feat(frontend): RBAC permission gating via /authz/me/permissions

[erichare]

Problem

The backend POST /api/v1/authz/me/permissions endpoint is implemented (authz_me.py, backed by get_effective_permissions) and returns { resource_id: [allowed_actions] }, but the frontend had zero consumers — a repo-wide search of src/frontend/src finds no reference to the endpoint or any RBAC permission concept. The six components under src/frontend/src/components/authorization/ are pre-existing authentication guards (login/admin/settings/store/playground), not RBAC permission gates.

Result: even with an EE enforcer active, the UI showed every action regardless of the user's permissions; users discovered denials only via a failed request.

This PR adds the OSS permission-gating primitive that consumes the endpoint. The EE Share modal (3.9) and Roles/Audit admin UIs (4.6/4.7) are out of scope and build on this primitive.

What changed

Data layer

• types/permissions/index.ts — types mirroring the backend contract (EffectivePermissionsRequest/Response, resource-type + action vocabularies).
• controllers/API/queries/permissions/use-get-effective-permissions.ts — typed React Query hook for the batch endpoint. Modeled as a cached query (not a mutation): it is a side-effect-free batch read keyed by the requested resource set, so each list fetches its visible-resource permissions once and the gate reads from cache. Caps resource_ids at 500 (matches the backend), omits actions/domain when defaulted, and is disabled when there are no ids.
• controllers/API/helpers/constants.ts — registers the authz/me/permissions URL.

Gating logic (pure, framework-free → unit-testable)

• utils/permissionUtils.ts — buildPermissionMap (case-normalizing) + canPerformAction. Fail-open: returns true when data is absent (loading / errored / no provider) or the resource was not evaluated; a present resource is gated strictly against its returned action list (an empty list denies everything).

Distribution

• contexts/permissionsContext.tsx — PermissionsProvider batches one query for all resource ids in a list/surface and exposes usePermissions().can(resourceId, action). With no provider mounted, can is the fail-open default. Providers are mounted in containers (homePage, folder sidebar, deployments-content, flow toolbar); leaf components stay pure consumers.

Gated affordances

Resource	Affordances → action
Flows (list)	Edit→write, Export→read, Duplicate→create, Delete→delete, drag-to-Move→write
Flows (canvas toolbar)	Run/Playground→execute, Share→write, Deploy→execute
Projects/Folders (sidebar)	Rename→write, Download→read, Delete→delete
Deployments (table)	Test→execute, Update→write, Delete→delete

Graceful default (non-RBAC installs)

The OSS pass-through batch_enforce returns True for every request, so get_effective_permissions returns every requested action for every id. Gating on membership in that list therefore keeps all controls enabled when authz is off. Combined with fail-open on missing/loading/error data, no behavior changes for non-RBAC installs.

Acceptance criteria

• ✅ Authz off / OSS pass-through: all controls render enabled exactly as today (pass-through returns all actions; fail-open covers any error/loading).
• ✅ Mocked permissions response: denied actions are visibly gated (disabled) and don't fire requests (covered by a provider+component test).
• ✅ Component/hook tests for the gating logic (standalone files — biome has no test-rule relaxation on this repo, so editing old test files would trip pre-existing lint debt).

Test plan

New standalone tests (21 cases, all green):

• utils/__tests__/permissionUtils.test.ts — map building + fail-open/strict gating + case-insensitivity + empty-list deny-all.
• contexts/__tests__/permissionsContext.test.tsx — no-provider fail-open, pass-through all-enabled, denied gating, loading fail-open, and a component test asserting a denied control is disabled and its handler never fires.
• controllers/API/queries/permissions/__tests__/use-get-effective-permissions.test.ts — POST body shape, defaulted-field omission, the no-ids skip, and the 500-id cap.

Regression sweep over every touched directory: 886 tests / 66 suites pass, including the existing deployments-table and deploy-button suites. New files are biome-clean and tsc-clean (biome no-any pre-commit hook passes).

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

• New Features
  • Permission-based access control now enforces authorization across flows, deployments, and folders.
  • Action buttons and controls are disabled when you lack the required permissions, preventing unauthorized operations for deployment execution, flow publishing, folder management, and flow modifications.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 55b41011-4b18-4bfb-b9a1-afb5d7cdb05b

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

This PR introduces a complete frontend RBAC permission-gating layer. It defines permission types and API contracts, implements a React Context-based provider with fail-open semantics, adds a backend query hook, and applies permission checks across flow toolbar, folder operations, flow lists, and deployments to gate UI controls based on user permissions.

