diff --git a/apps/webapp/app/routes/account.tokens/route.tsx b/apps/webapp/app/routes/account.tokens/route.tsx index d38841cb8b7..d2ef3b5f822 100644 --- a/apps/webapp/app/routes/account.tokens/route.tsx +++ b/apps/webapp/app/routes/account.tokens/route.tsx @@ -56,6 +56,11 @@ export const meta: MetaFunction = () => { ]; }; +// Shared between the create-token panel hint and the listing column +// header tooltip so the cap is explained identically in both places. +const MAX_ROLE_EXPLANATION = + "The token can act with up to this role. Your current role in each org is the actual ceiling. The token never grants permissions that are beyond your own user role."; + // PATs aren't org-scoped, but the RBAC plugin's allRoles is org-keyed // (a plugin may also expose org-defined custom roles alongside the // global system roles). The picker shows the assignable system role @@ -128,10 +133,25 @@ export const loader = async ({ request }: LoaderFunctionArgs) => { const defaultRoleId = userRoleId && assignableIds.has(userRoleId) ? userRoleId : lowestAssignable; + // The "Maximum role" column is a plugin concept — the OSS fallback + // has no TokenRole store, so only surface it when a plugin is + // installed. Tokens without a cap (legacy, or created when no + // plugin was present) render as "-". + const showMaxRole = await rbac.isUsingPlugin(); + const tokensWithMaxRole = showMaxRole + ? await Promise.all( + personalAccessTokens.map(async (pat) => ({ + ...pat, + maxRole: (await rbac.getTokenRole(pat.id))?.name ?? null, + })) + ) + : personalAccessTokens.map((pat) => ({ ...pat, maxRole: null as string | null })); + return typedjson({ - personalAccessTokens, + personalAccessTokens: tokensWithMaxRole, roles, defaultRoleId, + showMaxRole, }); } catch (error) { if (error instanceof Response) { @@ -225,7 +245,8 @@ export const action: ActionFunction = async ({ request }) => { }; export default function Page() { - const { personalAccessTokens, roles, defaultRoleId } = useTypedLoaderData(); + const { personalAccessTokens, roles, defaultRoleId, showMaxRole } = + useTypedLoaderData(); return ( @@ -258,6 +279,9 @@ export default function Page() { Name Token + {showMaxRole && ( + Maximum role + )} Created Last accessed Delete @@ -270,6 +294,7 @@ export default function Page() { {personalAccessToken.name} {personalAccessToken.obfuscatedToken} + {showMaxRole && {personalAccessToken.maxRole ?? "-"}} @@ -288,7 +313,7 @@ export default function Page() { ); }) ) : ( - + - - The token can act with up to this role. Your current role in each org is the - actual ceiling — the token never grants more than you have. - + {MAX_ROLE_EXPLANATION} )}