:04

Hey @oodamien, yes I saw it - only for the Spring Boot admin actuator endpoints. Thanks for the information, I'll wait for your answer. 👍

klopfdreh Apr 20 '22 13:04

Thanks for the input, we are going to review this functionality and look into defining new roles that will make these menu options available that are separate from the current use of the role_manage for actuator endpoints.

markpollack Apr 21 '22 14:04

Sounds great! Looking forward to that implementation. You can add me as a reviewer. 👍

klopfdreh Apr 21 '22 18:04

Hey @markpollack / @oodamien - are there any updates on when this feature is going to be implemented?

Currently I am patching the UI manually so that the Manage menu entry is not shown when you don't have the ROLE_MANAGE.

Unfortunately, this is not very secure as this entry is only hidden but you can still access it when you know the path.

klopfdreh Mar 08 '23 07:03
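
Added example, not part of the thread or of the project's code: a framework-free TypeScript model of the gap described in the last comment, where a role-filtered menu hides the Manage entry but navigation by path still succeeds unless the same role check also runs as a route guard. The route table, the paths and all function names are hypothetical.

```typescript
// Added illustration; names and paths are hypothetical, not taken from
// spring-cloud-dataflow-ui.
type Role = string;

interface RouteDef {
  path: string;          // constructed sample path
  label: string;         // text shown in the navigation
  requiredRoles: Role[]; // empty list = no role needed
}

// Constructed sample route table.
const ROUTES: RouteDef[] = [
  { path: "/streams", label: "Streams", requiredRoles: ["ROLE_VIEW"] },
  { path: "/manage/example", label: "Manage", requiredRoles: ["ROLE_MANAGE"] },
];

// Single source of truth for the role decision, shared by menu and router.
function hasAnyRole(userRoles: Role[], required: Role[]): boolean {
  return required.length === 0 || required.some((r) => userRoles.includes(r));
}

// What a template-level role attribute achieves: it only filters what is drawn.
function visibleNavEntries(userRoles: Role[]): string[] {
  return ROUTES.filter((r) => hasAnyRole(userRoles, r.requiredRoles)).map((r) => r.label);
}

// Router with hiding only: every known path resolves, whatever the roles are.
function navigateHiddenOnly(path: string, _userRoles: Role[]): "rendered" | "not-found" {
  return ROUTES.some((r) => r.path === path) ? "rendered" : "not-found";
}

// Router with a guard: the same role decision is applied again on navigation.
function navigateGuarded(
  path: string,
  userRoles: Role[],
): "rendered" | "denied" | "not-found" {
  const route = ROUTES.find((r) => r.path === path);
  if (!route) return "not-found";
  return hasAnyRole(userRoles, route.requiredRoles) ? "rendered" : "denied";
}
```

Even the guarded variant runs in the browser, so the server-side authorization rules remain the enforcement point for whatever the Manage pages call.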