feat: [UIE-8910] - IAM RBAC: add the missing permission checks for linode (linode#12548)

aaleksee-akamai · cpathipa · corya-akamai · web-flow · commit c2153e91b691 · 2025-07-23T14:08:46.000-04:00
* feat: [UIE-8910] - IAM RBAC: add the missing permission checks for linode

* Added changeset: Add the missing permission checks for linode, update the tooltip

* remove tests

* address feedback

---------

Co-authored-by: cpathipa &lt;119517080+cpathipa@users.noreply.github.com&gt;
Co-authored-by: Conal Ryan &lt;136115382+corya-akamai@users.noreply.github.com&gt;
diff --git a/packages/manager/.changeset/pr-12548-upcoming-features-1753184620779.md b/packages/manager/.changeset/pr-12548-upcoming-features-1753184620779.md
@@ -0,0 +1,5 @@
+---
+"@linode/manager": Upcoming Features
+---
+
+Add the missing permission checks for linode, update the tooltip ([#12548](https://github.com/linode/manager/pull/12548))
diff --git a/packages/manager/src/features/Linodes/LinodeEntityDetail.test.tsx b/packages/manager/src/features/Linodes/LinodeEntityDetail.test.tsx
@@ -361,36 +361,6 @@ describe('Linode Entity Detail', () => {
 
     expect(encryptionStatusFragment).toBeInTheDocument();
   });
-
-  it('should disable "Add A Tag" button if the user does not have update_linode permission', async () => {
-    queryMocks.userPermissions.mockReturnValue({
-      permissions: {
-        update_linode: false,
-      },
-    });
-
-    const { getByText } = renderWithTheme(
-      <LinodeEntityDetail handlers={handlers} id={5} linode={linode} />
-    );
-    const addTagBtn = getByText('Add a tag');
-    expect(addTagBtn).toBeInTheDocument();
-    expect(addTagBtn).toBeDisabled();
-  });
-
-  it('should enable "Add A Tag" button if the user has update_linode permission', async () => {
-    queryMocks.userPermissions.mockReturnValue({
-      permissions: {
-        update_linode: true,
-      },
-    });
-
-    const { getByText } = renderWithTheme(
-      <LinodeEntityDetail handlers={handlers} id={5} linode={linode} />
-    );
-    const addTagBtn = getByText('Add a tag');
-    expect(addTagBtn).toBeInTheDocument();
-    expect(addTagBtn).toBeEnabled();
-  });
 });
 
 describe('getSubnetsString function', () => {
diff --git a/packages/manager/src/features/Linodes/LinodeEntityDetail.tsx b/packages/manager/src/features/Linodes/LinodeEntityDetail.tsx
@@ -149,7 +149,6 @@ export const LinodeEntityDetail = (props: Props) => {
         }
         footer={
           <LinodeEntityDetailFooter
-            isLinodesGrantReadOnly={!permissions.update_linode}
             linodeCreated={linode.created}
             linodeId={linode.id}
             linodeLabel={linode.label}
diff --git a/packages/manager/src/features/Linodes/LinodeEntityDetailFooter.test.tsx b/packages/manager/src/features/Linodes/LinodeEntityDetailFooter.test.tsx
@@ -0,0 +1,52 @@
+import * as React from 'react';
+
+import { renderWithTheme } from 'src/utilities/testHelpers';
+
+import { LinodeEntityDetailFooter } from './LinodeEntityDetailFooter';
+
+const props = {
+  linodeCreated: '2018-11-01T00:00:00',
+  linodeId: 1,
+  linodeLabel: 'test-linode',
+  linodePlan: 'Linode 4GB',
+  linodeRegionDisplay: 'us-east',
+  linodeTags: ['test', 'linode'],
+};
+
+const queryMocks = vi.hoisted(() => ({
+  userPermissions: vi.fn(() => ({
+    permissions: { update_account: false },
+  })),
+}));
+
+vi.mock('src/features/IAM/hooks/usePermissions', () => ({
+  usePermissions: queryMocks.userPermissions,
+}));
+
+describe('LinodeEntityDetailFooter', () => {
+  it('should disable "Add a tag" button if the user does not have update_account permission', async () => {
+    const { getByRole } = renderWithTheme(
+      <LinodeEntityDetailFooter {...props} />
+    );
+
+    const addTagBtn = getByRole('button', {
+      name: 'Add a tag',
+    });
+    expect(addTagBtn).toHaveAttribute('aria-disabled', 'true');
+  });
+
+  it('should enable "Add a tag" button if the user has update_account permission', async () => {
+    queryMocks.userPermissions.mockReturnValue({
+      permissions: { update_account: true },
+    });
+
+    const { getByRole } = renderWithTheme(
+      <LinodeEntityDetailFooter {...props} />
+    );
+
+    const addTagBtn = getByRole('button', {
+      name: 'Add a tag',
+    });
+    expect(addTagBtn).not.toHaveAttribute('aria-disabled', 'true');
+  });
+});
diff --git a/packages/manager/src/features/Linodes/LinodeEntityDetailFooter.tsx b/packages/manager/src/features/Linodes/LinodeEntityDetailFooter.tsx
@@ -5,10 +5,10 @@ import { useSnackbar } from 'notistack';
 import * as React from 'react';
 