Changes

Frontend Permission-Gating System

Layer / File(s)	Summary
Permission types and API endpoint src/frontend/src/types/permissions/index.ts, src/frontend/src/controllers/API/helpers/constants.ts	Defines PERMISSION_RESOURCE_TYPES (flow, project, deployment), DEFAULT_PERMISSION_ACTIONS (execute, write, delete, read, export, duplicate), and request/response interfaces (EffectivePermissionsRequest, EffectivePermissionsResponse) for the new authz/me/permissions endpoint.
Permission lookup utilities src/frontend/src/utils/permissionUtils.ts, src/frontend/src/utils/__tests__/permissionUtils.test.ts	buildPermissionMap normalizes permissions responses into a lowercased resource-to-actions lookup; canPerformAction evaluates whether an action is allowed on a resource with fail-open semantics when the map is undefined. Comprehensive test coverage for normalization, deny-all empty-action lists, and fail-open behavior.
useGetEffectivePermissions API query src/frontend/src/controllers/API/queries/permissions/use-get-effective-permissions.ts, src/frontend/src/controllers/API/queries/permissions/index.ts, src/frontend/src/controllers/API/queries/permissions/__tests__/use-get-effective-permissions.test.ts	React-query hook that posts to authz/me/permissions, caps resourceIds to 500 client-side, derives a stable cache key (sorted ids/actions), sets 5-minute staleTime, and disables the query when no resource IDs are provided. Tests verify payload shape, optional field omission, request suppression, and truncation.
PermissionsContext provider and usePermissions hook src/frontend/src/contexts/permissionsContext.tsx, src/frontend/src/contexts/__tests__/permissionsContext.test.tsx	PermissionsProvider wraps components, queries effective permissions, builds the permission map, and memoizes a context value with can(resourceId, action) predicate. usePermissions() hook returns the context. Default context fails open with can() always true. Tests verify fail-open without provider, gating with provider, loading fail-open, and component-level disabled-state behavior.
Flow toolbar permission gating src/frontend/src/components/core/flowToolbarComponent/components/flow-toolbar-options.tsx, src/frontend/src/components/core/flowToolbarComponent/components/deploy-button.tsx, src/frontend/src/components/core/flowToolbarComponent/components/deploy-dropdown.tsx, src/frontend/src/components/core/flowToolbarComponent/components/playground-button.tsx	FlowToolbarOptions wraps toolbar in PermissionsProvider; DeployButton checks can(currentFlowId, "execute") to disable deployment, DeployDropdown checks can(flowId, "write") to disable publishing, PlaygroundButton checks can(currentFlowId, "execute") to disable playground run.
Folder sidebar permission gating src/frontend/src/components/core/folderSidebarComponent/components/sideBarFolderButtons/index.tsx, src/frontend/src/components/core/folderSidebarComponent/components/sideBarFolderButtons/components/select-options.tsx	SidebarFolderButtons wraps menu in PermissionsProvider with resourceType="project"; SelectOptions checks can(item.id, "rename"), can(item.id, "download"), can(item.id, "delete") to disable corresponding menu items.
Flow list and dropdown permission gating src/frontend/src/pages/MainPage/components/list/index.tsx, src/frontend/src/pages/MainPage/components/dropdown/index.tsx	ListComponent checks can(flowData.id, "write") to gate Card draggable behavior; DropdownComponent checks can(flowData.id, "edit"), "export", "duplicate", "delete" to disable corresponding dropdown actions.
Deployments page permission gating src/frontend/src/pages/MainPage/pages/deploymentsPage/components/deployments-content.tsx, src/frontend/src/pages/MainPage/pages/deploymentsPage/components/deployments-table.tsx	DeploymentsContent wraps DeploymentsTable in PermissionsProvider with resourceType="deployment"; DeploymentsTable checks can(deploymentId, "execute"), "write", "delete" to disable test, update, and delete actions respectively.
Home page flow list permission gating src/frontend/src/pages/MainPage/pages/homePage/index.tsx	HomePage wraps ListComponent grid/list in PermissionsProvider with resourceType="flow" and optional domain derived from folderId, enabling folder-scoped permission checks.

Sequence Diagram(s)

sequenceDiagram
  participant User
  participant FlowToolbarOptions
  participant PermissionsProvider
  participant useGetEffectivePermissions as Query Hook
  participant API
  participant DeployButton
  participant PlaygroundButton
  User->>FlowToolbarOptions: Mount toolbar in flow editor
  FlowToolbarOptions->>PermissionsProvider: Wrap with resourceType=flow, resourceIds=[currentFlowId]
  PermissionsProvider->>useGetEffectivePermissions: Fetch effective permissions
  useGetEffectivePermissions->>API: POST /api/v1/authz/me/permissions
  API-->>useGetEffectivePermissions: {permissions: {flowId: ["execute", "write"]}}
  PermissionsProvider->>PermissionsProvider: buildPermissionMap() normalizes to {flowid: ["execute", "write"]}
  PermissionsProvider-->>DeployButton: can(flowId, "execute") = true
  PermissionsProvider-->>PlaygroundButton: can(flowId, "execute") = true
  DeployButton-->>User: Deploy button enabled
  PlaygroundButton-->>User: Run button enabled
  User->>DeployButton: Click deploy
  DeployButton->>API: Execute deployment

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• langflow-ai/langflow#13371: The backend POST /api/v1/authz/me/permissions endpoint and response contract that this PR's frontend API query hook (useGetEffectivePermissions) directly consumes, including the 500-id resource limit.

