fix(ui): add secret approval request role to allow users view CR other than theirs

[IgorHorta]

Context

Resolves SECRETS-72

Adds SecretApprovalRequest.Read permission that allows users to view all secret approval requests in a project, not just ones where they are committer or approver.

Permission	Access
None (default)	Only requests where user is committer/approver
SecretApprovalRequest.Read	All requests in the project

Note: Secret values still respect secret.ReadValue permissions per environment/path. Admins get this permission by default.

Screenshots

Steps to verify the change

Test Case 1: No Permission (Default)

1. Create a custom role with NO SecretApprovalRequest permissions
2. Assign role to a test user
3. Create an approval request with a different user
4. Expected: Test user only sees requests where they are committer or approver
5. Expected: Counter only shows their own requests

Test Case 2: Read Permission

1. Create a custom role with SecretApprovalRequest.Read
2. Assign role to a test user (also give them Secrets.ReadValue for /dev/ but NOT /prod/)
3. Create an approval request containing secrets from both /dev/ and /prod/
4. Expected: Test user sees ALL requests in the list view
5. Expected: Counter shows ALL requests
6. Expected: Test user can click and view the request details
7. Expected: In the details view:
   • Secrets from /dev/ have values visible
   • Secrets from /prod/ have values masked as <hidden-by-infisical>

Test Case 3: Admin Role

1. Log in as Admin
2. Expected: Admin sees all requests and all details (Read permission granted by default)

Test Case 4: Committer/Approver Access (Unchanged)

1. User A creates an approval request
2. User B is an approver on the policy
3. User C has no permissions and is not committer/approver
4. Expected: User A and B can see the request and its details
5. Expected: User C cannot see the request at all (unless they have Read permission)

Test Case 5: Mixed Secrets with Different Permissions

1. Create a role with SecretApprovalRequest.Read + Secrets.ReadValue for /dev/ only
2. Create an approval request that modifies secrets in both /dev/api/ and /prod/database/
3. Expected: User can view the request details
4. Expected:
   • Secret in /dev/api/ shows its value
   • Secret in /prod/database/ shows value masked as <hidden-by-infisical>

Type

• Fix
• Feature
• Improvement
• Breaking
• Docs
• Chore

Checklist

• Title follows conventional commit format
• Tested locally
• Updated docs
• Read the contributing guide

[maidul98]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[greptile-apps]

Greptile Overview

Greptile Summary

Added SecretApprovalRequest.Read permission to allow users to view all secret approval requests in a project, not just ones where they are committer or approver.

Key Changes:

• New permission subject secret-approval-request with read action
• Admin role receives this permission by default
• User access filtering made conditional - bypassed when user has Read permission
• Secret values still respect secrets.readValue permissions per environment/path
• Frontend UI updated to support configuring this permission in custom roles
• Documentation added explaining permission behavior

Security Model:

• Project isolation maintained - all queries still filter by projectId
• Secret values are controlled by existing secrets.readValue permissions, not overridden by this new permission
• Permission only grants visibility to request metadata and details, not automatic access to secret values
• Users without permission continue to see only requests where they are committer/approver (existing behavior)

Confidence Score: 5/5

• This PR is safe to merge with no critical issues found
• The implementation is well-structured with proper security controls: project isolation is maintained, secret values are protected by existing permissions, OR queries are properly grouped, and the permission model is correctly integrated throughout the stack
• No files require special attention

Important Files Changed

Filename	Overview
backend/src/ee/services/permission/project-permission.ts	Added new SecretApprovalRequest subject and Read action to permission system for viewing all approval requests
backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts	Made userId optional and extracted user access filter to helper function, properly grouped OR conditions
backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts	Added permission checks to conditionally show all requests vs user-specific requests based on new permission
frontend/src/pages/project/RoleDetailsBySlugPage/components/ProjectRoleModifySection.utils.tsx	Added UI support for configuring SecretApprovalRequest.Read permission in role editor, includes fix to skip empty permissions

[greptile-apps]

_{6 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[IgorHorta]

Didn't add the Describe permission since it would be essentially the same as read.. since read does not allow users to see secret value by default, unless they have permission to see that secret

[greptile-apps]

_{8 files reviewed, 4 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Additional Comments (3)

backend/src/ee/services/license/license-fns.ts
[P0] Unrelated on-prem feature flags flipped to true by default

In getDefaultOnPremFeatures, several EE features (e.g. secretApproval, secretRotation, secretAccessInsights, enterpriseSecretSyncs, secretShareExternalBranding) were changed from false to true (e.g. backend/src/ee/services/license/license-fns.ts:55-116). If this function is used as the baseline feature set for unlicensed/default on-prem installs, this would effectively enable paid/enterprise features without an explicit license grant. That’s likely unintended for an RBAC permission PR and could have billing/security implications (features exposed without entitlement).

---

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
[P1] Group approvers may lose details-view access due to mismatched approver checks

getSecretApprovals/DAL filtering treats a user as having access if they’re in an approver group (via UserGroupMembership), but the details endpoint gates access with !policy.approvers.find(({ userId }) => userId === actorId) (see backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts:313-320). If a policy approver is defined via group (no direct userId), a legitimate group-based approver could see the request in the list but get a 403 when opening details unless they also have SecretApprovalRequest.Read or are Admin/committer. That inconsistency is user-visible and likely not intended.

---

frontend/src/pages/project/RoleDetailsBySlugPage/components/ProjectRoleModifySection.utils.tsx
[P3] return inside forEach callback is easy to misread

In formRolePermission2API, the new early-exit (if (caslActions.length === 0) return;) only returns from the inner rules.forEach callback (not formRolePermission2API), which is correct but can be misread during maintenance (frontend/src/pages/project/RoleDetailsBySlugPage/components/ProjectRoleModifySection.utils.tsx:1539-1549). Consider using continue-like control via a plain for...of loop, or add a small comment clarifying the intent, to avoid accidental refactors that change behavior.

_{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}

[scott-ray-wilson]

Functionally this works great! few comments and thoughts

[scott-ray-wilson]

LGTM, tested permission behavior with outlined scenarios