 import { TagCell } from 'src/components/TagCell/TagCell';
-import { useRestrictedGlobalGrantCheck } from 'src/hooks/useRestrictedGlobalGrantCheck';
 import { getAPIErrorOrDefault } from 'src/utilities/errorUtils';
 import { formatDate } from 'src/utilities/formatDate';
 
+import { usePermissions } from '../IAM/hooks/usePermissions';
 import {
   StyledBox,
   StyledLabelBox,
@@ -18,7 +18,6 @@ import {
 } from './LinodeEntityDetail.styles';
 
 interface FooterProps {
-  isLinodesGrantReadOnly: boolean;
   linodeCreated: string;
   linodeId: number;
   linodeLabel: string;
@@ -33,7 +32,6 @@ export const LinodeEntityDetailFooter = React.memo((props: FooterProps) => {
   const { data: profile } = useProfile();
 
   const {
-    isLinodesGrantReadOnly,
     linodeCreated,
     linodeId,
     linodeLabel,
@@ -42,10 +40,7 @@ export const LinodeEntityDetailFooter = React.memo((props: FooterProps) => {
     linodeTags,
   } = props;
 
-  const isReadOnlyAccountAccess = useRestrictedGlobalGrantCheck({
-    globalGrantType: 'account_access',
-    permittedGrantLevel: 'read_write',
-  });
+  const { permissions } = usePermissions('account', ['update_account']);
 
   const { mutateAsync: updateLinode } = useLinodeUpdateMutation(linodeId);
 
@@ -148,7 +143,7 @@ export const LinodeEntityDetailFooter = React.memo((props: FooterProps) => {
         }}
       >
         <TagCell
-          disabled={isLinodesGrantReadOnly || isReadOnlyAccountAccess}
+          disabled={!permissions.update_account}
           entityLabel={linodeLabel}
           sx={{
             width: '100%',
diff --git a/packages/manager/src/features/Linodes/LinodesLanding/LinodeActionMenu/LinodeActionMenu.test.tsx b/packages/manager/src/features/Linodes/LinodesLanding/LinodeActionMenu/LinodeActionMenu.test.tsx
@@ -1,5 +1,5 @@
 import { linodeBackupsFactory, regionFactory } from '@linode/utilities';
-import { screen } from '@testing-library/react';
+import { screen, within } from '@testing-library/react';
 import userEvent from '@testing-library/user-event';
 import * as React from 'react';
 
@@ -104,6 +104,28 @@ describe('LinodeActionMenu', () => {
       expect(queryByText('Power Off')).toBeNull();
     });
 
