Strengthening Permission Resolution and Role-Based Access Control
under review
Ramesh Lokesh
When a user’s access is changed from a higher level (e.g., project-level) to a lower level (e.g., category-level), permission resolution fails and incorrect access is applied. Role precedence is not properly enforced when multiple content roles (including Reviewer) are assigned, resulting in unintended access to pages and modules such as Starred, Recycle Bin, All Articles, Recent, Analytics, and Feedback Manager. Additionally, users with view-only permissions are still able to create articles or categories through various UI entry points, and drag-and-drop actions are not validating permissions correctly. Permission recalculation for team account users and readers with partial access is also inconsistent. We request improvements to permission recalculation logic, role precedence handling, and stricter UI-level enforcement to ensure accurate and secure access control.
Ramesh Lokesh
One of our customers has verified and confirmed that a Reviewer is unable to create an article or category, which indicates that the permission settings are currently working as expected.
However, the customer has requested that the "Article" and "Category" options be greyed out in the "Create" menu for users with the Reviewer role. Alternatively, they suggested removing the "Create" button entirely for Reviewers to avoid any potential confusion.
Mohamed Shakheen marked this post as under review
Mohamed Shakheen
Hi Iris Sailfish Ramesh
Thank you for highlighting this in detail.
We acknowledge the concerns around permission resolution, especially in scenarios where access is downgraded from a higher scope (e.g., project-level) to a lower scope (e.g., category-level). Based on your observations, the current behavior does not consistently enforce role precedence or fully recalculate effective permissions, which can lead to unintended access across pages and modules such as Starred, Recycle Bin, All Articles, Recent, Analytics, and Feedback Manager.
We understand that this creates both operational and security concerns, particularly when multiple content roles - including Reviewer - are assigned simultaneously. In such cases, deterministic role precedence and accurate scope enforcement are critical to prevent access leakage. Additionally, UI-level enforcement gaps (for example, view-only users being able to initiate create flows or perform drag-and-drop actions) need to be tightly aligned with backend permission validation to ensure consistent behavior across all entry points.
We will be conducting an internal evaluation focused on:
- Strengthening permission recalculation logic when access scope changes
- Enforcing clear and deterministic role precedence handling
- Eliminating residual or cached privileges during access downgrades
- Ensuring strict UI-level validation aligned with backend authorization
- Validating permission consistency for team accounts and readers with partial access
Our objective is to ensure that effective permissions always reflect the lowest applicable scope and that module-level visibility and actions are accurately restricted.
We will review this comprehensively with the technical team and share an update once the assessment is complete, including next steps and timelines where applicable.
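A minimal resolver sketching the behaviour this reply calls for: the narrowest applicable scope wins, precedence between roles in the same scope is deterministic, and every UI entry point (Create menu, drag-and-drop) asks the backend rather than a cached answer. This is an added illustration, not code from the product or from anyone in this thread; the role names other than Reviewer, the rights attached to each role, and the "most restrictive role wins" tie-break are assumptions.

```python
from dataclasses import dataclass

# Assumed precedence: lower rank = fewer rights. Only "Reviewer" and a
# view-only role are named in the thread; the others are placeholders.
ROLE_RANK = {"viewer": 0, "reviewer": 1, "editor": 2, "owner": 3}

# Assumed rights per role.
ROLE_RIGHTS = {
    "viewer": {"view"},
    "reviewer": {"view", "comment"},
    "editor": {"view", "comment", "create", "edit", "move"},
    "owner": {"view", "comment", "create", "edit", "move", "delete"},
}

# Scope hierarchy from the thread: a category sits inside a project.
SCOPE_ORDER = ["project", "category"]  # broad -> narrow


@dataclass(frozen=True)
class Grant:
    scope: str   # "project" or "category"
    target: str  # project id or category id
    role: str


def effective_role(grants, project, category):
    """Deterministic resolution: the most specific applicable scope wins;
    within one scope the most restrictive role wins (no privilege union)."""
    applicable = {}
    for g in grants:
        if (g.scope == "project" and g.target == project) or \
           (g.scope == "category" and g.target == category):
            current = applicable.get(g.scope)
            if current is None or ROLE_RANK[g.role] < ROLE_RANK[current]:
                applicable[g.scope] = g.role
    for scope in reversed(SCOPE_ORDER):  # narrowest scope first
        if scope in applicable:
            return applicable[scope]
    return None


def is_allowed(grants, project, category, action):
    """Backend check every UI action must call. It is recomputed from the
    current grants each time, so nothing cached survives a downgrade."""
    role = effective_role(grants, project, category)
    return role is not None and action in ROLE_RIGHTS[role]
```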
Periwinkle Herring
Users with read-only access were able to drag and drop articles into folders/categories they do not have permission to create or edit, leading to access control inconsistencies.