From 9131c0da37a9fcc14db8c5178d260f124f572081 Mon Sep 17 00:00:00 2001 From: Matt Aitken Date: Fri, 19 Jun 2026 12:41:23 +0100 Subject: [PATCH] feat(webapp): show a PAT's maximum role on the tokens page Add a "Maximum role" column to the Personal Access Tokens list showing the role a token is capped to. The column only appears when an RBAC plugin is installed and reads "-" for tokens with no cap. The header tooltip reuses the same explanation shown when creating a token. --- .../app/routes/account.tokens/route.tsx | 36 +++++++++++++++---- 1 file changed, 29 insertions(+), 7 deletions(-) diff --git a/apps/webapp/app/routes/account.tokens/route.tsx b/apps/webapp/app/routes/account.tokens/route.tsx index d38841cb8b7..d2ef3b5f822 100644 --- a/apps/webapp/app/routes/account.tokens/route.tsx +++ b/apps/webapp/app/routes/account.tokens/route.tsx @@ -56,6 +56,11 @@ export const meta: MetaFunction = () => { ]; }; +// Shared between the create-token panel hint and the listing column +// header tooltip so the cap is explained identically in both places. +const MAX_ROLE_EXPLANATION = + "The token can act with up to this role. Your current role in each org is the actual ceiling. The token never grants permissions that are beyond your own user role."; + // PATs aren't org-scoped, but the RBAC plugin's allRoles is org-keyed // (a plugin may also expose org-defined custom roles alongside the // global system roles). The picker shows the assignable system role @@ -128,10 +133,25 @@ export const loader = async ({ request }: LoaderFunctionArgs) => { const defaultRoleId = userRoleId && assignableIds.has(userRoleId) ? userRoleId : lowestAssignable; + // The "Maximum role" column is a plugin concept — the OSS fallback + // has no TokenRole store, so only surface it when a plugin is + // installed. Tokens without a cap (legacy, or created when no + // plugin was present) render as "-". + const showMaxRole = await rbac.isUsingPlugin(); + const tokensWithMaxRole = showMaxRole + ? await Promise.all( + personalAccessTokens.map(async (pat) => ({ + ...pat, + maxRole: (await rbac.getTokenRole(pat.id))?.name ?? null, + })) + ) + : personalAccessTokens.map((pat) => ({ ...pat, maxRole: null as string | null })); + return typedjson({ - personalAccessTokens, + personalAccessTokens: tokensWithMaxRole, roles, defaultRoleId, + showMaxRole, }); } catch (error) { if (error instanceof Response) { @@ -225,7 +245,8 @@ export const action: ActionFunction = async ({ request }) => { }; export default function Page() { - const { personalAccessTokens, roles, defaultRoleId } = useTypedLoaderData(); + const { personalAccessTokens, roles, defaultRoleId, showMaxRole } = + useTypedLoaderData(); return ( @@ -258,6 +279,9 @@ export default function Page() { Name Token + {showMaxRole && ( + Maximum role + )} Created Last accessed Delete @@ -270,6 +294,7 @@ export default function Page() { {personalAccessToken.name} {personalAccessToken.obfuscatedToken} + {showMaxRole && {personalAccessToken.maxRole ?? "-"}} @@ -288,7 +313,7 @@ export default function Page() { ); }) ) : ( - + - - The token can act with up to this role. Your current role in each org is the - actual ceiling — the token never grants more than you have. - + {MAX_ROLE_EXPLANATION} )}