Branch create and delete buttons are visible to all project membership roles
in the UI, including Reviewer, Reporter, and Guest. Backend correctly blocks
the operation with "You do not have permission" but the button should not be
visible at all for roles below DEVELOPER.
Steps to Reproduce
Add a user to a project as Guest, Reporter, or Reviewer
Log in as that user
Navigate to Branches tab
Observe: New Branch button is visible and delete icons are shown
Expected Behavior
New Branch button and branch delete icons should be hidden for project
membership roles below DEVELOPER (i.e. Reviewer, Reporter, Guest).
Actual Behavior
Buttons are visible for all roles. Clicking them results in a backend
rejection with "You do not have permission to create/delete branches"
but the button should never have been shown.
Root Cause
Frontend branch components have no awareness of the current user's project
membership role. ProjectDto does not include currentUserRole. Frontend
cannot conditionally render buttons based on project role.
Proposed Fix
Add currentUserRole field to ProjectDto, populated from ProjectMemberService
in ProjectController. Frontend branch components conditionally render
New Branch button and delete icons only when currentUserRole is DEVELOPER
or above.
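As an added example (not the project's own code), this is one way the frontend side of the fix could be written: a rank comparison over the project membership roles, failing closed when currentUserRole is missing or unrecognised. Role names below DEVELOPER come from the report; MAINTAINER and OWNER are assumed names for the roles "above" it, and the ProjectDto shape is assumed.

```typescript
// Added example, not the project's code. MAINTAINER and OWNER are assumed
// names for roles above DEVELOPER; the other roles come from the bug report.
type ProjectRole = "GUEST" | "REPORTER" | "REVIEWER" | "DEVELOPER" | "MAINTAINER" | "OWNER";

// Ordered lowest to highest so "DEVELOPER or above" becomes a rank comparison.
const ROLE_RANK: Record<ProjectRole, number> = {
  GUEST: 0, REPORTER: 1, REVIEWER: 2, DEVELOPER: 3, MAINTAINER: 4, OWNER: 5,
};

// Assumed DTO shape after the fix. currentUserRole is optional because an
// older backend, or a response for a non-member, may not supply it.
interface ProjectDto {
  id: number;
  name: string;
  currentUserRole?: string;
}

// True only when the role is known and ranks at least `minimum`.
// A missing or unknown role fails closed, so the controls stay hidden.
function hasRoleAtLeast(role: string | undefined, minimum: ProjectRole): boolean {
  if (role === undefined) return false;
  const rank = ROLE_RANK[role as ProjectRole];
  if (rank === undefined) return false;
  return rank >= ROLE_RANK[minimum];
}

// Display decision only: the backend permission check remains the
// enforcement point, exactly as the report states.
function canManageBranches(project: ProjectDto): boolean {
  return hasRoleAtLeast(project.currentUserRole, "DEVELOPER");
}

interface BranchControls {
  showNewBranch: boolean;
  showDeleteIcons: boolean;
}

// What the Branches tab should render for the current user on this project.
function branchControlsFor(project: ProjectDto): BranchControls {
  const allowed = canManageBranches(project);
  return { showNewBranch: allowed, showDeleteIcons: allowed };
}
```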
Severity
Low — security is enforced at the backend; this is purely a UX issue
Time Estimate
3–4 hours (backend DTO change + frontend conditional rendering)