Add read-only indicators and access guards for declarative resources

[rajithacharith]

Purpose

Backend API list endpoints return an isReadOnly flag for declarative (file-based) resources. This PR wires up the frontend to visually indicate when a resource is read-only and prevent any mutation actions on those resources.

Affected resources: Applications, Agents, Groups, Roles, User Types, Users, Flows, Organization Units, Themes

---

Approach

List views

• Replaced the previous Chip-based "Read Only" label with a Lock icon button in the actions column (DataGrid lists) — clicking is disabled and hovering shows a "Read Only" tooltip.
• For read-only rows, the Edit and Delete action buttons are completely replaced by the single Lock icon.
• Row click navigation is blocked for read-only flows.

Organization Units (tree view)

• The OU list uses a RichTreeView rather than a DataGrid. For read-only items the Plus/Edit/Delete icon buttons in each tree node are replaced by a single Lock icon with a tooltip.
• isReadOnly is propagated through buildTreeItems → OrganizationUnitTreeItem → buildItemMap → CustomTreeItem.

Themes (card grid)

• The Themes page uses a card grid (ItemCard) instead of a table. For read-only themes:
  • A Lock badge is shown permanently in the top-right corner of the thumbnail.
  • Click is disabled and hover effects are suppressed.
• isReadOnly added to ThemeListItem model.

Edit pages

• An informational Alert banner is shown at the top of edit pages when the resource is read-only.
• Save, delete, and inline edit actions are disabled or hidden when isReadOnly is true.
• Organization Unit edit: ResourceAvatar made non-editable, inline name/description edit buttons hidden, delete section hidden, UnsavedChangesBar save button disabled.
• Flow builder: Save button disabled by passing onSave={undefined} when the flow is read-only.

Bug fixes

• Fixed missing Box and Chip imports in FlowsList.tsx and RolesList.tsx that caused render failures.

Related Issues

• N/A

Related PRs

• N/A

Checklist

• Followed the contribution guidelines.
• Manual test round performed and verified.
• Documentation provided. (Add links if there are any)
  • Ran Vale and fixed all errors and warnings
• Tests provided. (Add links if there are any)
  • Unit Tests
  • Integration Tests
• Breaking changes. (Fill if applicable)
  • Breaking changes section filled.
  • breaking change label added.

Security checks

• Followed secure coding standards in WSO2 Secure Coding Guidelines
• Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets.

Summary by CodeRabbit

Release Notes

• New Features
  • Added read-only mode support for resources across agents, applications, flows, groups, roles, user types, organization units, users, and themes.
  • Read-only resources display a lock indicator instead of edit/delete actions, preventing accidental modifications.
  • Informational alerts notify users when viewing read-only resources.
  • Save operations are disabled for read-only resources.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request adds read-only resource protection across the console. It introduces an isReadOnly boolean field to domain models for agents, applications, flows, groups, roles, user types, identity providers, users, themes, and organization units. UI layers conditionally hide edit/delete controls, display lock icons in list grids, show informational alerts on edit pages, and disable save buttons when resources are marked read-only. Edit settings components make delete handlers optional and conditionally render delete sections.