Suggested labels

enhancement, lgtm

Suggested reviewers

• HimavarshaVS
• dkaushik94
• viktoravelino

🚥 Pre-merge checks | ✅ 7 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 18.18% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Quality And Coverage	⚠️ Warning	Tests cover main functionality and follow project patterns, but lack error response testing. API failures and isError state are not tested despite being exposed in the context API.	Add tests for API POST rejection scenarios in useGetEffectivePermissions.test.ts, and add a test case in permissionsContext.test.tsx verifying fail-open behavior when isError=true.

✅ Passed checks (7 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat(frontend): RBAC permission gating via /authz/me/permissions' directly describes the main change: implementing RBAC permission gating using a specific backend endpoint.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Test Coverage For New Implementations	✅ Passed	PR includes 3 test files (281 lines) covering core permissions implementations with proper naming conventions. Tests validate fail-open behavior, permission gating, and API payloads.
Test File Naming And Structure	✅ Passed	Frontend tests follow correct naming (*.test.ts/tsx), use Jest with React Testing Library, have descriptive names, comprehensive edge case coverage, and proper setup/teardown with beforeEach.
Excessive Mock Usage Warning	✅ Passed	Mock usage is appropriate: utility functions tested without mocks, external dependencies properly mocked, integration tests use real React components. 19% mock-to-test ratio with clear justification.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/frontend-rbac-permission-gating

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

✅ Test Coverage Advisor

No source changes detected without accompanying tests. Thanks for keeping coverage up! 🎉

Advisory check only — never blocks merge.

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@src/frontend/src/components/core/flowToolbarComponent/components/deploy-dropdown.tsx`:
- Around line 54-57: The dropdown trigger is being disabled by a share-only
permission check (canShare from usePermissions/can(flowId, "write")), which
blocks all entries; change the gating so canShare only controls publish/share
menu items and not the trigger. Add/derive explicit permissions (e.g., canWrite
or canPublish for share, canExport for export, canEmbed for embed, canMCP for
MCP or at minimum a general canView/canUse flag) and apply those booleans to
each menu item's disabled prop (publish-related items use canShare/canWrite,
export uses canExport, embed uses canEmbed, etc.); ensure the dropdown trigger
(the component that opens the menu) is enabled whenever any of these action
permissions is true (or when a general view/use permission is present) so API
access, export, MCP, and embed are not blocked by canShare.

In
`@src/frontend/src/components/core/flowToolbarComponent/components/flow-toolbar-options.tsx`:
- Around line 20-23: The PermissionsProvider here is missing the domain prop so
toolbar permission checks differ from HomePage; update the PermissionsProvider
invocation (the component named PermissionsProvider that currently passes
resourceType="flow" and resourceIds={currentFlowId ? [currentFlowId] : []}) to
also pass the same domain string used elsewhere for project-scoped checks (e.g.,
domain={`project:${currentProjectId}`} or the equivalent value available in this
component), ensuring the toolbar uses the same domain-scoped permissions as
HomePage.

In
`@src/frontend/src/pages/MainPage/pages/deploymentsPage/components/deployments-content.tsx`:
- Around line 66-69: The resourceIds prop on PermissionsProvider is mapping
deployments to deployment.id without filtering out falsy values; update the
mapping for resourceIds (inside the PermissionsProvider usage near
deployments-content.tsx) to defensively coerce or filter out
null/undefined/empty ids (i.e., map each deployment to deployment.id ?? "" or
similar and then .filter(Boolean)) so PermissionsProvider only receives valid
non-empty identifiers from the deployments array.

In `@src/frontend/src/pages/MainPage/pages/homePage/index.tsx`:
- Around line 326-329: PermissionsProvider is only receiving a domain when
folderId is present, causing permission checks to be unscoped on the implicit
default collection; change the domain prop so it uses the same collection
resolution as the page load (use folderId ?? myCollectionId) - e.g., set domain
to `project:${folderId ?? myCollectionId}` when appropriate instead of passing
undefined, keeping resourceType="flow" and resourceIds={data.flows.map(f=>f.id)}
intact.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6eaa2884-d576-4fd7-9316-161966e6e6c1

📥 Commits

Reviewing files that changed from the base of the PR and between fa14076 and 4c992ca.

