This bug is created based on the following RFE:
See the RFE for further details.
Any updates here?
Created attachment 1673278
Normal User without Projects Visits Storage Classes page
Created attachment 1673279
Normal User Has Projects Visits Storage Classes page
Created attachment 1673280
Normal User Visits Storage Classes page by URL
1) A normal user can't see the 'Create Storage' button on the Storage Classes page
2) When a normal user visits the Storage Classes page via URL, he/she can still fill in the form but gets an error message when he/she submits the form
I'm not sure if we can show an error message once the user visits the form creation page via URL; I know we can show an error message when the user submits the form. Will wait for comments from Devs.
1) First off, thanks @Yadan Pei for doing some checking on this as well.
2) As Yadan stated, non-admin users cannot see the "Create Storage Class" button so that is working as designed.
3) Now, if a non-admin user has a URL to an admin type of page (create storage class, create PV, operator hub, cluster config), they can get to that page but they will not be able to do anything because the API requires proper authorization.
4) Currently there is no mechanism that simply prevents non-admin users from seeing admin pages. If there is any data from an API call on those pages that is sensitive, the API will show an error due to lack of authorization.
I suggest we close this bug as working as designed.
This was an issue back in 4.1, but seems to have been fixed now in 4.3. I'm the one who requested the RFE back in August. This should be OK to close now.
If it has been resolved in recent versions, we can close the bug. Perhaps we can take some time & make sure we handle this consistently everywhere.