fix: [UIE-9477] - IAM: disable delete and detach popups for Volumes when user has no permissions#13049
Merged
mpolotsk-akamai merged 2 commits intolinode:developfrom Nov 5, 2025
Conversation
… popups without permissions
mpolotsk-akamai
force-pushed
the
UIE-9477-volumes-perm-fix
branch
from
1c524fc to
54146d9
Compare
Cloud Manager UI test results🔺 2 failing tests on test run #3 ↗︎
Details
TroubleshootingUse this command to re-run the failing tests: pnpm cy:run -s "cypress/e2e/core/stackscripts/update-stackscripts.spec.ts,cypress/e2e/core/stackscripts/create-stackscripts.spec.ts" |
||||||||||||||||||||
abailly-akamai
approved these changes
Nov 5, 2025
abailly-akamai
pushed a commit
to abailly-akamai/manager
that referenced
this pull request
Nov 7, 2025
…hen user has no permissions (linode#13049) * fix: [UIE-9477] - IAM: Disable delete and detach popups for Volumes if no permissions * Added changeset: IAM: restricted users could access delete and detach popups without permissions
abailly-akamai
added a commit
that referenced
this pull request
Nov 7, 2025
* initial commit * Added changeset: Address oAuth issue with IAM OAuthCallback * fix: [UIE-9456 & UIE-9457] - Typo + expose search filters on /iam/roles route (#13034) * UIE-9456 & UIE-9457 * test * Added changeset: Typo + expose search filters on /iam/roles route * feat: [UIE-9481] - IAM: add perm check for the drawer (#13043) * feat: [UIE-9481] - IAM: add perm check for the drawer * Added changeset: IAM: add a permission check for delete nodebalancer drawer * feat: [UIE-9503] - add empty state to Default Roles/Entities tab (#13042) * feat: add empty state to Default Roles/Entities table * Added changeset: IAM: Empty state for the Default Roles and Default Entities Access tabs * update text * add unit tests * review fix * unit test fix * fix: [UIE-9478] - IAM: disable tag edit (#13046) * fix: [UIE-9478] - IAM: disable tag edit * Added changeset: IAM: tags editing was enabled for restricted users * fix: [UIE-9478] - add tooltip, disable manage tags in Volume action menu * style fix * Cloud version 1.154.0, API v4 version 0.152.0, Validation version 0.78.0, UI version 0.23.0 * Cloud version 1.154.0, API v4 version 0.152.0, Validation version 0.78.0, UI version 0.23.0 * fix: [M3-10698] - Update linode/clone endpoint and label calculations for < 1 hour (#13045) * fix: [M3-9498] - Update linode/clone endpoint and label calculations for < 1 hour * Add changelogs --------- Co-authored-by: Jaalah Ramos <jaalah.ramos@gmail.com> * fix: [UIE-9520] - IAM Child Account - user not found error handling (#13047) * try/cath child user query * consistent handling * types * Added changeset: IAM Child Account - user not found error handling * fix: [UIE-9477] - IAM: disable delete and detach popups for Volumes when user has no permissions (#13049) * fix: [UIE-9477] - IAM: Disable delete and detach popups for Volumes if no permissions * Added changeset: IAM: restricted users could access delete and detach popups without permissions * upcoming: [UIE-9434] - Create feature flag for generational compute plans (#13054) * upcoming: [UIE-9434] - Create feature flag for generational compute plans * Added changeset: Feature flag for Generational Compute plans * test: [DPS-34825] Add cypress tests for Create/Edit Stream forms and Streams Landing (#13008) * refactor: [DI-27807] - Change status of edit & delete button in alert list table based on status (#13052) * refactor: [DI-27807] - Change status of edit & delete button in alert list table based on status * Added comment * Added changeset * refactor: [DI-27807] - Updated test cases * upcoming: [UIE-9368] - Create a firewall Rulesets & Preflixlists feature flag (#13051) * Add firewall rs & pl feature flag * Added changeset: Feature flag for Firewall Rulesets & Prefixlists * feat: [UIE-9341, UIE-9342, UIE-9521] - IAM: fix perm for vpcs (#13050) * UIE-9342 * UIE-9341 * feat: [UIE-9341, UIE-9342, UIE-9521] - IAM: fix perm for vpc * Added changeset: IAM: fix permissiom's check for vpc for assigning/unassigning linodes * filter linodes * e2e deferred