feat: client side access control (WIP)

[zlwaterfield]

Changes

(this is still a WIP but wanted feedback on the implementation so far)

Follow along with all RBAC changes here: #24512

This PR is starting to layer on the client side access control changes. This PR is trying to layer on these changes without affecting this current experience. The main goal is to block access to actions where the user does not have access (editing, renaming, deleting, etc.). The API handles all this but we want the client to properly render what actions the user has access to.

It includes

• API middleware to render UI for access denied when a resource being loaded 403s
• New AccessControlAction wrapper component to make the experience consistent for showing the user doesn't have access - takes in required levels and current levels and returns a message if they don't have access and why
• New hasResourceAccess method in the access control logic that the AccessControlAction uses to determine access

TODO:

• client
  • only run API middleware for access when feature flag is on
  • get the access control check for canEditInsight and canEditDashboard working
  • thinking through what edit access means - duplicating? editing SQL? adding insight to dashboard?
  • review feature flag can_edit and make sure this doesn't break anything + works as expected going forward
  • make sure all edit level actions are being covered for feature flags, notebooks, insights and dashboards
• API
  • limit list requests from API for Insights and Dashboards
  • dashboard retrieve access is not working

Note: this has not been implemented for projects, teams, or environments - it's focused on resources.

Feedback

Asking all leads for reviews as this will affect all teams once implemented. Please provide thoughts/feedback on the way this implemented. This is attempting to make a reuseable pattern to it's easy to add access level checks.

An alternative approach could be to return an object from hasResourceAccess which has the disabled reason and the wrapper is not needed.

👉 Stay up-to-date with PostHog coding conventions for a smoother review.

Does this work well for both Cloud and self-hosted?

Yes

How did you test this code?

Manually testing + will add some snapshots

[zlwaterfield]

importing feature flag logic here is breaking this logic so haven't figured out this check yet

[zlwaterfield]

Need to figure out how to access access control logic hasResourceAccess

[zlwaterfield]

Need to figure out how to access access control logic hasResourceAccess

[github-actions]

Size Change: +1.27 kB (+0.01%)

Total Size: 9.44 MB

Filename	Size	Change
frontend/dist/toolbar.js	9.44 MB	+1.27 kB (+0.01%)

_{compressed-size-action}

[posthog-bot]

This PR hasn't seen activity in a week! Should it be merged, closed, or further worked on? If you want to keep it open, post a comment or remove the stale label – otherwise this will be closed in another week. If you want to permanentely keep it open, use the waiting label.

[zlwaterfield]

This was a bug I shipped on another PR.

[zlwaterfield]

This is not fool proof because it looks at all requests and I only really want to look at specific ones.

[zlwaterfield]

Going to close this and split into multiple PRs because it got bigger than expected.