Auditor user sees buttons for actions they cannot perform
The following discussion from !34794 (merged) should be addressed:
@splattael noticed some discrepancies in buttons displayed to the auditor user when they shouldn't be. We verified that the action when clicking the buttons is a 404 so there's no security risk. It's just a bad user experience. See !34794 (comment 374527051) for the discussion.
In looking deeper @dblessing found at least three cases of a button appearing when it shouldn't:
- 'New issue' button on 'Issues' page
- 'Suggest wiki improvement' button on 'Wiki' page
- 'New merge request' button on `/-/analytics/code_reviews`
We should add permission checks to these buttons so they don't show up if the user doesn't have the permission to do those things.
Edited by Drew Blessing