+    it('should disable Power On when the Linode is rebooting', async () => {
+      const { getByLabelText, queryByTestId } = renderWithTheme(
+        <LinodeActionMenu {...props} linodeStatus="rebooting" />
+      );
+
+      const actionMenuButton = getByLabelText(
+        `Action menu for Linode ${props.linodeLabel}`
+      );
+
+      await userEvent.click(actionMenuButton);
+
+      const powerOnItem = queryByTestId('Power On');
+      expect(powerOnItem).toHaveAttribute('aria-disabled', 'true');
+
+      const tooltipButton = within(powerOnItem!).getByRole('button');
+
+      expect(tooltipButton).toHaveAttribute(
+        'aria-label',
+        'This action is unavailable while your Linode is offline.'
+      );
+    });
+
     it('should allow a reboot if the Linode is running', async () => {
       renderWithTheme(<LinodeActionMenu {...props} />);
       await userEvent.click(screen.getByLabelText(/^Action menu for/));
@@ -114,7 +136,7 @@ describe('LinodeActionMenu', () => {
       // TODO: Should check for "read_only" permissions too
       renderWithTheme(<LinodeActionMenu {...props} linodeStatus="offline" />);
       await userEvent.click(screen.getByLabelText(/^Action menu for/));
-      expect(screen.queryByText('Reboot')?.closest('li')).toHaveAttribute(
+      expect(screen.queryByTestId('Reboot')).toHaveAttribute(
         'aria-disabled',
         'true'
       );
@@ -223,7 +245,7 @@ describe('LinodeActionMenu', () => {
 
     for (const action of actions) {
       expect(getByText(action)).toBeVisible();
-      expect(screen.queryByText(action)?.closest('li')).toHaveAttribute(
+      expect(screen.queryByTestId(action)).toHaveAttribute(
         'aria-disabled',
         'true'
       );
diff --git a/packages/manager/src/features/Linodes/LinodesLanding/LinodeActionMenu/LinodeActionMenu.tsx b/packages/manager/src/features/Linodes/LinodesLanding/LinodeActionMenu/LinodeActionMenu.tsx
@@ -88,6 +88,11 @@ export const LinodeActionMenu = (props: LinodeActionMenuProps) => {
   const isMTCLinode = Boolean(linodeType && isMTCPlan(linodeType));
   const isLinodeRunning = linodeStatus === 'running';
 
