open-metadata · siddhant1 · Feb 10, 2026 · Feb 10, 2026
@@ -0,0 +1,173 @@
+/*
+ *  Copyright 2025 Collate.
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+import { expect, Page, test as base } from '@playwright/test';
+import { PolicyClass } from '../../../support/access-control/PoliciesClass';
+import { RolesClass } from '../../../support/access-control/RolesClass';
+import { DataProduct } from '../../../support/domain/DataProduct';
+import { Domain } from '../../../support/domain/Domain';
+import { UserClass } from '../../../support/user/UserClass';
+import { performAdminLogin } from '../../../utils/admin';
+import { redirectToHomePage } from '../../../utils/common';
+
+const adminUser = new UserClass();
+const testUser = new UserClass();
+const domain = new Domain();
+const dataProduct = new DataProduct([domain]);
+
+let policy: PolicyClass;
+let role: RolesClass;
+
+const test = base.extend<{
+  page: Page;
+  testUserPage: Page;
+}>({
+  page: async ({ browser }, use) => {
+    const adminPage = await browser.newPage();
+    try {
+      await adminUser.login(adminPage);
+      await use(adminPage);
+    } finally {
+      await adminPage.close();
+    }
+  },
+  testUserPage: async ({ browser }, use) => {
+    const userPage = await browser.newPage();
+    try {
+      await testUser.login(userPage);
+      await use(userPage);
+    } finally {
+      await userPage.close();
+    }
+  },
+});
+
+test.beforeAll('Setup pre-requests', async ({ browser }) => {
+  const { apiContext, afterAction } = await performAdminLogin(browser);
+  await adminUser.create(apiContext);
+  await adminUser.setAdminRole(apiContext);
+  await testUser.create(apiContext);
+  await domain.create(apiContext);
+  await dataProduct.create(apiContext);
+
+  policy = new PolicyClass();
+  await policy.create(apiContext, [
+    {
+      name: 'DenyViewDomainRule',
+      resources: ['domain'],
+      operations: ['ViewAll', 'ViewBasic'],
+      effect: 'deny',
+    },
+    {
+      name: 'DenyViewDataProductRule',
+      resources: ['dataProduct'],
+      operations: ['ViewAll', 'ViewBasic'],
+      effect: 'deny',
+    },
+  ]);
+
+  role = new RolesClass();
+  await role.create(apiContext, [policy.responseData.name]);
+
+  await testUser.patch({
+    apiContext,
+    patchData: [
+      {
+        op: 'replace',
+        path: '/roles',
+        value: [
+          {
+            id: role.responseData.id,
+            type: 'role',
+            name: role.responseData.name,
+          },
+        ],
+      },
+    ],
+  });
+
+  await afterAction();
+});
+
+test.describe('Domain and Data Product View Permission Denied', () => {
+  test('Domain listing page should show permission error', async ({
+    testUserPage,
+  }) => {
+    await redirectToHomePage(testUserPage);
+    await testUserPage.goto('/domain');
+    await testUserPage.waitForLoadState('networkidle');
+
+    await expect(
+      testUserPage.getByTestId('permission-error-placeholder')
+    ).toBeVisible();
+  });
+
+  test('Data Product listing page should show permission error', async ({
+    testUserPage,
+  }) => {
+    await redirectToHomePage(testUserPage);
+    await testUserPage.goto('/dataProduct');
+    await testUserPage.waitForLoadState('networkidle');
+
+    await expect(
+      testUserPage.getByTestId('permission-error-placeholder')
+    ).toBeVisible();
+  });
+
+  test('Domain detail page should show permission error', async ({
+    testUserPage,
+  }) => {
+    const domainFqn = encodeURIComponent(
+      domain.responseData.fullyQualifiedName ?? domain.data.name
+    );
+    await redirectToHomePage(testUserPage);
+    await testUserPage.goto(`/domain/${domainFqn}`);
+    await testUserPage.waitForLoadState('networkidle');
+
+    await expect(
+      testUserPage.getByTestId('permission-error-placeholder')
+    ).toBeVisible();
+  });
+
+  test('Data Product detail page should show permission error', async ({
+    testUserPage,
+  }) => {
+    const dataProductFqn = encodeURIComponent(
+      dataProduct.responseData.fullyQualifiedName ?? dataProduct.data.name
+    );
+    await redirectToHomePage(testUserPage);
+    await testUserPage.goto(`/dataProduct/${dataProductFqn}`);
+    await testUserPage.waitForLoadState('networkidle');
+
+    await expect(
+      testUserPage.getByTestId('permission-error-placeholder')
+    ).toBeVisible();
+  });
+});
+
+test.afterAll('Cleanup', async ({ browser }) => {
+  const { apiContext, afterAction } = await performAdminLogin(browser);
+
+  if (role?.responseData?.id) {
+    await role.delete(apiContext);
+  }
+  if (policy?.responseData?.id) {
+    await policy.delete(apiContext);
+  }
+
+  await dataProduct.delete(apiContext);
+  await domain.delete(apiContext);
+  await adminUser.delete(apiContext);
+  await testUser.delete(apiContext);
+  await afterAction();
+});
@@ -320,6 +320,19 @@ const AuthenticatedAppRouter: FunctionComponent = () => {
       checkPermission(Operation.Create, ResourceEntity.BOT, permissions),
     [permissions]
   );
+  const domainViewPermission = useMemo(
+    () =>
+      userPermissions.hasViewPermissions(ResourceEntity.DOMAIN, permissions),
+    [permissions]
+  );
+  const dataProductViewPermission = useMemo(
+    () =>
+      userPermissions.hasViewPermissions(
+        ResourceEntity.DATA_PRODUCT,
+        permissions
+      ),
+    [permissions]
+  );
 
