fix: add authorization check for Roles link in navbar

Only show Roles link in Settings dropdown for users with admin permissions, preventing unauthorized access attempts.
2026-01-08 14:25:29 +01:00 · 2026-01-08 14:25:29 +01:00 · dd1b126c14
commit dd1b126c14
parent cf220b9730
1 changed files with 6 additions and 3 deletions
--- a/lib/mv_web/components/layouts/navbar.ex
+++ b/lib/mv_web/components/layouts/navbar.ex
@ -7,6 +7,7 @@ defmodule MvWeb.Layouts.Navbar do
  use MvWeb, :verified_routes

  alias Mv.Membership
+  import MvWeb.Authorization

  attr :current_user, :map,
    required: true,
@ -33,9 +34,11 @@ defmodule MvWeb.Layouts.Navbar do
                <li>
                  <.link navigate="/settings">{gettext("Global Settings")}</.link>
                </li>
-                <li>
-                  <.link navigate="/admin/roles">{gettext("Roles")}</.link>
-                </li>
+                <%= if can_access_page?(@current_user, "/admin/roles") do %>
+                  <li>
+                    <.link navigate="/admin/roles">{gettext("Roles")}</.link>
+                  </li>
+                <% end %>
              </ul>
            </details>
          </li>