+  const isStatusNotEligible = !['offline', 'running'].includes(linodeStatus);
+  const lacksBootPermission = !isLinodeRunning && !permissions.boot_linode;
+  const lacksShutdownPermission =
+    isLinodeRunning && !permissions.shutdown_linode;
+
   const actionConfigs: ActionConfig[] = [
     {
       condition: true,
@@ -99,9 +104,11 @@ export const LinodeActionMenu = (props: LinodeActionMenuProps) => {
       onClick: handlePowerAction,
       title: isLinodeRunning ? 'Power Off' : 'Power On',
       tooltipAction: 'modify',
-      tooltipText: !permissions.shutdown_linode
-        ? NO_PERMISSION_TOOLTIP_TEXT
-        : undefined,
+      tooltipText: isStatusNotEligible
+        ? LINODE_STATUS_NOT_RUNNING_TOOLTIP_TEXT
+        : lacksBootPermission || lacksShutdownPermission
+          ? NO_PERMISSION_TOOLTIP_TEXT
+          : undefined,
     },
     {
       condition: true,
diff --git a/packages/manager/src/features/Linodes/LinodesLanding/LinodesLandingEmptyState.test.tsx b/packages/manager/src/features/Linodes/LinodesLanding/LinodesLandingEmptyState.test.tsx
@@ -0,0 +1,51 @@
+import React from 'react';
+
+import { renderWithTheme } from 'src/utilities/testHelpers';
+
+import { LinodesLandingEmptyState } from './LinodesLandingEmptyState';
+
+const queryMocks = vi.hoisted(() => ({
+  userPermissions: vi.fn(() => ({
+    permissions: {
+      create_linode: false,
+    },
+  })),
+  useNavigate: vi.fn(),
+}));
+
+vi.mock('src/features/IAM/hooks/usePermissions', () => ({
+  usePermissions: queryMocks.userPermissions,
+}));
+
+vi.mock('@tanstack/react-router', async () => {
+  const actual = await vi.importActual('@tanstack/react-router');
+  return {
+    ...actual,
+    useNavigate: queryMocks.useNavigate,
+  };
+});
+
+describe('LinodesLandingEmptyState', () => {
+  it('should disable "Create Linode" button if the user does not have create_linode permission', () => {
+    const { getByRole } = renderWithTheme(<LinodesLandingEmptyState />);
+
+    const createLinodeBtn = getByRole('button', { name: 'Create Linode' });
+
+    expect(createLinodeBtn).toBeInTheDocument();
+    expect(createLinodeBtn).toHaveAttribute('aria-disabled', 'true');
+  });
+
+  it('should enable "Create Linode" button if the user has create_linode permission', () => {
+    queryMocks.userPermissions.mockReturnValue({
+      permissions: {
+        create_linode: true,
+      },
+    });
+    const { getByRole } = renderWithTheme(<LinodesLandingEmptyState />);
+
+    const createLinodeBtn = getByRole('button', { name: 'Create Linode' });
+
+    expect(createLinodeBtn).toBeInTheDocument();
+    expect(createLinodeBtn).not.toHaveAttribute('aria-disabled', 'true');
+  });
+});
diff --git a/packages/manager/src/features/Linodes/LinodesLanding/LinodesLandingEmptyState.tsx b/packages/manager/src/features/Linodes/LinodesLanding/LinodesLandingEmptyState.tsx
@@ -9,7 +9,7 @@ import { ResourcesLinksSubSection } from 'src/components/EmptyLandingPageResourc
 import { ResourcesMoreLink } from 'src/components/EmptyLandingPageResources/ResourcesMoreLink';
 import { ResourcesSection } from 'src/components/EmptyLandingPageResources/ResourcesSection';
 import { getRestrictedResourceText } from 'src/features/Account/utils';
-import { useRestrictedGlobalGrantCheck } from 'src/hooks/useRestrictedGlobalGrantCheck';
+import { usePermissions } from 'src/features/IAM/hooks/usePermissions';
 import { sendEvent } from 'src/utilities/analytics/utils';
 import { getLinkOnClick } from 'src/utilities/emptyStateLandingUtils';
 
@@ -26,9 +26,7 @@ const APPS_MORE_LINKS_TEXT = 'See all Marketplace apps';
 export const LinodesLandingEmptyState = () => {
   const navigate = useNavigate();
 
-  const isLinodesGrantReadOnly = useRestrictedGlobalGrantCheck({
-    globalGrantType: 'add_linodes',
-  });
+  const { permissions } = usePermissions('account', ['create_linode']);
 
   return (
     <React.Fragment>
@@ -37,7 +35,7 @@ export const LinodesLandingEmptyState = () => {
         buttonProps={[
           {
             children: 'Create Linode',
-            disabled: isLinodesGrantReadOnly,
+            disabled: !permissions.create_linode,
             onClick: () => {
               navigate({ to: '/linodes/create' });
               sendEvent({

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"@linode/manager": Upcoming Features
 +---
++
 +Add the missing permission checks for linode, update the tooltip ([#12548](https://github.com/linode/manager/pull/12548))
Original file line number	Diff line number	Diff line change
`@@ -149,7 +149,6 @@ export const LinodeEntityDetail = (props: Props) => {`
`149`	`149`	`}`
`150`	`150`	`footer={`
`151`	`151`	`<LinodeEntityDetailFooter`
`152`		`- isLinodesGrantReadOnly={!permissions.update_linode}`
`153`	`152`	`linodeCreated={linode.created}`
`154`	`153`	`linodeId={linode.id}`
`155`	`154`	`linodeLabel={linode.label}`