Restrict VCL/CCP Metrics page to Admin and Leadership groups

Add requireGroup('Admin', 'Leadership') as router-level middleware on all VCL multi-vertical routes. Hide the CCP Metrics nav item from users not in those groups and guard the page render in App.js with a redirect fallback.
2026-06-17 09:27:01 -06:00
parent 2fed9221f1
commit 479c61b88f
3 changed files with 8 additions and 6 deletions
--- a/frontend/src/App.js
+++ b/frontend/src/App.js
@@ -186,7 +186,7 @@ const getSeverityDotColor = (severity) => {
 const severityLevels = ['All Severities', 'Critical', 'High', 'Medium', 'Low'];

 export default function App() {
-  const { isAuthenticated, loading: authLoading, canWrite, canDelete, canExport, isAdmin, getActiveTeamsParam, adminScope } = useAuth();
+  const { isAuthenticated, loading: authLoading, canWrite, canDelete, canExport, isAdmin, isInGroup, getActiveTeamsParam, adminScope } = useAuth();
  const [searchQuery, setSearchQuery] = useState('');
  const [selectedVendor, setSelectedVendor] = useState('All Vendors');
  const [selectedSeverity, setSelectedSeverity] = useState('All Severities');
@@ -1102,7 +1102,8 @@ export default function App() {
        {/* Page content */}
        {currentPage === 'triage'         && <VulnerabilityTriagePage filterDate={calendarFilter} filterEXC={reportingExcFilter} />}
        {currentPage === 'compliance'     && <CompliancePage onNavigate={setCurrentPage} />}
-        {currentPage === 'ccp-metrics'    && <CCPMetricsPage />}
+        {currentPage === 'ccp-metrics'    && isInGroup('Admin', 'Leadership') && <CCPMetricsPage />}
+        {currentPage === 'ccp-metrics'    && !isInGroup('Admin', 'Leadership') && (() => { setCurrentPage('home'); return null; })()}
        {currentPage === 'knowledge-base' && <KnowledgeBasePage />}
        {currentPage === 'exports'        && <ExportsPage />}
        {currentPage === 'jira'           && <JiraPage />}