Fix: Dont attempt to retrieve objects for which user doesnt have global permissions (#5612)

2025-10-04 01:52:42 -05:00 · 2024-02-01 01:20:14 -08:00
parent 4996b7e5f7
commit 5e3d1b26e7
14 changed files with 375 additions and 143 deletions
--- a/src-ui/src/app/components/dashboard/widgets/saved-view-widget/saved-view-widget.component.html
+++ b/src-ui/src/app/components/dashboard/widgets/saved-view-widget/saved-view-widget.component.html
@@ -15,8 +15,14 @@
        <tr>
          <th scope="col" i18n>Created</th>
          <th scope="col" i18n>Title</th>
-          <th scope="col" class="d-none d-md-table-cell" i18n>Tags</th>
-          <th scope="col" class="d-none d-md-table-cell" i18n>Correspondent</th>
+          @if (permissionsService.currentUserCan(PermissionAction.View, PermissionType.Tag)) {
+            <th scope="col" class="d-none d-md-table-cell" i18n>Tags</th>
+          }
+          @if (permissionsService.currentUserCan(PermissionAction.View, PermissionType.Correspondent)) {
+            <th scope="col" class="d-none d-md-table-cell" i18n>Correspondent</th>
+          } @else {
+            <th scope="col" class="d-none d-md-table-cell"></th>
+          }
        </tr>
      </thead>
      <tbody>
@@ -26,13 +32,15 @@
            <td class="py-2 py-md-3">
              <a routerLink="/documents/{{doc.id}}" title="Edit" i18n-title class="btn-link text-dark text-decoration-none py-2 py-md-3">{{doc.title | documentTitle}}</a>
            </td>
-            <td class="py-2 py-md-3 d-none d-md-table-cell">
-              @for (t of doc.tags$ | async; track t) {
-                <pngx-tag [tag]="t" class="ms-1" (click)="clickTag(t, $event)"></pngx-tag>
-              }
-            </td>
+            @if (permissionsService.currentUserCan(PermissionAction.View, PermissionType.Tag)) {
+              <td class="py-2 py-md-3 d-none d-md-table-cell">
+                @for (t of doc.tags$ | async; track t) {
+                  <pngx-tag [tag]="t" class="ms-1" (click)="clickTag(t, $event)"></pngx-tag>
+                }
+              </td>
+            }
            <td class="position-relative py-2 py-md-3 d-none d-md-table-cell">
-              @if (doc.correspondent !== null) {
+              @if (permissionsService.currentUserCan(PermissionAction.View, PermissionType.Correspondent) && doc.correspondent !== null) {
                <a class="btn-link text-dark text-decoration-none py-2 py-md-3" routerLink="/documents" [queryParams]="getCorrespondentQueryParams(doc.correspondent)">{{(doc.correspondent$ | async)?.name}}</a>
              }
              <div class="btn-group position-absolute top-50 end-0 translate-middle-y">