PostHog · zlwaterfield · Jan 17, 2025 · Jan 17, 2025 · Jan 17, 2025 · Jan 17, 2025
diff --git a/frontend/__snapshots__/scenes-app-feature-flags--edit-feature-flag--light.png b/frontend/__snapshots__/scenes-app-feature-flags--edit-feature-flag--light.png
diff --git a/...snapshots__/scenes-app-feature-flags--edit-multi-variate-feature-flag--dark.png b/...snapshots__/scenes-app-feature-flags--edit-multi-variate-feature-flag--dark.png
diff --git a/frontend/__snapshots__/scenes-app-insights--trends-area--light--webkit.png b/frontend/__snapshots__/scenes-app-insights--trends-area--light--webkit.png
diff --git a/frontend/__snapshots__/scenes-app-insights--trends-bar--light--webkit.png b/frontend/__snapshots__/scenes-app-insights--trends-bar--light--webkit.png
diff --git a/frontend/__snapshots__/scenes-app-insights--trends-pie--light--webkit.png b/frontend/__snapshots__/scenes-app-insights--trends-pie--light--webkit.png
diff --git a/frontend/__snapshots__/scenes-app-insights--trends-world-map--light--webkit.png b/frontend/__snapshots__/scenes-app-insights--trends-world-map--light--webkit.png
diff --git a/frontend/src/lib/components/AccessControlAction.tsx b/frontend/src/lib/components/AccessControlAction.tsx
@@ -0,0 +1,46 @@
+type AccessControlLevelNone = 'none'
+type AccessControlLevelMember = AccessControlLevelNone | 'member' | 'admin'
+type AccessControlLevelResource = AccessControlLevelNone | 'viewer' | 'editor'
+type AccessControlLevel = AccessControlLevelMember | AccessControlLevelResource
+
+interface AccessControlActionProps {
+    children: (props: { disabled: boolean; disabledReason: string | null }) => React.ReactElement
+    userAccessLevel?: AccessControlLevel
+    minAccessLevel: AccessControlLevel
+    resourceType: string
+}
+
+const orderedAccessLevels = (resourceType: string): AccessControlLevel[] => {
+    if (resourceType === 'project' || resourceType === 'organization') {
+        return ['none', 'member', 'admin']
+    }
+    return ['none', 'viewer', 'editor']
+}
+
+const accessLevelSatisfied = (
+    resourceType: string,
+    currentLevel: AccessControlLevel,
+    requiredLevel: AccessControlLevel
+): boolean => {
+    const levels = orderedAccessLevels(resourceType)
+    return levels.indexOf(currentLevel) >= levels.indexOf(requiredLevel)
+}
+
+// This is a wrapper around a component that checks if the user has access to the resource
+// and if not, it disables the component and shows a reason why
+export const AccessControlAction = ({
+    children,
+    userAccessLevel,
+    minAccessLevel,
+    resourceType = 'resource',
+}: AccessControlActionProps): JSX.Element => {
+    const hasAccess = userAccessLevel ? accessLevelSatisfied(resourceType, userAccessLevel, minAccessLevel) : false
+    const disabledReason = !hasAccess
+        ? `You don't have sufficient permissions for this ${resourceType}. Your access level (${userAccessLevel}) doesn't meet the required level (${minAccessLevel}).`
+        : null
+
+    return children({
+        disabled: !hasAccess,
+        disabledReason,
+    })
+}
diff --git a/frontend/src/lib/components/AccessControlledLemonButton.tsx b/frontend/src/lib/components/AccessControlledLemonButton.tsx
@@ -0,0 +1,32 @@
+import { LemonButton, LemonButtonProps } from 'lib/lemon-ui/LemonButton'
+
+import { WithAccessControl } from '../../types'
+import { AccessControlAction } from './AccessControlAction'
+
+export type AccessControlledLemonButtonProps = LemonButtonProps & {
+    userAccessLevel?: WithAccessControl['user_access_level']
+    minAccessLevel: WithAccessControl['user_access_level']
+    resourceType: string
+}
+
+export const AccessControlledLemonButton = ({
+    userAccessLevel,
+    minAccessLevel,
+    resourceType,
+    children,
+    ...props
+}: AccessControlledLemonButtonProps): JSX.Element => {
+    return (
+        <AccessControlAction
+            userAccessLevel={userAccessLevel}
+            minAccessLevel={minAccessLevel}
+            resourceType={resourceType}
+        >
+            {({ disabledReason: accessControlDisabledReason }) => (
+                <LemonButton {...props} disabledReason={accessControlDisabledReason || props.disabledReason}>
+                    {children}
+                </LemonButton>
+            )}
+        </AccessControlAction>
+    )
+}
diff --git a/frontend/src/lib/components/Cards/InsightCard/InsightMeta.tsx b/frontend/src/lib/components/Cards/InsightCard/InsightMeta.tsx
@@ -79,6 +79,8 @@ export function InsightMeta({
     const { nameSortedDashboards } = useValues(dashboardsModel)
 
