fix: issues found in PBAC creation #22659

Merged: sean-brydon merged 6 commits into main from fix/pbac-role-list-ux on Jul 22, 2025
Conversation

@sean-brydon (Member)

What does this PR do?

Fixes the issues found here: #22467 (review)

  • When organization permission is set to "None", the "Roles and Permissions" option is still visible in the sidebar. Clicking it throws a 404.
  • When changing "organization" permission from "Read only" to another option, on page reload "Read only" is selected instead of the changed option.
  • Under advanced permission settings, when toggling a permission, the dropdown closes.
  • When changing permissions from "Read only" to "All" and then back to "Read only", I'm still seeing "All" permissions even after logging out of the user.

@sean-brydon sean-brydon requested review from a team as code owners July 21, 2025 08:35
@coderabbitai (Contributor)

coderabbitai bot commented Jul 21, 2025

Walkthrough

The changes introduce a new optional boolean property, canViewRoles, which is propagated through several components and hooks related to the settings sidebar and tabs. The useTabs hook now uses this property, in combination with the existing isPbacEnabled flag, to determine whether to include the "roles_and_permissions" menu item in the organization settings tab. The SettingsLayoutAppDir function is updated to fetch and compute the user's permission to view roles and passes this information to the client component. Additional changes include refining click handling logic in the AdvancedPermissionGroup component, filtering out permission keys starting with an underscore in the usePermissions hook, and expanding cache tag invalidation in the revalidateTeamRoles function.

Estimated code review effort

3 (30–60 minutes)

Possibly related PRs

  • feat: team roles ui pbac #22585: Introduces a TeamRolesNavItem component and updates TeamListCollapsible to conditionally render the roles tab based on PBAC feature flags for sub-teams, modifying the same SettingsLayoutAppDirClient.tsx file and relating to conditional visibility of roles UI elements based on permissions and feature flags.

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d8bbbc6 and ea72ef9.

📒 Files selected for processing (1)
  • apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/AdvancedPermissionGroup.tsx (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/AdvancedPermissionGroup.tsx

@github-actions (Contributor)

github-actions bot commented Jul 21, 2025

Hey there and thank you for opening this pull request! 👋🏼

We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted.

Details:

No release type found in pull request title "fix issues found in org PR". Add a prefix to indicate what kind of release this pull request corresponds to. For reference, see https://www.conventionalcommits.org/

Available types:
 - feat: A new feature
 - fix: A bug fix
 - docs: Documentation only changes
 - style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
 - refactor: A code change that neither fixes a bug nor adds a feature
 - perf: A code change that improves performance
 - test: Adding missing tests or correcting existing tests
 - build: Changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
 - ci: Changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
 - chore: Other changes that don't modify src or test files
 - revert: Reverts a previous commit

@keithwillcode keithwillcode added consumer core area: core, team members only labels Jul 21, 2025
@dosubot dosubot bot added organizations area: organizations, orgs 🐛 bug Something isn't working labels Jul 21, 2025
@delve-auditor
delve-auditor bot commented Jul 21, 2025

No security or compliance issues detected. Reviewed everything up to ea72ef9.

Security Overview
  • 🔎 Scanned files: 5 changed file(s)

Detected Code Changes (change type: Enhancement)
  • SettingsLayoutAppDirClient.tsx: Add role visibility control to settings sidebar
  • layout.tsx: Add server-side role permission checks
  • AdvancedPermissionGroup.tsx: Improve permission group UI and interaction
  • usePermissions.ts: Update permission handling logic
  • actions.ts: Add cache revalidation for roles

@coderabbitai (Contributor) left a comment

Actionable comments posted: 2

🔭 Outside diff range comments (1)
apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx (1)

270-270: Add missing dependency to useMemo.

The canViewRoles prop should be included in the dependency array since it's used in the memoized computation.

-  }, [isAdmin, orgBranding, isOrgAdminOrOwner, user, isDelegationCredentialEnabled]);
+  }, [isAdmin, orgBranding, isOrgAdminOrOwner, user, isDelegationCredentialEnabled, isPbacEnabled, canViewRoles]);
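Review bot: the comment text names only canViewRoles as the missing dependency, but the suggested line also adds isPbacEnabled; if the memoized computation reads isPbacEnabled too, say so in the comment, otherwise leave it out of the array. Worth stressing in the comment that a stale memo here is a permission-visibility bug, not a cosmetic one: the menu would keep showing (or hiding) "roles_and_permissions" until an unrelated dependency changes.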
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bb4260c and 46d155b.

📒 Files selected for processing (5)
  • apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx (9 hunks)
  • apps/web/app/(use-page-wrapper)/settings/(settings-layout)/layout.tsx (3 hunks)
  • apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/AdvancedPermissionGroup.tsx (1 hunks)
  • apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/usePermissions.ts (4 hunks)
  • apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/actions.ts (1 hunks)
🧰 Additional context used
🧬 Code Graph Analysis (1)
apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx (1)
packages/features/shell/Shell.tsx (1)
  • Shell (111-124)
🪛 Biome (1.9.4)
apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/usePermissions.ts

[error] 93-95: Other switch clauses can erroneously access this declaration.
Wrap the declaration in a block to restrict its access to the switch clause.

The declaration is defined in this switch clause:

Unsafe fix: Wrap the declaration in a block.

(lint/correctness/noSwitchDeclarations)

🔇 Additional comments (9)
apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/actions.ts (1)

12-16: LGTM! Expanded cache invalidation coverage.

The addition of general cache tags alongside team-specific ones ensures that permission-related cached data is properly refreshed when team roles change. This supports the new permission checking logic introduced in the layout components.

apps/web/app/(use-page-wrapper)/settings/(settings-layout)/layout.tsx (3)

29-36: LGTM! Well-structured cached permission fetching.

The new getCachedResourcePermissions function follows Next.js caching best practices with appropriate cache keys and revalidation settings. The 120-second revalidation aligns with the existing getTeamFeatures function.


46-46: LGTM! Proper permission checking implementation.

The server-side permission checking correctly:

  • Fetches role permissions concurrently with team features
  • Uses PermissionMapper.toActionMap to convert permissions to actionable flags
  • Checks for read permission on roles before enabling UI visibility
  • Handles the case where features might not exist

Also applies to: 51-63


69-69: LGTM! Clean prop threading to client component.

The canViewRoles flag is properly passed to the client component, enabling permission-based UI rendering.

apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/usePermissions.ts (1)

22-26: LGTM! Consistent filtering of internal permission keys.

The filtering of actions that start with "_" is consistently applied across all permission enumeration functions. This properly excludes internal/meta keys from user-actionable permissions while maintaining the same logic pattern throughout.

Also applies to: 35-37, 49-52

apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/AdvancedPermissionGroup.tsx (2)

71-85: LGTM! Improved click handling prevents unintended interactions.

The refined click handling logic properly separates concerns:

  • Button only toggles on direct clicks (excluding children)
  • Icon area has independent toggle handler
  • Icon rotation changed to more conventional 90 degrees

This prevents the dropdown from closing unexpectedly when users interact with child elements.


93-102: LGTM! Enhanced text interactivity.

Making the text spans clickable with proper cursor styling improves user experience by providing larger click targets for expanding/collapsing the permission group.

apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx (2)

187-191: LGTM! Proper permission-based menu filtering.

The implementation correctly combines feature flag checking (isPbacEnabled) with permission checking (canViewRoles) to ensure the roles and permissions menu item only appears when both conditions are met. This addresses the original issue where the menu would appear for users without proper permissions.

Also applies to: 228-235


297-297: LGTM! Comprehensive prop threading implementation.

The canViewRoles prop is properly threaded through all necessary components in the hierarchy, enabling consistent permission-based UI behavior throughout the settings layout.

Also applies to: 490-490, 520-520, 795-795, 801-801, 836-836, 859-859, 867-867, 884-884

@sean-brydon sean-brydon changed the title fix issues found in org PR fix: issues found in PBAC creation Jul 21, 2025
@joeauyeung (Contributor) left a comment

I'll approve this PR for the UI fixes.

Although something we need to follow up on sooner rather than later is deleting permissions. Right now when removing permissions from a role, we're not deleting those permissions in the RolePermissions table.
https://cap.link/j1pbhrg4pw2r0r3
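The follow-up above is the same root cause as the "Read only" to "All" and back to "Read only" report in the PR description: rows are added to RolePermissions but never removed. The block below is an added example of a reconcile step that deletes what the admin removed, not code from cal.com; RolePermissionRow, diffRolePermissions and the in-memory table are assumptions.

```typescript
// Added example (not the project's code). Reconciles the stored rows for a
// role against the permission set just saved, so that removing a permission
// deletes its row instead of leaving it in place. Names are assumptions.

type Perm = { resource: string; action: string };
type RolePermissionRow = Perm & { roleId: string };

const key = (p: Perm): string => `${p.resource}.${p.action}`;

// Compute the exact inserts and deletes needed to make `existing` equal
// `desired`. Meta keys ("_*") are never persisted as grants.
function diffRolePermissions(
  existing: RolePermissionRow[],
  desired: Perm[],
  roleId: string
): { toInsert: RolePermissionRow[]; toDelete: RolePermissionRow[] } {
  const want = new Map<string, Perm>(
    desired.filter((d) => !d.action.startsWith("_")).map((d) => [key(d), d] as [string, Perm])
  );
  const have = new Map<string, RolePermissionRow>(existing.map((e) => [key(e), e] as [string, RolePermissionRow]));
  const toInsert = Array.from(want.values())
    .filter((d) => !have.has(key(d)))
    .map((d) => ({ roleId, resource: d.resource, action: d.action }));
  const toDelete = Array.from(have.values()).filter((e) => !want.has(key(e)));
  return { toInsert, toDelete };
}

// In-memory stand-in for the RolePermissions table (constructed for the
// example). Rows belonging to other roles are left untouched.
function syncRolePermissions(table: RolePermissionRow[], roleId: string, desired: Perm[]): RolePermissionRow[] {
  const mine = table.filter((r) => r.roleId === roleId);
  const { toInsert, toDelete } = diffRolePermissions(mine, desired, roleId);
  const gone = new Set(toDelete.map(key));
  const kept = table.filter((r) => r.roleId !== roleId || !gone.has(key(r)));
  return kept.concat(toInsert);
}
```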

@sean-brydon sean-brydon merged commit 4e1048b into main Jul 22, 2025
63 of 64 checks passed
@sean-brydon sean-brydon deleted the fix/pbac-role-list-ux branch July 22, 2025 09:01
@github-actions (Contributor)

E2E results are ready!
