App secret keys are visible to normal users #28514
Description
Self Checks
- I have read the Contributing Guide and Language Policy.
- This is only for bug report, if you would like to ask a question, please head to Discussions.
- I have searched for existing issues search for existing issues, including closed ones.
- I confirm that I am using English to submit this report, otherwise it will be closed.
- 【中文用户 & Non English User】请使用英语提交,否则会被关闭 :)
- Please do not modify this template :) and fill in all the required fields.
Dify version
1.10.0
Cloud or Self Hosted
Self Hosted (Source)
Steps to reproduce
- Sign in as a workspace member with the
normalrole (no edit permission). - Open an existing app in Studio.
- Click “API キー” (API key) in the top bar, then open the “API シークレットキー” modal.
- Observe that the secret key for the app is fully visible and the “コピー” button works, even though the user is only
normal.
✔️ Expected Behavior
A user with the normal role should not see any UI that exposes app secret keys.
They should only see the API documentation; the “APIキー” button or secret-key modal must be hidden/disabled for them.
❌ Actual Behavior
No response