     const otherDashboards = nameSortedDashboards.filter((d) => !dashboards?.includes(d.id))
+
+    // (@zach) Access Control TODO: add access control checks for remove from dashboard
     const editable = insight.effective_privilege_level >= DashboardPrivilegeLevel.CanEdit
 
     const summary = useSummarizeInsight()(insight.query)

diff --git a/frontend/src/scenes/dashboard/DashboardHeader.tsx b/frontend/src/scenes/dashboard/DashboardHeader.tsx
@@ -1,5 +1,6 @@
 import { useActions, useValues } from 'kea'
 import { router } from 'kea-router'
+import { AccessControlledLemonButton } from 'lib/components/AccessControlledLemonButton'
 import { TextCardModal } from 'lib/components/Cards/TextCard/TextCardModal'
 import { EditableField } from 'lib/components/EditableField/EditableField'
 import { ExportButton, ExportButtonItem } from 'lib/components/ExportButton/ExportButton'
@@ -260,16 +261,20 @@ export function DashboardHeader(): JSX.Element | null {
                                             >
                                                 Create notebook from dashboard
                                             </LemonButton>
+
                                             {canEditDashboard && (
-                                                <LemonButton
+                                                <AccessControlledLemonButton
+                                                    userAccessLevel={dashboard.user_access_level}
+                                                    minAccessLevel="editor"
+                                                    resourceType="dashboard"
                                                     onClick={() => {
                                                         showDeleteDashboardModal(dashboard.id)
                                                     }}
                                                     status="danger"
                                                     fullWidth
                                                 >
                                                     Delete dashboard
-                                                </LemonButton>
+                                                </AccessControlledLemonButton>
                                             )}
                                         </>
                                     ) : undefined
@@ -292,25 +297,30 @@ export function DashboardHeader(): JSX.Element | null {
                                 </>
                             )}
                             {dashboard ? (
-                                <LemonButton
+                                <AccessControlledLemonButton
+                                    userAccessLevel={dashboard.user_access_level}
+                                    minAccessLevel="editor"
+                                    resourceType="dashboard"
                                     onClick={showAddInsightToDashboardModal}
                                     type="primary"
                                     data-attr="dashboard-add-graph-header"
-                                    disabledReason={canEditDashboard ? null : DASHBOARD_CANNOT_EDIT_MESSAGE}
                                     sideAction={{
                                         dropdown: {
                                             placement: 'bottom-end',
                                             overlay: (
                                                 <>
-                                                    <LemonButton
+                                                    <AccessControlledLemonButton
+                                                        userAccessLevel={dashboard.user_access_level}
+                                                        minAccessLevel="editor"
+                                                        resourceType="dashboard"
                                                         fullWidth
                                                         onClick={() => {
                                                             push(urls.dashboardTextTile(dashboard.id, 'new'))
                                                         }}
                                                         data-attr="add-text-tile-to-dashboard"
                                                     >
                                                         Add text card
-                                                    </LemonButton>
+                                                    </AccessControlledLemonButton>
                                                 </>
                                             ),
                                         },
@@ -319,7 +329,7 @@ export function DashboardHeader(): JSX.Element | null {
                                     }}
                                 >
                                     Add insight
-                                </LemonButton>
+                                </AccessControlledLemonButton>
                             ) : null}
                         </>
                     )