getLinodes call --------- Co-authored-by: Alban Bailly <abailly@akamai.com> * refactor: [UIE-9325] - Replace Formik with React Hook Form in AddAccessControlDrawer (#13044) ## Description 📝 Refactor Database Manage Networking drawer to use React Hook Form instead of Formik ## Changes 🔄 - There should be no visual external changes other than IP validation on blur instead of after clicking Update Access Controls ## How to test 🧪 ### Prerequisites (How to setup test environment) - Have the Database VPC feature flag enabled ### Verification steps (How to verify changes) - [ ] Test adding/editing IPs in the Database landing page via Manage Access Controls action dropdown - [ ] Test adding/editing IPs in the Database details page via the Networking tab - [ ] There should be no regressions compared to prod, error messages should display * [UIE-9533] -Hopeful fix: Race condition with Preferences overrides in PrimaryNav (#13056) * attempt to rule out any race condition * comments * code and fixes * cleanup * Added changeset: Race condition with Preferences overrides in PrimaryNav * feat: [UIE-9393] - IAM Parent/Child: delegate permissions for child account (#13033) * feat: [UIE-9393] - IAM Parent/Child: delegate permissions for child account * changesets * remove the unrestricted check for query * fix conflict * e2e gating * lint fix * better approach to fixing e2e * Mock IAM to be disabled in Account Switching test --------- Co-authored-by: Alban Bailly <abailly@akamai.com> Co-authored-by: Alban Bailly <130582365+abailly-akamai@users.noreply.github.com> Co-authored-by: Joe D'Amore <jdamore@akamai.com> * feat: [UIE-9534] - IAM: fix perm for nodebalancer (#13058) * feat: [UIE-9534] - IAM: add tooltips * Added changeset: IAM: add tooltips for disabled buttons for nodebalancers, remove notification banner * update text * remove tooltip * change:[UIE-9541] Add MSW crud support for types API (#13067) * change:[UIE-9541] Add MSW crud support for types API * Added changeset: Add MSW crud support for types API * Added changeset: Add MSW crud support for types API --------- Co-authored-by: aaleksee-akamai <aaleksee@akamai.com> Co-authored-by: mpolotsk-akamai <157619599+mpolotsk-akamai@users.noreply.github.com> Co-authored-by: Dajahi Wiley <dwiley@linode.com> Co-authored-by: Jaalah Ramos <125309814+jaalah-akamai@users.noreply.github.com> Co-authored-by: Jaalah Ramos <jaalah.ramos@gmail.com> Co-authored-by: grevanak-akamai <145482092+grevanak-akamai@users.noreply.github.com> Co-authored-by: mduda-akamai <mduda@akamai.com> Co-authored-by: Nikhil Agrawal <165884194+nikhagra-akamai@users.noreply.github.com> Co-authored-by: Purvesh Makode <pmakode@akamai.com> Co-authored-by: Hana Xu <115299789+hana-akamai@users.noreply.github.com> Co-authored-by: Joe D'Amore <jdamore@akamai.com>
This was referenced Nov 13, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description 📝
This PR fixes an issue where users with the volume_viewer role could manually access Delete and Detach popups via direct URLs, allowing unauthorized requests.
Changes 🔄
List any change(s) relevant to the reviewer.
Scope 🚢
Upon production release, changes in this PR will be visible to:
Target release date 🗓️
November 18th
Preview 📷
How to test 🧪
Prerequisites
(How to setup test environment)
volume_viewerroleVerification steps
(How to verify changes)
navigate to the following routes manually:
verify that Delete and Detach actions are disabled when the user does not have the required permissions
Author Checklists
As an Author, to speed up the review process, I considered 🤔
👀 Doing a self review
❔ Our contribution guidelines
🤏 Splitting feature into small PRs
➕ Adding a changeset
🧪 Providing/improving test coverage
🔐 Removing all sensitive information from the code and PR description
🚩 Using a feature flag to protect the release
👣 Providing comprehensive reproduction steps
📑 Providing or updating our documentation
🕛 Scheduling a pair reviewing session
📱 Providing mobile support
♿ Providing accessibility support
As an Author, before moving this PR from Draft to Open, I confirmed ✅