Conversation

@eiresendez (Contributor) commented Dec 11, 2025

Issue & Reproduction Steps

A non-admin project owner with all project permissions could not add members in Designer because the users_task_count endpoint returned 403. The route is protected by can:view-users, but project managers don’t have that global permission.

  1. Create a non-admin user, grant all project permissions, set as project owner.
  2. Log in as that user, go to Designer → Projects, open a project and try to add a member.
  3. The request to GET /api/1.0/users_task_count fails with 403, showing an authorization error.

Solution

  • Override the view-users gate to also allow users with create-projects, enabling project managers/owners to call users_task_count without needing the global view-users permission.

How to Test

  1. Ensure a user has create-projects (project manager/owner) but not view-users.
  2. Log in as that user and navigate to Designer → Projects → open a project.
  3. Use the member selector; adding/searching members should succeed, and GET /api/1.0/users_task_count should return 200 instead of 403.

Related Tickets & Packages

ci:deploy
ci:package-projects:bugfix/FOUR-25264

Code Review Checklist

  • I have pulled this code locally and tested it on my instance, along with any associated packages.
  • This code adheres to ProcessMaker Coding Guidelines.
  • This code includes a unit test or an E2E test that tests its functionality, or is covered by an existing test.
  • This solution fixes the bug reported in the original ticket.
  • This solution does not alter the expected output of a component in a way that would break existing Processes.
  • This solution does not implement any breaking changes that would invalidate documentation or cause existing Processes to fail.
  • This solution has been tested with enterprise packages that rely on its functionality and does not introduce bugs in those packages.
  • This code does not duplicate functionality that already exists in the framework or in ProcessMaker.
  • This ticket conforms to the PRD associated with this part of ProcessMaker.
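The Solution bullet above proposes widening the global view-users gate so that holders of create-projects pass it too. The block below is an added illustration, not ProcessMaker's code or anything from this PR's diff: it shows that override as a Laravel gate definition next to a narrower alternative that scopes the relaxation to the one endpoint project managers actually need. It assumes a Laravel application whose User model exposes hasPermission(string): bool (an assumption); the ability name view-users, the permission create-projects and the route /api/1.0/users_task_count come from the description. The PR was later retitled (see the timeline below) to switching project user selectors to /users, so the merged change may not match the gate override shown here.

```php
<?php
// Added illustration, not ProcessMaker's own code. Assumes a Laravel application
// whose User model exposes hasPermission(string $name): bool (assumption); the
// ability 'view-users', the permission 'create-projects' and the route
// /api/1.0/users_task_count are taken from the PR description.

namespace App\Providers;

use App\Models\User;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Gate;

class AuthServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Option A, the override the description proposes: widen the global
        // ability. Smallest code change, but every route protected by
        // `can:view-users` (not only users_task_count) now admits anyone holding
        // create-projects, so enumerate the routes using that middleware before
        // shipping it.
        Gate::define('view-users', function (User $user): bool {
            return $user->hasPermission('view-users')
                || $user->hasPermission('create-projects');
        });

        // Option B, narrower: leave 'view-users' untouched and add a
        // purpose-specific ability for the one endpoint project managers need.
        // Only the route re-pointed at this ability changes behaviour; the
        // global permission keeps its original meaning everywhere else.
        Gate::define('view-users-task-count', function (User $user): bool {
            return $user->hasPermission('view-users')
                || $user->hasPermission('create-projects');
        });
    }
}

/*
 * With option B the route registration (routes/api.php; the controller and
 * method names here are hypothetical) switches middleware from
 * `can:view-users` to the new ability:
 *
 *   Route::get('users_task_count', [UserController::class, 'getUsersTaskCount'])
 *       ->middleware('can:view-users-task-count');
 */
```

Whichever option is chosen, the regression test worth adding is a feature test that logs in (actingAs) a user holding create-projects but not view-users and asserts 200 from GET /api/1.0/users_task_count, plus a second case with neither permission that still asserts 403; option A should additionally keep a test that an unrelated route behind can:view-users still rejects the create-projects-only user, since that is the route set the override silently widens.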

@vladyrichter: QA server K8S was successfully deployed https://ci-578647db74.engk8s.processmaker.net

@eiresendez eiresendez requested review from PaolaPellegrini and removed request for PaolaPellegrini December 12, 2025 22:46
@eiresendez eiresendez changed the title FOUR-25264: Allow project managers to load users_task_count without full view-users permission FOUR-25264: Prevent Admin menu from appearing for project-only users by switching project user selectors to /users Dec 18, 2025

@processmaker-sonarqube: Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@CarliPinell (Contributor) left a comment:

approved!
