Fix settings permissions

app/controllers/configuration_controller.rb

@@ -21,15 +21,9 @@ def title
 
   def index
     assert_privileges('my_settings_view')
+    @change_settings = role_allows?(:feature => 'my_settings_visuals', :any => true)
     @breadcrumbs = []
-    active_tab = nil
-    if role_allows?(:feature => "my_settings_visuals")
-      active_tab = 1 if active_tab.nil?
-    elsif role_allows?(:feature => "my_settings_default_filters")
-      active_tab = 3 if active_tab.nil?
-    elsif role_allows?(:feature => "my_settings_time_profiles")
-      active_tab = 4 if active_tab.nil?
-    end
+    active_tab = 1
     @tabform = params[:load_edit_err] ? @tabform : "ui_#{active_tab}"
     edit
     render :action => "show"
@@ -70,7 +64,8 @@ def edit
 
   # New tab was pressed
   def change_tab
-    assert_privileges('my_settings_admin')
+    assert_privileges('my_settings_view')
+    @change_settings = role_allows?(:feature => 'my_settings_visuals')
     @tabform = "ui_" + params['uib-tab'] if params['uib-tab'] != "5"
     edit
     render :action => "show"
@@ -151,6 +146,7 @@ def update
 
   # Show the users list
   def show_timeprofiles
+    assert_privileges('my_settings_view')
     build_tabs if params[:action] == "change_tab" || %w[cancel add save].include?(params[:button])
     @timeprofiles = if report_admin_user?
                       TimeProfile.in_my_region.ordered_by_desc
@@ -213,7 +209,7 @@ def get_hr_str(hr)
   end
 
   def timeprofile_new
-    assert_privileges("timeprofile_new")
+    assert_privileges("my_settings_time_profiles")
     @all_timezones = ActiveSupport::TimeZone.all.collect { |tz| ["(GMT#{tz.formatted_offset}) #{tz.name}", tz.name] }.freeze
     @timeprofile = TimeProfile.new
     @timeprofile_action = "timeprofile_new"
@@ -225,7 +221,7 @@ def timeprofile_new
   end
 
   def timeprofile_edit
-    assert_privileges("tp_edit")
+    assert_privileges("my_settings_time_profiles")
     @all_timezones = ActiveSupport::TimeZone.all.collect { |tz| ["(GMT#{tz.formatted_offset}) #{tz.name}", tz.name] }.freeze
     @timeprofile = TimeProfile.find(params[:id])
     @timeprofile_action = "timeprofile_edit"
@@ -249,7 +245,7 @@ def timeprofile_edit
 
   # Delete all selected or single displayed VM(s)
   def timeprofile_delete
-    assert_privileges("tp_delete")
+    assert_privileges("my_settings_time_profiles")
     timeprofiles = []
     unless params[:id] # showing a list, scan all selected timeprofiles
       timeprofiles = find_checked_items
@@ -278,7 +274,7 @@ def timeprofile_delete
   end
 
   def timeprofile_copy
-    assert_privileges("tp_copy")
+    assert_privileges("my_settings_time_profiles")
     session[:set_copy] = "copy"
     @all_timezones = ActiveSupport::TimeZone.all.collect { |tz| ["(GMT#{tz.formatted_offset}) #{tz.name}", tz.name] }.freeze
     @in_a_form = true
@@ -381,9 +377,9 @@ def build_tabs
     @active_tab = @tabform.split("_").last
 
     @tabs = []
-    @tabs.push(["1", _("Visual")])          if role_allows?(:feature => "my_settings_visuals")
-    @tabs.push(["3", _("Default Filters")]) if role_allows?(:feature => "my_settings_default_filters")
-    @tabs.push(["4", _("Time Profiles")])   if role_allows?(:feature => "my_settings_time_profiles")
+    @tabs.push(["1", _("Visual")])
+    @tabs.push(["3", _("Default Filters")])
+    @tabs.push(["4", _("Time Profiles")])
   end
 
   def merge_in_user_settings(settings)

app/javascript/components/visual-settings-form/index.jsx

@@ -4,7 +4,7 @@ import PropTypes from 'prop-types';
 import MiqFormRenderer from '@@ddf';
 import createSchema from './visual-settings-form.schema';
 
-const VisualSettingsForm = ({ recordId }) => {
+const VisualSettingsForm = ({ recordId, changeSettings }) => {
   const [{ initialValues, timezoneOptions, isLoading }, setState] = useState({ isLoading: true });
 
   useEffect(() => {
@@ -24,13 +24,17 @@ const VisualSettingsForm = ({ recordId }) => {
   }, [recordId]);
 
   const onSubmit = (settings) => {
-    settings.perpage.list = parseInt(settings.perpage.list, 10);
-    settings.perpage.reports = parseInt(settings.perpage.reports, 10);
-    miqSparkleOn();
-    API.patch(`/api/users/${recordId}`, { settings }).then(() => {
-      window.location.reload();
-      add_flash(__('User Interface settings saved'), 'success');
-    }).catch(miqSparkleOff);
+    if (changeSettings) {
+      settings.perpage.list = parseInt(settings.perpage.list, 10);
+      settings.perpage.reports = parseInt(settings.perpage.reports, 10);
+      miqSparkleOn();
+      API.patch(`/api/users/${recordId}`, { settings }).then(() => {
+        window.location.reload();
+        add_flash(__('User Interface settings saved'), 'success');
+      }).catch(miqSparkleOff);
+    } else {
+      add_flash(__('The user is not authorized for this task or item.'), 'error');
+    }
   };
 
   return !isLoading && (
@@ -45,6 +49,7 @@ const VisualSettingsForm = ({ recordId }) => {
 
 VisualSettingsForm.propTypes = {
   recordId: PropTypes.string.isRequired,
+  changeSettings: PropTypes.bool.isRequired,
 };
 
 export default VisualSettingsForm;

app/views/configuration/show.html.haml

@@ -3,7 +3,7 @@
   - when 'ui_1'
     %div{:id => @tabs[0][1], 'role' => 'tabpanel', 'aria-labelledby' =>"#{@tabs[0][1]}_tab"}
       = render :partial => "layouts/flash_msg"
-      = react 'VisualSettingsForm', :recordId => current_user.id.to_s
+      = react 'VisualSettingsForm', {:recordId => current_user.id.to_s, :changeSettings => @change_settings}
   - when 'ui_3'
     = render :partial => 'ui_3'
   - when 'ui_4'