diff --git a/frontend/src/scenes/dashboard/dashboardLogic.tsx b/frontend/src/scenes/dashboard/dashboardLogic.tsx
@@ -15,7 +15,7 @@ import {
 import { loaders } from 'kea-loaders'
 import { router, urlToAction } from 'kea-router'
 import api, { ApiMethodOptions, getJSONOrNull } from 'lib/api'
-import { DashboardPrivilegeLevel, OrganizationMembershipLevel } from 'lib/constants'
+import { DashboardPrivilegeLevel, FEATURE_FLAGS, OrganizationMembershipLevel } from 'lib/constants'
 import { Dayjs, dayjs, now } from 'lib/dayjs'
 import { currentSessionId, TimeToSeeDataPayload } from 'lib/internalMetrics'
 import { lemonToast } from 'lib/lemon-ui/LemonToast/LemonToast'
@@ -945,8 +945,14 @@ export const dashboardLogic = kea<dashboardLogicType>([
             },
         ],
         canEditDashboard: [
-            (s) => [s.dashboard],
-            (dashboard) => !!dashboard && dashboard.effective_privilege_level >= DashboardPrivilegeLevel.CanEdit,
+            (s) => [s.dashboard, s.featureFlags],
+            (dashboard, featureFlags) => {
+                if (featureFlags[FEATURE_FLAGS.ROLE_BASED_ACCESS_CONTROL]) {
+                    const requiredLevels = ['admin', 'editor']
+                    return dashboard?.user_access_level ? requiredLevels.includes(dashboard.user_access_level) : true
+                }
+                return !!dashboard && dashboard.effective_privilege_level >= DashboardPrivilegeLevel.CanEdit
+            },
         ],
         canRestrictDashboard: [
             // Sync conditions with backend can_user_restrict
@@ -991,8 +997,8 @@ export const dashboardLogic = kea<dashboardLogicType>([
             },
         ],
         breadcrumbs: [
-            (s) => [s.dashboard, s._dashboardLoading, s.dashboardFailedToLoad],
-            (dashboard, dashboardLoading, dashboardFailedToLoad): Breadcrumb[] => [
+            (s) => [s.dashboard, s._dashboardLoading, s.dashboardFailedToLoad, s.canEditDashboard],
+            (dashboard, dashboardLoading, dashboardFailedToLoad, canEditDashboard): Breadcrumb[] => [
                 {
                     key: Scene.Dashboards,
                     name: 'Dashboards',
@@ -1007,15 +1013,17 @@ export const dashboardLogic = kea<dashboardLogicType>([
                         : !dashboardLoading
                         ? 'Not found'
                         : null,
-                    onRename: async (name) => {
-                        if (dashboard) {
-                            await dashboardsModel.asyncActions.updateDashboard({
-                                id: dashboard.id,
-                                name,
-                                allowUndo: true,
-                            })
-                        }
-                    },
+                    onRename: canEditDashboard
+                        ? async (name) => {
+                              if (dashboard) {
+                                  await dashboardsModel.asyncActions.updateDashboard({
+                                      id: dashboard.id,
+                                      name,
+                                      allowUndo: true,
+                                  })
+                              }
+                          }
+                        : undefined,
                 },
             ],
         ],

diff --git a/frontend/src/scenes/dashboard/dashboards/DashboardsTable.tsx b/frontend/src/scenes/dashboard/dashboards/DashboardsTable.tsx
@@ -1,6 +1,7 @@
 import { IconHome, IconLock, IconPin, IconPinFilled, IconShare } from '@posthog/icons'
 import { LemonInput } from '@posthog/lemon-ui'
 import { useActions, useValues } from 'kea'
+import { AccessControlledLemonButton } from 'lib/components/AccessControlledLemonButton'
 import { MemberSelect } from 'lib/components/MemberSelect'
 import { ObjectTags } from 'lib/components/ObjectTags/ObjectTags'
 import { DashboardPrivilegeLevel } from 'lib/constants'
@@ -131,7 +132,7 @@ export function DashboardsTable({
             ? {}
             : {
                   width: 0,
-                  render: function RenderActions(_, { id, name }: DashboardType) {
+                  render: function RenderActions(_, { id, name, user_access_level }: DashboardType) {
                       return (
                           <More
                               overlay={
@@ -149,7 +150,11 @@ export function DashboardsTable({
                                       >
                                           View
                                       </LemonButton>
-                                      <LemonButton
+
+                                      <AccessControlledLemonButton
+                                          userAccessLevel={user_access_level}
+                                          minAccessLevel="editor"
+                                          resourceType="dashboard"
                                           to={urls.dashboard(id)}
                                           onClick={() => {
                                               dashboardLogic({ id }).mount()
@@ -161,7 +166,8 @@ export function DashboardsTable({
                                           fullWidth
                                       >
                                           Edit
-                                      </LemonButton>
+                                      </AccessControlledLemonButton>
+
                                       <LemonButton
                                           onClick={() => {
                                               showDuplicateDashboardModal(id, name)
@@ -170,7 +176,9 @@ export function DashboardsTable({
                                       >
                                           Duplicate
                                       </LemonButton>
+
                                       <LemonDivider />
+
                                       <LemonRow icon={<IconHome className="text-warning" />} fullWidth status="warning">
                                           <span className="text-muted">
                                               Change the default dashboard
@@ -180,15 +188,19 @@ export function DashboardsTable({
                                       </LemonRow>
 
                                       <LemonDivider />
-                                      <LemonButton
+
+                                      <AccessControlledLemonButton
+                                          userAccessLevel={user_access_level}
+                                          minAccessLevel="editor"
+                                          resourceType="dashboard"
                                           onClick={() => {
                                               showDeleteDashboardModal(id)
                                           }}
                                           fullWidth
                                           status="danger"
                                       >
                                           Delete dashboard
-                                      </LemonButton>
+                                      </AccessControlledLemonButton>
                                   </>
                               }
                           />