Skip to content

UI Improvements for Read-Only User Experience in Publisher Portal #1168

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 4 commits into
base: main
Choose a base branch
from
Draft

UI Improvements for Read-Only User Experience in Publisher Portal #1168

wants to merge 4 commits into from

Conversation

Copy link
Contributor

Copilot AI commented Oct 9, 2025
edited
Loading

Overview

This PR implements 8 UI/UX improvements to enhance the read-only user experience in the WSO2 API Manager Publisher portal. Read-only users (with internal/observer role) should have a clear, consistent experience where all editing capabilities are properly disabled with appropriate visual feedback.

Problem Statement

Read-only users with scopes apim:api_view and apim:publisher_settings encountered several UX issues:

  • Interactive elements appeared clickable but were non-functional
  • Loading states persisted indefinitely when operations failed due to lack of permissions
  • Missing visual feedback indicating why certain actions were disabled
  • Drag-and-drop functionality was still active despite users lacking edit permissions

Changes Implemented

1. Deployments Page

File: DeploymentOnbording.jsx

Disabled the "Add a description" buttons for revision deployment by adding disabled={isCreateOrPublishRestricted()} prop, preventing read-only users from attempting to add descriptions.

2. Basic Info - Labels Section

File: DesignConfigurations.jsx

Disabled the "Attach Labels" IconButton with disabled={isAccessRestricted()}, preventing read-only users from opening the label selection dialog.

3. Runtime Configurations - Audience Validation

File: Audience.jsx

  • Imported isRestricted from AuthManager
  • Added disabled={isAccessRestricted()} to both the Audience Validation Switch and the Allowed Audience ChipInput
  • Prevents read-only users from modifying audience validation settings

4. MCP Tools - Delete Button

File: Tools.jsx

Changed disableDelete={false} to disableDelete={disableUpdate} to ensure the delete button respects the same read-only restrictions as other editing operations.

5. Tryout Console - API Key Generation

File: TryOutConsole.jsx

  • Imported isRestricted from AuthManager
  • Added permission check before auto-generating API key on page load
  • For read-only users, skip key generation and mark the task as completed to prevent infinite loading spinner
  • Fixes the infinite loading issue and empty API key problem

6. Scopes Page - Edit Button Feedback

File: Scopes.jsx

  • Wrapped the Edit button with a Tooltip that displays "You do not have permission to edit scopes" when the button is disabled
  • Wrapped the button in a <span> to ensure tooltip works with disabled button
  • Provides clear visual feedback to users about why the action is unavailable

7. Global Policy Page

File: Listing.tsx

No changes required - existing implementation already shows appropriate onboarding message: "Please contact a privileged user to create a global policy" when users lack apim:gateway_policy_manage permission.

8. API Policies - Drag and Drop

Files: DraggablePolicyCard.tsx, PolicyList.tsx, TabPanel.tsx (both API-specific and shared)

  • Added isReadOnly prop to DraggablePolicyCard interface
  • Implemented canDrag: !isReadOnly in the useDrag hook configuration
  • Changed cursor style to 'default' instead of 'move' for read-only users
  • Conditionally attached drag ref only when user has edit permissions
  • Propagated isReadOnly prop through component hierarchy (PolicyList → TabPanel → TabPanelShared → DraggablePolicyCard)
  • Prevents read-only users from dragging policies while still allowing them to view policy details

Technical Approach

  • All permission checks use the existing AuthManager.isRestricted() method with appropriate scopes
  • Changes follow the established codebase patterns for handling read-only restrictions
  • Implementation is minimal and surgical, modifying only what's necessary
  • No new dependencies or utility functions added

Testing Recommendations

  1. Create a read-only user with Internal/observer role
  2. Login and verify:
    • All buttons mentioned above are disabled with appropriate visual feedback
    • Tryout console loads without infinite spinner and shows disabled state
    • Scopes edit button shows tooltip on hover
    • API policies cannot be dragged but can be viewed
    • Global policies show appropriate message when empty

Files Changed

  • 10 files modified
  • 81 insertions, 24 deletions
  • All changes are backwards compatible

Fixes #[issue_number]

Original prompt

This section details on the original issue you should resolve

<issue_title>Possible UI improvements for read-only view</issue_title>
<issue_description>### Current Limitation

The read only user have the following scopes - apim:api_view and apim:publisher_settings. WSO2 API-M provides a pre-defined role named internal/observer, which is used to group all the read-only users. In read only mode, the publisher portal functionalities should be disabled.

Steps to create a read only user: https://apim.docs.wso2.com/en/latest/manage-apis/design/api-security/authorization/publisher-portal-in-read-only-mode/#step-1-create-a-read-only-user

Suggested Improvement

Here are some minor UI/UX improvements that can be done to the read-only user view.

  1. Disable the description button on deployments page
Image

  1. Disable the add label button in basic info page
Image

  1. Disable the audience validation config in runtime configurations page
Image

  1. Disable the delete button in MCP tools page
Image



  1. Fix the infinite loading issue and empty API key in Tryout page. Need a better way to imply that the user doesn't have the required permission
Screen.Recording.2025-09-16.at.18.18.47.mov
  1. In scopes page, show that the option is disabled. Currently it looks clickable and nothing happens when clicking
Screen.Recording.2025-09-16.at.18.15.31.mov
  1. The global policy page looks empty. Need a better way to show that the user doesn't have the required permission.
Image
  1. Disable the drag and drop feature in API policy page. Read only user should be able to view the policies, but not to use the drag and drop functionality.
Image

Version

4.6.0</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes wso2/api-manager#4278

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

@CLAassistant
Copy link

CLAassistant commented Oct 9, 2025

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@sonarqubecloud
Copy link

sonarqubecloud bot commented Oct 9, 2025

Please retry analysis of this Pull-Request directly on SonarQube Cloud

@sonarqubecloud
Copy link

sonarqubecloud bot commented Oct 9, 2025

Quality Gate Failed Quality Gate failed

Failed conditions
3.2% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

Copilot AI changed the title [WIP] Update UI for read-only user view UI Improvements for Read-Only User Experience in Publisher Portal Oct 9, 2025
Copilot AI requested a review from HeshanSudarshana October 9, 2025 20:45
Copilot finished work on behalf of HeshanSudarshana October 9, 2025 20:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@HeshanSudarshana HeshanSudarshana Awaiting requested review from HeshanSudarshana

@lasanthaS lasanthaS Awaiting requested review from lasanthaS lasanthaS will be requested when the pull request is marked ready for review lasanthaS is a code owner

@Krishanx92 Krishanx92 Awaiting requested review from Krishanx92 Krishanx92 will be requested when the pull request is marked ready for review Krishanx92 is a code owner

@tharikaGitHub tharikaGitHub Awaiting requested review from tharikaGitHub tharikaGitHub will be requested when the pull request is marked ready for review tharikaGitHub is a code owner

@piyumaldk piyumaldk Awaiting requested review from piyumaldk piyumaldk will be requested when the pull request is marked ready for review piyumaldk is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@HeshanSudarshana HeshanSudarshana

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Possible UI improvements for read-only view

3 participants

@CLAassistant @HeshanSudarshana