From 075cabae2356036888f1b412a568d7b084aaaeba Mon Sep 17 00:00:00 2001
From: Andy Pickering <anpicker@redhat.com>
Date: Tue, 22 Jan 2019 17:21:42 +0900
Subject: [PATCH] Monitoring: Fix hiding sidebar links for pages the user
 cannot access

Hide the "Alerts", "Silences", "Metrics" and "Dashboards" sidebar links
if the user doesn't have the necessary RBAC permissions to access those
pages (GET for namespaces).
---
 frontend/public/components/nav.jsx | 30 +++++++++++++++++++-----------
 frontend/public/features.ts        |  5 +++++
 2 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/frontend/public/components/nav.jsx b/frontend/public/components/nav.jsx
index d8b6d9ed836..00a5bc43999 100644
--- a/frontend/public/components/nav.jsx
+++ b/frontend/public/components/nav.jsx
@@ -5,7 +5,7 @@ import * as _ from 'lodash-es';
 import * as PropTypes from 'prop-types';
 
 import { FLAGS, featureReducerName, flagPending } from '../features';
-import { MonitoringRoutes, connectToURLs } from '../monitoring';
+import { monitoringReducerName, MonitoringRoutes } from '../monitoring';
 import { formatNamespacedRouteForResource } from '../ui/ui-actions';
 import {
   BuildConfigModel,
@@ -285,21 +285,29 @@ const imagestreamsStartsWith = ['imagestreams', 'imagestreamtags'];
 const monitoringAlertsStartsWith = ['monitoring/alerts', 'monitoring/alertrules'];
 const clusterSettingsStartsWith = ['settings/cluster', 'config.openshift.io'];
 
-const MonitoringNavSection_ = ({ urls }) => {
-  const prometheusURL = urls[MonitoringRoutes.Prometheus];
-  const grafanaURL = urls[MonitoringRoutes.Grafana];
-  const kibanaURL = urls[MonitoringRoutes.Kibana];
-  return window.SERVER_FLAGS.prometheusBaseURL || window.SERVER_FLAGS.alertManagerBaseURL || prometheusURL || grafanaURL || kibanaURL
+const monitoringNavSectionStateToProps = (state) => ({
+  canAccess: !!state[featureReducerName].get(FLAGS.CAN_GET_NS),
+  grafanaURL: state[monitoringReducerName].get(MonitoringRoutes.Grafana),
+  kibanaURL: state[monitoringReducerName].get(MonitoringRoutes.Kibana),
+  prometheusURL: state[monitoringReducerName].get(MonitoringRoutes.Prometheus),
+});
+
+const MonitoringNavSection_ = ({grafanaURL, canAccess, kibanaURL, prometheusURL}) => {
+  const showAlerts = canAccess && !!window.SERVER_FLAGS.prometheusBaseURL;
+  const showSilences = canAccess && !!window.SERVER_FLAGS.alertManagerBaseURL;
+  const showPrometheus = canAccess && !!prometheusURL;
+  const showGrafana = canAccess && !!grafanaURL;
+  return showAlerts || showSilences || showPrometheus || showGrafana || kibanaURL
     ? <NavSection title="Monitoring">
-      {window.SERVER_FLAGS.prometheusBaseURL && <HrefLink href="/monitoring/alerts" name="Alerts" startsWith={monitoringAlertsStartsWith} />}
-      {window.SERVER_FLAGS.alertManagerBaseURL && <HrefLink href="/monitoring/silences" name="Silences" />}
-      {prometheusURL && <ExternalLink href={prometheusURL} name="Metrics" />}
-      {grafanaURL && <ExternalLink href={grafanaURL} name="Dashboards" />}
+      {showAlerts && <HrefLink href="/monitoring/alerts" name="Alerts" startsWith={monitoringAlertsStartsWith} />}
+      {showSilences && <HrefLink href="/monitoring/silences" name="Silences" />}
+      {showPrometheus && <ExternalLink href={prometheusURL} name="Metrics" />}
+      {showGrafana && <ExternalLink href={grafanaURL} name="Dashboards" />}
       {kibanaURL && <ExternalLink href={kibanaURL} name="Logging" />}
     </NavSection>
     : null;
 };
-const MonitoringNavSection = connectToURLs(MonitoringRoutes.Prometheus, MonitoringRoutes.Grafana, MonitoringRoutes.Kibana)(MonitoringNavSection_);
+const MonitoringNavSection = connect(monitoringNavSectionStateToProps)(MonitoringNavSection_);
 
 export const Navigation = ({ isNavOpen, onNavSelect }) => {
   const PageNav = (
diff --git a/frontend/public/features.ts b/frontend/public/features.ts
index 52612341d24..507bd95ed32 100644
--- a/frontend/public/features.ts
+++ b/frontend/public/features.ts
@@ -27,6 +27,7 @@ import { UIActions } from './ui/ui-actions';
   OPERATOR_LIFECYCLE_MANAGER: false,
   CHARGEBACK: false,
   OPENSHIFT: false,
+  CAN_GET_NS: false,
   CAN_LIST_NS: false,
   CAN_LIST_NODE: false,
   CAN_LIST_PV: false,
@@ -46,6 +47,7 @@ export enum FLAGS {
   OPERATOR_LIFECYCLE_MANAGER = 'OPERATOR_LIFECYCLE_MANAGER',
   CHARGEBACK = 'CHARGEBACK',
   OPENSHIFT = 'OPENSHIFT',
+  CAN_GET_NS = 'CAN_GET_NS',
   CAN_LIST_NS = 'CAN_LIST_NS',
   CAN_LIST_NODE = 'CAN_LIST_NODE',
   CAN_LIST_PV = 'CAN_LIST_PV',
@@ -228,6 +230,9 @@ const detectShowOpenShiftStartGuide = (dispatch, canListNS: boolean = false) =>
 
 // Check the user's access to some resources.
 const ssarChecks = [{
+  flag: FLAGS.CAN_GET_NS,
+  resourceAttributes: { resource: 'namespaces', verb: 'get' },
+}, {
   flag: FLAGS.CAN_LIST_NS,
   resourceAttributes: { resource: 'namespaces', verb: 'list' },
   after: detectShowOpenShiftStartGuide,