📒 Files selected for processing (20)

• src/frontend/src/components/core/flowToolbarComponent/components/deploy-button.tsx
• src/frontend/src/components/core/flowToolbarComponent/components/deploy-dropdown.tsx
• src/frontend/src/components/core/flowToolbarComponent/components/flow-toolbar-options.tsx
• src/frontend/src/components/core/flowToolbarComponent/components/playground-button.tsx
• src/frontend/src/components/core/folderSidebarComponent/components/sideBarFolderButtons/components/select-options.tsx
• src/frontend/src/components/core/folderSidebarComponent/components/sideBarFolderButtons/index.tsx
• src/frontend/src/contexts/__tests__/permissionsContext.test.tsx
• src/frontend/src/contexts/permissionsContext.tsx
• src/frontend/src/controllers/API/helpers/constants.ts
• src/frontend/src/controllers/API/queries/permissions/__tests__/use-get-effective-permissions.test.ts
• src/frontend/src/controllers/API/queries/permissions/index.ts
• src/frontend/src/controllers/API/queries/permissions/use-get-effective-permissions.ts
• src/frontend/src/pages/MainPage/components/dropdown/index.tsx
• src/frontend/src/pages/MainPage/components/list/index.tsx
• src/frontend/src/pages/MainPage/pages/deploymentsPage/components/deployments-content.tsx
• src/frontend/src/pages/MainPage/pages/deploymentsPage/components/deployments-table.tsx
• src/frontend/src/pages/MainPage/pages/homePage/index.tsx
• src/frontend/src/types/permissions/index.ts
• src/frontend/src/utils/__tests__/permissionUtils.test.ts
• src/frontend/src/utils/permissionUtils.ts

[codecov]

Codecov Report

❌ Patch coverage is 58.14394% with 221 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (release-1.11.0@29140c0). Learn more about missing BASE report.

Files with missing lines	Patch %	Lines
...omponent/components/sideBarFolderButtons/index.tsx	17.34%	81 Missing ⚠️
src/frontend/src/types/permissions/index.ts	0.00%	52 Missing ⚠️
...ontend/src/pages/MainPage/pages/homePage/index.tsx	22.72%	34 Missing ⚠️
...olbarComponent/components/flow-toolbar-options.tsx	25.00%	18 Missing ⚠️
...wToolbarComponent/components/playground-button.tsx	23.52%	13 Missing ⚠️
...deploymentsPage/components/deployments-content.tsx	45.00%	11 Missing ⚠️
...sideBarFolderButtons/components/select-options.tsx	50.00%	4 Missing ⚠️
...d/src/pages/MainPage/components/dropdown/index.tsx	60.00%	4 Missing ⚠️
...ntend/src/pages/MainPage/components/list/index.tsx	50.00%	3 Missing ⚠️
...lowToolbarComponent/components/deploy-dropdown.tsx	87.50%	1 Missing ⚠️

Additional details and impacted files

@@                Coverage Diff                @@
##             release-1.11.0   #13543   +/-   ##
=================================================
  Coverage                  ?   58.45%           
=================================================
  Files                     ?     2307           
  Lines                     ?   219533           
  Branches                  ?    31179           
=================================================
  Hits                      ?   128330           
  Misses                    ?    89749           
  Partials                  ?     1454           

Flag	Coverage Δ
backend	65.08% <ø> (?)
frontend	57.80% <58.14%> (?)
lfx	54.31% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
.../flowToolbarComponent/components/deploy-button.tsx	93.16% <100.00%> (ø)
src/frontend/src/contexts/permissionsContext.tsx	100.00% <100.00%> (ø)
.../frontend/src/controllers/API/helpers/constants.ts	98.48% <100.00%> (ø)
...d/src/controllers/API/queries/permissions/index.ts	100.00% <100.00%> (ø)
...eries/permissions/use-get-effective-permissions.ts	100.00% <100.00%> (ø)
...s/deploymentsPage/components/deployments-table.tsx	98.29% <100.00%> (ø)
src/frontend/src/utils/permissionUtils.ts	100.00% <100.00%> (ø)
...lowToolbarComponent/components/deploy-dropdown.tsx	36.53% <87.50%> (ø)
...ntend/src/pages/MainPage/components/list/index.tsx	31.83% <50.00%> (ø)
...sideBarFolderButtons/components/select-options.tsx	26.72% <50.00%> (ø)
... and 7 more

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Frontend Unit Test Coverage Report

Coverage Summary

Lines	Statements	Branches	Functions
	43.33% (57861/133512)	69.3% (7861/11343)	41.63% (1299/3120)

Unit Test Results

Tests	Skipped	Failures	Errors	Time
4961	0 💤	0 ❌	0 🔥	12m 53s ⏱️