Add permision check for benchmark panel#2108
Conversation
|
There was a problem hiding this comment.
Pull request overview
Updates the secondary left side panel to conditionally show the Benchmark wizard based on user permissions, aligning the Benchmark panel visibility with the app’s authorization model (OPS-3693).
Changes:
- Introduces
useAuthorization-based gating for showing the Benchmark wizard panel content. - Adjusts panel visibility/minimize behavior to depend on
shouldShowBenchmarkrather than the rawisBenchmarkWizardOpenflag.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
| const shouldShowBenchmark = hasBenchmarkAccess && isBenchmarkWizardOpen; | ||
| const shouldShowPanelContent = shouldShowBenchmark || shouldShowAiChat; |
There was a problem hiding this comment.
When hasBenchmarkAccess is false but isBenchmarkWizardOpen is true, shouldShowBenchmark becomes false and the wizard is hidden, but the global store state remains "open". Since useOpenBenchmarkWizard can still set isBenchmarkWizardOpen(true) without checking permissions, this can leave the app in an inconsistent state where the benchmark wizard is logically open but invisible. Consider auto-closing (setIsBenchmarkWizardOpen(false)) when access is missing, or enforcing the permission check at the point where the wizard is opened.
| const { checkAccess } = useAuthorization(); | ||
| const hasBenchmarkAccess = | ||
| checkAccess(Permission.WRITE_FLOW) && | ||
| checkAccess(Permission.READ_APP_CONNECTION); |
There was a problem hiding this comment.
hasBenchmarkAccess relies on checkAccess(...), but useAuthorization().checkAccess is currently implemented as return true (packages/react-ui/src/app/common/hooks/authorization-hooks.ts:9-11). As a result, this change does not actually add a permission check and the benchmark panel will still always be shown when isBenchmarkWizardOpen is true. Consider implementing real permission evaluation in useAuthorization (or using an existing authorization source) so this gating is effective.
| const { checkAccess } = useAuthorization(); | ||
| const hasBenchmarkAccess = | ||
| checkAccess(Permission.WRITE_FLOW) && | ||
| checkAccess(Permission.READ_APP_CONNECTION); |
There was a problem hiding this comment.
The access check uses Permission.READ_APP_CONNECTION, but the Benchmark wizard can open CreateOrEditConnectionDialog (benchmark-wizard.tsx -> ProviderConnectionDialog) which performs connection upsert/patch calls. This flow typically requires Permission.WRITE_APP_CONNECTION (e.g., connection-select.tsx uses WRITE_APP_CONNECTION). Using only READ permission may still expose a wizard UI that cannot successfully complete for users who lack connection write access.
| checkAccess(Permission.READ_APP_CONNECTION); | |
| checkAccess(Permission.WRITE_APP_CONNECTION); |
|
With this change, we are still giving the user the chance to click the Benchmark banner on the homepage. I suggest we:
|
Fixes OPS-3693