   return (
     <Routes>
@@ -750,9 +763,20 @@ const AuthenticatedAppRouter: FunctionComponent = () => {
       <Route element={<GlossaryRouter />} path="/glossary/*" />
       <Route element={<GlossaryTermRouter />} path="/glossary-term/*" />
       <Route element={<SettingsRouter />} path="/settings/*" />
-      <Route element={<DomainRouter />} path="/domain/*" />
       <Route
-        element={<DataProductListPage pageTitle={t('label.data-product')} />}
+        element={
+          <AdminProtectedRoute hasPermission={domainViewPermission}>
+            <DomainRouter />
+          </AdminProtectedRoute>
+        }
+        path="/domain/*"
+      />
+      <Route
+        element={
+          <AdminProtectedRoute hasPermission={dataProductViewPermission}>
+            <DataProductListPage pageTitle={t('label.data-product')} />
+          </AdminProtectedRoute>
+        }
         path={ROUTES.DATA_PRODUCT}
       />
       <Route element={<MetricListPage />} path={ROUTES.METRICS} />

@@ -14,6 +14,7 @@
 import { render, waitFor } from '@testing-library/react';
 import { MemoryRouter } from 'react-router-dom';
 import { DataProduct } from '../../../generated/entity/domains/dataProduct';
+import { ENTITY_PERMISSIONS } from '../../../mocks/Permissions.mock';
 import PageLayoutV1 from '../../PageLayoutV1/PageLayoutV1';
 import DataProductsPage from './DataProductsPage.component';
 
@@ -111,6 +112,14 @@ jest.mock('../../common/ErrorWithPlaceholder/ErrorPlaceHolder', () => {
   return jest.fn().mockImplementation(({ children }) => <div>{children}</div>);
 });
 
+jest.mock('../../../context/PermissionProvider/PermissionProvider', () => ({
+  usePermissionProvider: () => ({
+    permissions: {
+      dataProduct: ENTITY_PERMISSIONS,
+    },
+  }),
+}));
+
 describe('DataProductsPage component', () => {
   it('should render successfully', async () => {
     const { container } = render(<DataProductsPage />, {

