Bug
Resolution: Obsolete
The "Create report" button on CVE overview pages checks hasReadAccess('WorkflowAdministration') to determine visibility, but the backend endpoint (POST /v2/reports/view-based/run) requires Modify(WorkflowAdministration). This causes users with only READ permission to see the button but receive a permission error when clicking it.
Affected Files
- ui/apps/platform/src/Containers/Vulnerabilities/WorkloadCves/Overview/WorkloadCvesOverviewPage.tsx:136
- ui/apps/platform/src/Containers/Vulnerabilities/WorkloadCves/Deployment/DeploymentPage.tsx:76
- ui/apps/platform/src/Containers/Vulnerabilities/WorkloadCves/Image/ImagePage.tsx:158
All three use:
const hasWorkflowAdminAccess = hasReadAccess('WorkflowAdministration');
Should be:
const hasWorkflowAdminAccess = hasReadWriteAccess('WorkflowAdministration');
Context
This was discovered while investigating a customer report about the permission model for ad-hoc CSV exports in ACS 4.9. The broader permission granularity issue (view-based reports requiring the same WRITE permission as config-based report management) is tracked separately. This ticket covers only the UI/backend mismatch.
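The mismatch described in this ticket, modeled as an added example that is not code from the StackRox repository: the access-level names, the simplified `hasReadAccess`/`hasReadWriteAccess` stand-ins, and the sample users are assumptions made for illustration. It shows what a user sees under each UI check once the backend enforces Modify(WorkflowAdministration), plus a small audit that flags any control whose UI gate differs from the level the backend requires.

```typescript
// Added example: a simplified model, not the project's implementation.
type Access = 'NO_ACCESS' | 'READ_ACCESS' | 'READ_WRITE_ACCESS';
type Permissions = Record<string, Access>;
type Check = (perms: Permissions, resource: string) => boolean;

const rank: Record<Access, number> = { NO_ACCESS: 0, READ_ACCESS: 1, READ_WRITE_ACCESS: 2 };

// Hypothetical stand-ins for the two UI checks named in the ticket.
const hasReadAccess: Check = (perms, resource) =>
    rank[perms[resource] ?? 'NO_ACCESS'] >= rank.READ_ACCESS;
const hasReadWriteAccess: Check = (perms, resource) =>
    rank[perms[resource] ?? 'NO_ACCESS'] >= rank.READ_WRITE_ACCESS;

type Outcome = 'hidden' | 'report-started' | 'permission-error';

// What happens when a user opens the page and clicks "Create report".
function createReportOutcome(perms: Permissions, uiCheck: Check): Outcome {
    // UI: the button is rendered only if the visibility check passes.
    if (!uiCheck(perms, 'WorkflowAdministration')) return 'hidden';
    // Backend: POST /v2/reports/view-based/run requires Modify(WorkflowAdministration).
    return hasReadWriteAccess(perms, 'WorkflowAdministration')
        ? 'report-started'
        : 'permission-error';
}

// A UI control, the level its visibility check uses, and the level the API enforces.
interface GatedAction {
    name: string;
    uiGate: Access;
    backendRequires: Access;
}
type Finding = 'ok' | 'shown-but-denied' | 'hidden-but-allowed';

// Flags gates that are weaker (broken button) or stronger (missing feature) than the API.
function auditGate(action: GatedAction): Finding {
    const ui = rank[action.uiGate];
    const api = rank[action.backendRequires];
    if (ui < api) return 'shown-but-denied';
    if (ui > api) return 'hidden-but-allowed';
    return 'ok';
}

// Constructed sample users.
const readOnlyUser: Permissions = { WorkflowAdministration: 'READ_ACCESS' };
const readWriteUser: Permissions = { WorkflowAdministration: 'READ_WRITE_ACCESS' };
```

The backend check is what actually protects the endpoint; aligning the UI gate only removes the misleading button for READ-only users.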