
[BUG]: Manager role lacks expected permissions (logical bug) #3928

@NdekoCode

Description

  • I have checked existing issues

Current behavior

When a second user is added to a team and marked as isManager = true, they only receive the EMPLOYEE role.

As a result:

  • They receive 403 Forbidden errors when calling:
    • GET /roles
    • GET /employee/pagination?where[tenantId]=...&where[organizationId]=...
  • They cannot assign roles to projects or view team members, despite the "Manager" label.
  • This creates a functional mismatch between the UI (expectation of authority) and the actual permissions.

This is not a system crash or broken feature, but a logical bug that breaks expected behavior and delegation workflows in teams.

Steps to reproduce

  1. User A registers → creates workspace/team → is made Admin + Employee + isManager=true

  2. User B is added to the same team with isManager=true

  3. As User B:

    • Try to create a project
    • Try to assign a role to a team member
    • Observe the following:
      • 403 error on GET /roles
      • 403 error on GET /employee/pagination?...

Environment

  • Development

Browser

  • Google Chrome

Operating System

  • macOS

Relevant logs

403 Forbidden
GET /roles
GET /employee/pagination?where[tenantId]=...&where[organizationId]=...
{
  "timestamp": "2025-06-30T16:49:45.745Z",
  "level": "ERROR",
  "message": "🚨 CRITICAL: HTTP 403 Forbidden - GET /roles - Permission Denied",
  "context": "HttpClient",
  "details": {
    "statusCode": 403,
    "statusText": "",
    "headers": {
      "content-type": "application/json; charset=utf-8"
    },
    "data": {
      "message": "Forbidden resource",
      "error": "Forbidden",
      "statusCode": 403
    },
    "errorMessage": "Request failed with status code 403",
    "errorName": "AxiosError",
    "stack": "AxiosError: Request failed with status code 403\n    at settle (webpack-internal:///(app-pages-browser)/../../node_modules/axios/lib/core/settle.js:24:12)\n    at XMLHttpRequest.onloadend (webpack-internal:///(app-pages-browser)/../../node_modules/axios/lib/adapters/xhr.js:73:66)",
    "criticalError": true,
    "endpoint": "/roles",
    "method": "GET",
    "timestamp": "2025-06-30T16:49:45.744Z",
    "debugInfo": {
      "message": "This 403 error indicates a permission/authorization issue",
      "possibleCauses": [
        "User lacks required permissions",
        "Invalid or expired authentication token",
        "Resource access restrictions",
        "Role-based access control (RBAC) denial"
      ]
    }
  }
}
{
  "timestamp": "2025-06-30T16:49:50.778Z",
  "level": "ERROR",
  "message": "🚨 CRITICAL: HTTP 403 Forbidden - GET /employee/pagination?where%5BtenantId%5D=e781cbc5-e1bb-422c-94dc-bceb62e0babb&where%5BorganizationId%5D=20d61ec0-8683-4202-b1c4-d54d7aa32c70&relations%5B0%5D=user - Permission Denied",
  "context": "HttpClient",
  "details": {
    "statusCode": 403,
    "statusText": "",
    "headers": {
      "content-type": "application/json; charset=utf-8"
    },
    "data": {
      "message": "Forbidden resource",
      "error": "Forbidden",
      "statusCode": 403
    },
    "errorMessage": "Request failed with status code 403",
    "errorName": "AxiosError",
    "stack": "AxiosError: Request failed with status code 403\n    at settle (webpack-internal:///(app-pages-browser)/../../node_modules/axios/lib/core/settle.js:24:12)\n    at XMLHttpRequest.onloadend (webpack-internal:///(app-pages-browser)/../../node_modules/axios/lib/adapters/xhr.js:73:66)",
    "criticalError": true,
    "endpoint": "/employee/pagination?where%5BtenantId%5D=e781cbc5-e1bb-422c-94dc-bceb62e0babb&where%5BorganizationId%5D=20d61ec0-8683-4202-b1c4-d54d7aa32c70&relations%5B0%5D=user",
    "method": "GET",
    "timestamp": "2025-06-30T16:49:50.778Z",
    "debugInfo": {
      "message": "This 403 error indicates a permission/authorization issue",
      "possibleCauses": [
        "User lacks required permissions",
        "Invalid or expired authentication token",
        "Resource access restrictions",
        "Role-based access control (RBAC) denial"
      ]
    }
  }
}

error-2025-06-30.log

Additional information

After clarification with the Ever team:

  • The isManager flag is not a real system role, nor is it tied to role-based permission logic (RBAC).
  • Therefore, permissions like CHANGE_ROLES_PERMISSIONS or ORG_EMPLOYEES_VIEW are not granted to managers unless explicitly included in their role.
  • The expectation that a team manager can assign roles or view team members is broken unless special case logic is implemented in backend APIs.

Suggested Backend-Side Solutions:

  • Add logic such as:

    if (user.isManager && user.teamId === requestedTeamId) {
      // allow sensitive actions like GET /roles or GET /employee/pagination
    }
  • Or centralize "Manager access logic" in one utility/service to handle this properly for all endpoints.

Note: As explained by @evereq, we should not create a TEAM_MANAGER role, since a person may be manager in one team but not others.

This is about scoped delegation logic, not system-wide RBAC roles.

Let’s define these backend cases more clearly to avoid confusion for future users and contributors.

CC: @evereq @CREDO23 @rahul-rocket @samuelmbabhazi
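One way to centralize the scoped manager check the post asks for, written as an added example for this page and not code from the Ever Gauzy project: the permission names ORG_EMPLOYEES_VIEW and CHANGE_ROLES_PERMISSIONS come from the issue text; the `TeamMembership` shape, the `ScopedRequest` type, the `canAccess` / `isManagerOf` functions and the sample users are assumptions made here. It models isManager as a per-team membership flag rather than a role (so a user can manage team-1 but not team-2), enforces the tenant and organization boundary first, falls back to ordinary RBAC, and only then grants a short explicit list of delegated permissions when the request is scoped to a team the caller manages.

```typescript
// Added example (not Ever Gauzy project code). Names below are assumptions
// for illustration; only the two permission strings come from the issue.

type Permission = 'ORG_EMPLOYEES_VIEW' | 'CHANGE_ROLES_PERMISSIONS' | 'ORG_PROJECT_ADD';

interface TeamMembership {
  teamId: string;
  isManager: boolean; // per-team flag, deliberately not a system role
}

interface User {
  id: string;
  tenantId: string;
  organizationId: string;
  rolePermissions: Set<Permission>; // what system-wide RBAC grants
  memberships: TeamMembership[];
}

interface ScopedRequest {
  tenantId: string;
  organizationId: string;
  teamId?: string; // present only when the call is scoped to one team
}

// The only permissions a team manager may exercise inside their own team
// without holding them organization-wide. Kept in one place so GET /roles,
// GET /employee/pagination and any other endpoint apply the same rule.
const MANAGER_DELEGATED: ReadonlySet<Permission> = new Set<Permission>([
  'ORG_EMPLOYEES_VIEW',
  'CHANGE_ROLES_PERMISSIONS',
]);

function isManagerOf(user: User, teamId: string): boolean {
  return user.memberships.some(m => m.teamId === teamId && m.isManager);
}

function canAccess(user: User, permission: Permission, req: ScopedRequest): boolean {
  // 1. Tenant/organization boundary is enforced before anything else.
  if (req.tenantId !== user.tenantId || req.organizationId !== user.organizationId) {
    return false;
  }
  // 2. Ordinary RBAC: an Admin with the permission passes here.
  if (user.rolePermissions.has(permission)) {
    return true;
  }
  // 3. Scoped delegation: only for an explicitly requested team, only for the
  //    delegated set, and only if the caller manages *that* team.
  if (req.teamId !== undefined && MANAGER_DELEGATED.has(permission)) {
    return isManagerOf(user, req.teamId);
  }
  return false;
}

// Constructed sample data mirroring the report: User A is Admin, User B holds
// only the EMPLOYEE role but is manager of team-1 (and a plain member of team-2).
function sampleUserA(): User {
  return {
    id: 'user-a',
    tenantId: 't1',
    organizationId: 'o1',
    rolePermissions: new Set<Permission>(['ORG_EMPLOYEES_VIEW', 'CHANGE_ROLES_PERMISSIONS', 'ORG_PROJECT_ADD']),
    memberships: [{ teamId: 'team-1', isManager: true }],
  };
}

function sampleUserB(): User {
  return {
    id: 'user-b',
    tenantId: 't1',
    organizationId: 'o1',
    rolePermissions: new Set<Permission>(), // EMPLOYEE role: none of the three
    memberships: [
      { teamId: 'team-1', isManager: true },
      { teamId: 'team-2', isManager: false },
    ],
  };
}

// Decisions for User B across the cases that matter for the report.
function decisionsForUserB(): Record<string, boolean> {
  const b = sampleUserB();
  const org = { tenantId: 't1', organizationId: 'o1' };
  return {
    viewEmployeesOwnTeam: canAccess(b, 'ORG_EMPLOYEES_VIEW', { ...org, teamId: 'team-1' }),
    viewEmployeesOtherTeam: canAccess(b, 'ORG_EMPLOYEES_VIEW', { ...org, teamId: 'team-2' }),
    viewEmployeesNoTeamScope: canAccess(b, 'ORG_EMPLOYEES_VIEW', org),
    createProjectOwnTeam: canAccess(b, 'ORG_PROJECT_ADD', { ...org, teamId: 'team-1' }),
    crossTenantOwnTeam: canAccess(b, 'ORG_EMPLOYEES_VIEW', { tenantId: 't2', organizationId: 'o1', teamId: 'team-1' }),
  };
}

console.log(decisionsForUserB());
```

One check worth making against the two failing calls: the `GET /employee/pagination` request in the logs carries tenantId and organizationId but no team identifier, so a delegation rule keyed on a requested team has nothing to compare against. Either the client has to send the team scope, or the server has to narrow the result set to the caller's managed teams before deciding; otherwise the only ways to make that call succeed are the organization-wide permission or an allow that is broader than "manager of this team".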