@@ -19,9 +19,13 @@ import { useCallback, useEffect, useMemo, useState } from 'react';
 import { useTranslation } from 'react-i18next';
 import { useNavigate } from 'react-router-dom';
 import { ROUTES } from '../../../constants/constants';
-import { ERROR_PLACEHOLDER_TYPE } from '../../../enums/common.enum';
+import { usePermissionProvider } from '../../../context/PermissionProvider/PermissionProvider';
+import { ResourceEntity } from '../../../context/PermissionProvider/PermissionProvider.interface';
+import { ClientErrors } from '../../../enums/Axios.enum';
+import { ERROR_PLACEHOLDER_TYPE, SIZE } from '../../../enums/common.enum';
 import { EntityType, TabSpecificField } from '../../../enums/entity.enum';
 import { DataProduct } from '../../../generated/entity/domains/dataProduct';
+import { Operation } from '../../../generated/entity/policies/policy';
 import { EntityHistory } from '../../../generated/type/entityHistory';
 import { useApplicationStore } from '../../../hooks/useApplicationStore';
 import { useFqn } from '../../../hooks/useFqn';
@@ -35,6 +39,7 @@ import {
   removeFollower,
 } from '../../../rest/dataProductAPI';
 import { getEntityName } from '../../../utils/EntityUtils';
+import { checkPermission } from '../../../utils/PermissionsUtils';
 import {
   getDomainPath,
   getEntityDetailsPath,
@@ -55,8 +60,25 @@ const DataProductsPage = () => {
   const { currentUser } = useApplicationStore();
   const currentUserId = currentUser?.id ?? '';
   const { fqn: dataProductFqn } = useFqn();
+  const { permissions } = usePermissionProvider();
   const [isMainContentLoading, setIsMainContentLoading] = useState(true);
   const [dataProduct, setDataProduct] = useState<DataProduct>();
+  const [isForbidden, setIsForbidden] = useState(false);
+
+  const [viewBasicPermission, viewAllPermission] = useMemo(() => {
+    return [
+      checkPermission(
+        Operation.ViewBasic,
+        ResourceEntity.DATA_PRODUCT,
+        permissions
+      ),
+      checkPermission(
+        Operation.ViewAll,
+        ResourceEntity.DATA_PRODUCT,
+        permissions
+      ),
+    ];
+  }, [permissions]);
   const [versionList, setVersionList] = useState<EntityHistory>(
     {} as EntityHistory
   );
@@ -120,6 +142,7 @@ const DataProductsPage = () => {
 
   const fetchDataProductByFqn = async (fqn: string) => {
     setIsMainContentLoading(true);
+    setIsForbidden(false);
     try {
       const data = await getDataProductByName(fqn, {
         fields: [
@@ -140,7 +163,11 @@ const DataProductsPage = () => {
         fetchActiveVersion(data);
       }
     } catch (error) {
-      showErrorToast(error as AxiosError);
+      if ((error as AxiosError)?.response?.status === ClientErrors.FORBIDDEN) {
+        setIsForbidden(true);
+      } else {
+        showErrorToast(error as AxiosError);
+      }
     } finally {
       setIsMainContentLoading(false);
     }
@@ -277,10 +304,36 @@ const DataProductsPage = () => {
     }
   }, [dataProductFqn, version]);
 
+  if (!(viewBasicPermission || viewAllPermission)) {
+    return (
+      <ErrorPlaceHolder
+        className="mt-0-important"
+        permissionValue={t('label.view-entity', {
+          entity: t('label.data-product'),
+        })}
+        size={SIZE.LARGE}
+        type={ERROR_PLACEHOLDER_TYPE.PERMISSION}
+      />
+    );
+  }
+
   if (isMainContentLoading) {
     return <Loader />;
   }
 
+  if (isForbidden) {
+    return (
+      <ErrorPlaceHolder
+        className="mt-0-important"
+        permissionValue={t('label.view-entity', {
+          entity: t('label.data-product'),
+        })}
+        size={SIZE.LARGE}
+        type={ERROR_PLACEHOLDER_TYPE.PERMISSION}
+      />
+    );
+  }
+
   if (!dataProduct) {
     return (
       <ErrorPlaceHolder type={ERROR_PLACEHOLDER_TYPE.CUSTOM}>