
fix: add role guard to user officer proposals table #1523

Merged
ChongJiaChua merged 1 commit into develop from 990_Restrict_Proposals_Table_Access on May 20, 2026

Conversation

@ChongJiaChua
Contributor

Closes UserOfficeProject/issue-tracker/issues/990

Description

Currently, unauthorized roles could access the ProposalTableOfficer component by navigating to the /Proposals route manually. This change makes it such that only the User Officer and Proposal Reader roles are allowed to access it. Any unauthorized roles attempting to access the /Proposals route directly will be redirected back to the main dashboard (/).

Motivation and Context

How Has This Been Tested

Fixes

Changes

Frontend AppRoutes.tsx:

  • Added conditional guards based on user roles (isUserOfficer || isProposalReader)
  • Added a fallback route for /Proposals that redirects unauthorized roles back to /

Depends on

Tests included/Docs Updated?

  • I have added tests to cover my changes.
  • All relevant doc has been updated

@ChongJiaChua ChongJiaChua requested a review from a team as a code owner May 19, 2026 16:10
@ChongJiaChua ChongJiaChua requested review from simonfernandes and removed request for a team May 19, 2026 16:10
@ChongJiaChua ChongJiaChua self-assigned this May 19, 2026
YufanKambang
YufanKambang previously approved these changes May 20, 2026
@YufanKambang YufanKambang dismissed their stale review May 20, 2026 08:19

noticed something

@YufanKambang
Contributor

The client side for the code can still be affected. Not sure if this is needed, but making sure that the API layer that supplies data to the /Proposals page also checks for the correct roles of the user.

This exists here:

@Authorized([Roles.USER_OFFICER, Roles.PROPOSAL_READER])

it is defended

@ChongJiaChua
Contributor Author

> The client side for the code can still be affected. Not sure if this is needed, but making sure that the API layer that supplies data to the /Proposals page also checks for the correct roles of the user.
>
> This exists here:
>
> @Authorized([Roles.USER_OFFICER, Roles.PROPOSAL_READER])
>
> it is defended

Yeap, the backend already prevented unauthorised users from accessing the data so this PR just stops them from navigating to the page.
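The two layers this exchange is about, as an added example that is not the project's code: the client-side route guard from the PR description (roles allowed to render /Proposals, everyone else redirected to /) and the server-side role check the reviewer points at, modelled on the quoted `@Authorized([...])` decorator but written as a plain higher-order function so it runs in plain TypeScript without React or decorator support. The role names mirror the `Roles` constants quoted in the thread; the route table, the `User` shape, the function names (`resolveRoute`, `authorized`, `getProposals`, `checkAccess`) and the sample proposals are constructed assumptions. The route table generalizes the single `isUserOfficer || isProposalReader` guard to any number of protected routes.

```typescript
// Added example, not the project's code: a role guard in two layers.
// Role names mirror the Roles constants quoted in the thread; everything
// else (route table, User shape, function names, sample data) is assumed.

enum Roles {
  USER_OFFICER = "user_officer",
  PROPOSAL_READER = "proposal_reader",
  USER = "user",
}

interface User {
  id: number;
  currentRole: Roles;
}

// ---- Layer 1: client-side route guard (navigation only) ----------------
// Stands in for the AppRoutes.tsx change: a protected route lists the roles
// allowed to render it and a fallback path for everyone else. Strings stand
// in for JSX elements so the logic runs without React.

interface RouteDef {
  path: string;
  element: string;
  allowedRoles?: readonly Roles[]; // omitted = any signed-in role
  fallback?: string;               // where unauthorized roles are sent
}

type RouteOutcome = { render: string } | { redirectTo: string };

const ROUTES: readonly RouteDef[] = [
  { path: "/", element: "Dashboard" },
  {
    path: "/Proposals",
    element: "ProposalTableOfficer",
    allowedRoles: [Roles.USER_OFFICER, Roles.PROPOSAL_READER],
    fallback: "/",
  },
];

function resolveRoute(path: string, user: User): RouteOutcome {
  const route = ROUTES.find((r) => r.path === path);
  if (route === undefined) {
    return { redirectTo: "/" }; // unknown path: send to the dashboard
  }
  if (route.allowedRoles !== undefined && !route.allowedRoles.includes(user.currentRole)) {
    return { redirectTo: route.fallback ?? "/" };
  }
  return { render: route.element };
}

// ---- Layer 2: server-side role check (the actual enforcement) -----------
// Models the @Authorized([...]) decorator the reviewer quotes, as a plain
// higher-order function. The wrapped handler never runs for a caller whose
// role is not on the list, whatever the client did with the route.

class ForbiddenError extends Error {
  constructor(role: Roles) {
    super(`role "${role}" is not authorized for this operation`);
    this.name = "ForbiddenError";
  }
}

function authorized<TArgs extends unknown[], TResult>(
  allowed: readonly Roles[],
  handler: (caller: User, ...args: TArgs) => TResult,
): (caller: User, ...args: TArgs) => TResult {
  const allowedSet = new Set<Roles>(allowed);
  return (caller, ...args) => {
    if (!allowedSet.has(caller.currentRole)) {
      throw new ForbiddenError(caller.currentRole);
    }
    return handler(caller, ...args);
  };
}

// Constructed sample data and a guarded resolver for the proposals table.
interface Proposal { id: number; title: string; }
const PROPOSALS: readonly Proposal[] = [
  { id: 1, title: "Sample proposal A" },
  { id: 2, title: "Sample proposal B" },
];

const getProposals = authorized(
  [Roles.USER_OFFICER, Roles.PROPOSAL_READER],
  (_caller: User): readonly Proposal[] => PROPOSALS,
);

// Walks both layers for one user: what the router does with /Proposals and
// whether the data call still succeeds if the client redirect is bypassed.
function checkAccess(user: User): { route: RouteOutcome; dataAllowed: boolean } {
  const route = resolveRoute("/Proposals", user);
  let dataAllowed = true;
  try {
    getProposals(user);
  } catch (err) {
    if (!(err instanceof ForbiddenError)) throw err;
    dataAllowed = false;
  }
  return { route, dataAllowed };
}

console.log(checkAccess({ id: 1, currentRole: Roles.USER }));
console.log(checkAccess({ id: 2, currentRole: Roles.USER_OFFICER }));
```

For a plain `USER` role the first layer redirects to `/` and the second layer throws `ForbiddenError`, which is the point of the review: the route guard only stops navigation, the handler check is what stops the data from being read.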

@ChongJiaChua ChongJiaChua merged commit 5d466c9 into develop May 20, 2026
23 checks passed
@ChongJiaChua ChongJiaChua deleted the 990_Restrict_Proposals_Table_Access branch May 20, 2026 11:10


Development

Successfully merging this pull request may close these issues.

As a user Proposals route is loading and empty ProposalTableOfficer table.

3 participants