feat(sidebar): hide unauthorized settings buttons in the sidebar for non-admins

[dembrane-sam-bot]

What this changes

• Non-admin workspace members will no longer see "General" and "Danger zone" settings navigation buttons in the sidebar when visiting workspace settings.
• When non-admins click the top-level "Settings" button in the workspace sidebar, they are now automatically and correctly routed to a tab they have access to ("Usage and billing" for billing-only users, and "Members" for standard workspace members), rather than landing on the "General" tab and seeing an admin-locked notice.
• Cleaned up duplicate canEditSettings variable declaration in WorkspaceSettingsRoute.tsx and simplified default tab resolution.

Confidence: High. Safe, client-side, UI-only change using the established isAdminRole and role-policies logic.

Summary by CodeRabbit

New Features

• Settings navigation and available configuration options now adapt based on workspace user role
• Added "Danger zone" section for administrators in workspace settings

Improvements

• Default settings tab selection now prioritizes appropriate views based on user permissions and assigned role

[coderabbitai]

Warning

Review limit reached

@dembrane-sam-bot, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 1 minute and 28 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6f388172-298b-446a-9225-8a0610f9c196

📥 Commits

Reviewing files that changed from the base of the PR and between 97dd83a and 87d7117.

📒 Files selected for processing (1)

• echo/frontend/src/features/sidebar/views/workspace/WorkspaceHomeView.tsx

Walkthrough

Settings access is now gated by admin role across home sidebar, settings navigation, and route logic. WorkspaceHomeView derives admin state; WorkspaceSettingsView conditionally renders admin-only nav items; WorkspaceSettingsRoute refactors default tab selection to use "settings:manage" policy.

Changes

Role-based settings access control

Layer / File(s)	Summary
Workspace home role-based state echo/frontend/src/features/sidebar/views/workspace/WorkspaceHomeView.tsx	isAdminRole import and derivation of isAdmin, isBilling, and settingsPath from workspace role to enable role-aware routing logic.
Settings sidebar navigation gating echo/frontend/src/features/sidebar/views/workspace/WorkspaceSettingsView.tsx	Workspace role lookup via useWorkspace and admin-only conditional rendering of General settings nav and new Danger zone nav item.
Settings route default tab permission logic echo/frontend/src/routes/workspaces/WorkspaceSettingsRoute.tsx	Permission check for "settings:manage" policy hoisted earlier, and defaultTab selection refactored to route based on canEditSettings and my_role instead of prior callerCanManage logic.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

Feature

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and accurately describes the main change: hiding unauthorized settings buttons for non-admins in the sidebar.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sam/hide-unauthorized-settings-buttons

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Hi @dembrane-sam-bot!

Thank you for contributing to Dembrane ECHO! Before we consider your Pull Request, we ask that you sign our Contributor License Agreement (CLA). This is only required for your first Pull Request.

Please review the CLA, and sign it by adding your GitHub username to the contributors.yml file. Thanks!

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@echo/frontend/src/features/sidebar/views/workspace/WorkspaceHomeView.tsx`:
- Around line 35-39: The sidebar computes settingsPath but the Settings nav link
is still hardcoded to "/settings/general"; update the Settings nav target to use
the computed settingsPath (replace the hardcoded string used where the nav item
is rendered, e.g., the link or NavItem that currently points to
"/settings/general") so admins go to general and non-admins to billing or
members based on isAdmin/isBilling logic in WorkspaceHomeView and the
settingsPath constant.

In `@echo/frontend/src/routes/workspaces/WorkspaceSettingsRoute.tsx`:
- Around line 467-473: The current default-tab computation and redirect run
before `settings` is loaded causing wrong tab lock-in; update
`WorkspaceSettingsRoute` to defer computing `canEditSettings`/`defaultTab` and
performing the redirect until `settings` is non-null (or a loading flag is
false). Specifically, guard or delay the logic that reads
`settings?.my_policies` and `settings?.my_role` (the `canEditSettings` and
`defaultTab` calculations) and the subsequent redirect code block (the code
around lines handling tab selection/redirect) so it only executes when
`settings` is available, leaving the route idle or showing a loader until then.
Ensure `defaultTab: TabValue` is derived from `settings` inside that guarded
branch to avoid landing billing/admin users on `members` prematurely.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 54218718-1636-4600-a922-e623356f7b8d

📥 Commits

Reviewing files that changed from the base of the PR and between c525458 and 97dd83a.

📒 Files selected for processing (3)

• echo/frontend/src/features/sidebar/views/workspace/WorkspaceHomeView.tsx
• echo/frontend/src/features/sidebar/views/workspace/WorkspaceSettingsView.tsx
• echo/frontend/src/routes/workspaces/WorkspaceSettingsRoute.tsx

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Defer default-tab redirect until settings are loaded.

Line 469 computes a fallback before settings exists, and Line 485 then locks in a valid but wrong segment. Billing/admin users can land on members from /settings and never get corrected.

Suggested fix

-	const defaultTab: TabValue = canEditSettings
-		? "general"
-		: settings?.my_role === "billing"
-			? "billing"
-			: "members";
+	const defaultTab: TabValue | null = settings
+		? canEditSettings
+			? "general"
+			: settings.my_role === "billing"
+				? "billing"
+				: "members"
+		: null;
 	const activeTab: TabValue = segmentIsValid
 		? (segment as TabValue)
-		: defaultTab;
+		: (defaultTab ?? "members");
@@
 	useEffect(() => {
 		if (!workspaceId) return;
-		if (segment !== activeTab) {
-			navigate(`/w/${workspaceId}/settings/${activeTab}${urlSearch}`, {
+		if (!segmentIsValid) {
+			if (!defaultTab) return;
+			navigate(`/w/${workspaceId}/settings/${defaultTab}${urlSearch}`, {
 				replace: true,
 			});
 		}
-	}, [workspaceId, segment, activeTab, navigate, urlSearch]);
+	}, [workspaceId, segmentIsValid, defaultTab, navigate, urlSearch]);

Also applies to: 483-490

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@echo/frontend/src/routes/workspaces/WorkspaceSettingsRoute.tsx` around lines
467 - 473, The current default-tab computation and redirect run before
`settings` is loaded causing wrong tab lock-in; update `WorkspaceSettingsRoute`
to defer computing `canEditSettings`/`defaultTab` and performing the redirect
until `settings` is non-null (or a loading flag is false). Specifically, guard
or delay the logic that reads `settings?.my_policies` and `settings?.my_role`
(the `canEditSettings` and `defaultTab` calculations) and the subsequent
redirect code block (the code around lines handling tab selection/redirect) so
it only executes when `settings` is available, leaving the route idle or showing
a loader until then. Ensure `defaultTab: TabValue` is derived from `settings`
inside that guarded branch to avoid landing billing/admin users on `members`
prematurely.