
Admin UI not fully respecting settings and system roles #2188

Open
tlodge opened this issue May 21, 2023 · 5 comments
Labels
status: blocked 🚧 Resolution is blocked by some other issue or external factor type: bug 🐛 Something isn't working

Comments

@tlodge

tlodge commented May 21, 2023

Describe the bug
When I set a role for my seller to ensure that they cannot see the settings or system functionality, the settings and system functionality menus are still displayed at the bottom of the Admin UI. If a user clicks on these entries they are automatically logged out, and if they don't know any better, subsequent attempts to log in will fail, as the system will attempt to go to the last URL, which was the one that logged them out:

Role settings for bob's parts channel:

(screenshot: roles page)

Admin dashboard when logged in to bob's parts:

(screenshot: dashboard page)

To Reproduce
Log in as a seller; by default they should not have permissions to view the system and settings menus, but they will be there.

Expected behavior
I would expect that the system and settings menus would not be there at all.

Environment (please complete the following information):

  • @vendure/core version: v2 beta
  • Nodejs version 19.2.0
  • Database (mysql/postgres etc): postgres


@tlodge tlodge added the type: bug 🐛 Something isn't working label May 21, 2023
@mpacary
Contributor

mpacary commented Jun 12, 2023

I got a very similar behavior with tax rates access:

  • As a superadmin, create a seller account and assign him a role that has no access to tax rates but access to other settings (e.g. ReadTaxCategory enabled)
  • Log in as the seller
  • Go to Settings
  • The "tax rates" section appears (expected: should not). Clicking on it triggers an error "You are not currently authorized to access "taxRates > items > 0 > customerGroup". Either you lack permissions, or your session has expired" & redirects to login page
  • Subsequent login attempts as the same seller fail.

As this seems closely related to the original issue, I am only leaving a comment instead of opening another one.

@zehawki

zehawki commented Aug 1, 2023

Along similar lines:

  1. I've set up a channel admin with only 2 permissions under Channel - Read and Update.
  2. Assigned the role.
  3. Upon login, I see a blank screen, so that's totally puzzling.
  4. Clicking on Settings > Channels shows me all channels, with tokens!! That is quite wrong.
  5. And then it logs out with an error message: You are not currently authorized to access "pendingSearchIndexUpdates". Either you lack permissions, or your session has expired.

@michaelbromley
Member

I think one issue that's going on here is that the permissions to read an entity are the same as those used to decide which UI menu items to display. However, sometimes we want them to be different.

@mpacary regarding your specific issue:

The "tax rates" section appears (expected: should not).

I just tried this on the latest master - I added the "ReadTaxCategory" permission to the built-in "Inventory Manager" role (which has CRUD on Catalog), and logging in as an admin with that role only shows the tax category menu item as expected:

(screenshot)

I'm not sure whether this was something that was fixed in a newer version, but if you are able to reproduce the error from a clean install please detail the exact steps.

@yazfield
Contributor

yazfield commented Jun 3, 2024

Had a similar issue with facets: a seller can create facets even though the seller role has only the "readFacets" permission. I was able to create the facets using a seller account with no errors.
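To make the two points above concrete (the same permission set driving menu visibility, and a mutation that must be gated by its own permission rather than the read one), here is an added illustrative model. It is not Vendure's code: the menu items, the hypothetical createFacet wrapper and the seller session are constructed, and only the permission names (ReadFacet, CreateFacet, ReadSettings, ReadSystem, ReadTaxRate) mirror names used in the thread.

```typescript
// Illustrative model, not Vendure's implementation: menu visibility and
// server-side authorization are two separate checks over one session.
type Permission =
  | 'ReadCatalog' | 'ReadFacet' | 'CreateFacet'
  | 'ReadSettings' | 'ReadTaxRate' | 'ReadSystem';

interface Session { readonly permissions: ReadonlySet<Permission>; }

interface NavMenuItem { id: string; requiresPermission: Permission; }

// Constructed menu, modelled on the sections named in this thread.
const NAV_MENU: NavMenuItem[] = [
  { id: 'facets', requiresPermission: 'ReadFacet' },
  { id: 'tax-rates', requiresPermission: 'ReadTaxRate' },
  { id: 'settings', requiresPermission: 'ReadSettings' },
  { id: 'system', requiresPermission: 'ReadSystem' },
];

function hasPermission(s: Session, p: Permission): boolean {
  return s.permissions.has(p);
}

// UI check: which menu items the client should render for this session.
// Hiding an item is a usability measure only; it grants or denies nothing.
function visibleMenuIds(s: Session): string[] {
  return NAV_MENU
    .filter(item => hasPermission(s, item.requiresPermission))
    .map(item => item.id);
}

// Server check: the authoritative decision, made per operation.
function authorize(s: Session, required: Permission): { ok: true } | { ok: false; error: string } {
  return hasPermission(s, required)
    ? { ok: true }
    : { ok: false, error: `You are not currently authorized: missing ${required}` };
}

// Hypothetical resolver wrapper: creating a facet requires CreateFacet,
// so a session that only holds ReadFacet is refused even though the
// Facets menu item is visible to it.
function createFacet(s: Session, name: string) {
  const auth = authorize(s, 'CreateFacet');
  if (!auth.ok) return auth;
  return { ok: true as const, facet: { name } };
}

// Constructed seller session: read-only on facets, no settings/system access.
const sellerSession: Session = {
  permissions: new Set<Permission>(['ReadCatalog', 'ReadFacet']),
};
```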

oliverstreissi added a commit to oliverstreissi/vendure that referenced this issue Sep 19, 2024
michaelbromley pushed a commit that referenced this issue Sep 24, 2024
@dlhck dlhck added the status: blocked 🚧 Resolution is blocked by some other issue or external factor label Sep 27, 2024
@dlhck
Collaborator

dlhck commented Sep 27, 2024

Done together with #2903
