with an increasing portion of our UI moving to React, we need to think about how to handle access permissions.
For those not familiar with permission system details in Foreman - handling permissions in Foreman has an additional layer of complexity due to permission filters. Essentially, knowledge that a user called Bob has a :edit_hosts permission is not enough do decide whether Bob is allowed to edit a particular host as that permission can be limited by a search filter using scoped search syntax.
Since filters are tied to scoped search, authorization information needs to be supplied to UI from backend after the filters are applied. For view, records that user is not allowed to see are filtered out and not displayed. For edit and destroy, our API resolves permissions for each record and GraphQL follows that approach.
The knowledge about create permissions is useful on its own in the context of UI - if Bob does not have create permission, he should not be allowed to access create form/page and see links that navigate to it. If Bob has create permission, it means he is allowed to create at least some resources and therefore he is allowed to access create form.
The problem is: how do we make UI aware of create permissions? It is possible to get the information from API when we fetch a list of records, but that assumes a certain succession of actions. If users try to access the create page directly, we currently do not have a way to decide whether they are authorized to see that page. This is already an existing issue for Job Invocation Wizard.
A possible approach is to add those permissions into context.