UI: Fix permissions for accessing queries table Edit UX (#29319)

## For #28532 #### As global observer: ![Screenshot 2025-05-20 at 10 03 59 PM](https://github.com/user-attachments/assets/8ad9d01d-d0cb-402c-b32b-1928a494054e) #### As global admin: ![Screenshot 2025-05-20 at 10 04 01 PM](https://github.com/user-attachments/assets/6f8fdfd5-9255-4865-b91a-0d2fd4a22121) - [x] Changes file added for user-visible changes in `changes/` - [x] Manual QA for all new/changed functionality --------- Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
2026-05-23 17:08:53 +00:00 · 2025-05-21 10:40:57 -07:00 · 2025-05-21 10:40:57 -07:00 · bf9e9566a8
commit bf9e9566a8
parent d69436efa6
3 changed files with 21 additions and 5 deletions
--- a/changes/28532-fix-query-edit-permissinos
+++ b/changes/28532-fix-query-edit-permissinos
@ -0,0 +1 @@
+- Fix a bug where global observers could access the "delete query" UX on the queries table
--- a/frontend/pages/queries/ManageQueriesPage/components/QueriesTable/QueriesTableConfig.tsx
+++ b/frontend/pages/queries/ManageQueriesPage/components/QueriesTable/QueriesTableConfig.tsx
@ -8,7 +8,14 @@ import PATHS from "router/paths";
 import { Tooltip as ReactTooltip5 } from "react-tooltip-5";

 import { secondsToDhms } from "utilities/helpers";
-import permissionsUtils from "utilities/permissions";
+import {
+  isGlobalAdmin,
+  isGlobalMaintainer,
+  isTeamAdmin,
+  isTeamMaintainer,
+  isTeamObserver,
+  isOnlyObserver,
+} from "utilities/permissions/permissions";
 import { getPathWithQueryParams } from "utilities/url";

 import {
@ -123,8 +130,8 @@ const generateColumnConfigs = ({
  omitSelectionColumn = false,
 }: IGenerateColumnConfigs): IDataColumn[] => {
  const isCurrentTeamObserverOrGlobalObserver = currentTeamId
-    ? permissionsUtils.isTeamObserver(currentUser, currentTeamId)
-    : permissionsUtils.isOnlyObserver(currentUser);
+    ? isTeamObserver(currentUser, currentTeamId)
+    : isOnlyObserver(currentUser);
  const viewingTeamScope = currentTeamId !== API_ALL_TEAMS_ID;

  const tableHeaders: IDataColumn[] = [
@ -282,7 +289,15 @@ const generateColumnConfigs = ({
      ),
    },
  ];
-  if (!isCurrentTeamObserverOrGlobalObserver && !omitSelectionColumn) {
+
+  const canEditQueries =
+    isGlobalAdmin(currentUser) ||
+    isGlobalMaintainer(currentUser) ||
+    (currentTeamId &&
+      (isTeamAdmin(currentUser, currentTeamId) ||
+        isTeamMaintainer(currentUser, currentTeamId)));
+
+  if (canEditQueries && !omitSelectionColumn) {
    tableHeaders.unshift({
      id: "selection",
      // TODO - improve typing of IHeaderProps instead of using any
--- a/frontend/utilities/permissions/permissions.ts
+++ b/frontend/utilities/permissions/permissions.ts
@ -111,7 +111,7 @@ const isAnyTeamMaintainerOrTeamAdmin = (user: IUser): boolean => {
  return false;
 };

-const isOnlyObserver = (user: IUser): boolean => {
+export const isOnlyObserver = (user: IUser): boolean => {
  if (isGlobalObserver(user)) {
    return true;
  }
				`@ -0,0 +1 @@`
				`- Fix a bug where global observers could access the "delete query" UX on the queries table`