Changes

Read-Only Resource Protection

Layer / File(s)	Summary
Data models with isReadOnly field frontend/apps/console/src/features/agents/models/agent.ts, frontend/apps/console/src/features/applications/models/application.ts, frontend/apps/console/src/features/flows/models/responses.ts, frontend/apps/console/src/features/groups/models/group.ts, frontend/apps/console/src/features/roles/models/role.ts, frontend/apps/console/src/features/user-types/types/user-types.ts, frontend/apps/console/src/features/integrations/models/identity-provider.ts, frontend/packages/types/src/concepts/user.ts, frontend/packages/design/src/models/responses.ts, frontend/packages/configure-organization-units/src/models/organization-unit.ts, frontend/packages/configure-organization-units/src/models/organization-unit-tree.ts	Agent, application, flow, group, role, user type, identity provider, user, theme, and organization unit models gain optional isReadOnly?: boolean field.
List component actions with read-only lock icons frontend/apps/console/src/features/agents/components/AgentsList.tsx, frontend/apps/console/src/features/applications/components/ApplicationsList.tsx, frontend/apps/console/src/features/flows/components/FlowsList.tsx, frontend/apps/console/src/features/groups/components/GroupsList.tsx, frontend/apps/console/src/features/roles/components/RolesList.tsx, frontend/apps/console/src/features/user-types/components/UserTypesList.tsx, frontend/packages/configure-users/src/components/UsersList.tsx, frontend/packages/configure-organization-units/src/components/OrganizationUnitsTreeView.tsx	List and tree grids add Lock icon imports; conditionally render lock icon with read-only tooltip instead of edit/delete buttons; prevent row navigation when isReadOnly is true.
Edit/View pages: read-only alerts, disabled controls, and save prevention frontend/apps/console/src/features/agents/pages/AgentEditPage.tsx, frontend/apps/console/src/features/applications/pages/ApplicationEditPage.tsx, frontend/apps/console/src/features/groups/pages/GroupEditPage.tsx, frontend/apps/console/src/features/roles/pages/RoleEditPage.tsx, frontend/apps/console/src/features/user-types/pages/ViewUserTypePage.tsx, frontend/packages/configure-users/src/pages/UserEditPage.tsx, frontend/packages/configure-organization-units/src/pages/OrganizationUnitEditPage.tsx	Edit/view pages render informational read-only alerts, hide inline edit icon buttons, conditionally disable logo/avatar editing, and disable save buttons when isReadOnly is true.
Optional delete handler for edit settings components frontend/apps/console/src/features/groups/components/edit-group/general-settings/EditGeneralSettings.tsx, frontend/apps/console/src/features/roles/components/edit-role/general-settings/EditGeneralSettings.tsx, frontend/apps/console/src/features/user-types/components/edit-user-type/general-settings/EditGeneralSettings.tsx, frontend/packages/configure-organization-units/src/components/edit-organization-unit/general-settings/EditGeneralSettings.tsx	Make onDeleteClick prop optional; conditionally render Danger Zone delete sections only when delete handler is provided; support disabling deletion for read-only resources.
UI component updates and supporting changes frontend/apps/console/src/features/design/components/common/ItemCard.tsx, frontend/apps/console/src/features/design/pages/DesignPage.tsx, frontend/apps/console/src/features/applications/components/edit-application/general-settings/EditGeneralSettings.tsx, frontend/apps/console/src/features/login-flow/components/LoginFlowBuilder.tsx, frontend/apps/console/src/features/flows/components/visual-flow/DecoratedVisualFlow.tsx, frontend/packages/i18n/src/locales/en-US.ts, frontend/packages/configure-organization-units/src/utils/buildTreeItems.ts	ItemCard adds read-only prop with lock icon and disabled navigation; application danger zone visibility respects read-only flag; DecoratedVisualFlow save button accounts for missing onSave callback; LoginFlowBuilder disables save when flow is read-only; new translation key added for "Read Only" status; tree building utility propagates isReadOnly.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• thunder-id/thunderid#1350: Implements Organization Units read-only UI by conditionally rendering Lock icons and suppressing add/edit/delete actions in tree view when resource is read-only.

Suggested labels

Type/Improvement

Suggested reviewers

• jeradrutnam
• brionmario
• DonOmalVindula

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title clearly and specifically summarizes the main change: adding read-only indicators and access guards for declarative resources, which aligns with the comprehensive changeset across multiple resource types.
Description check	✅ Passed	The PR description provides a detailed and well-structured explanation covering purpose, approach (list views, tree views, card grids, edit pages, bug fixes), related issues/PRs, and a checklist. All required template sections are present and substantively filled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

frontend/apps/console/src/features/agents/components/AgentsList.tsx

ESLint skipped: missing config or dependency (missing-dependency). The ESLint configuration references a package that is not available in the sandbox.

frontend/apps/console/src/features/agents/models/agent.ts

ESLint skipped: the ESLint configuration for this file references a package that is not available in the sandbox.

frontend/apps/console/src/features/agents/pages/AgentEditPage.tsx

ESLint skipped: the ESLint configuration for this file references a package that is not available in the sandbox.

• 34 others

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

frontend/packages/configure-organization-units/src/components/OrganizationUnitsTreeView.tsx (1)

430-436: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Read-only OUs still expose an add-child action path.

fetchChildItems always prepends the synthetic add-child node, so expanding a read-only OU still allows creating children via that row. This bypasses the read-only access guard.

Suggested fix

   const result = await fetchChildPage(parentId, 0);
   const childOUs = result.organizationUnits;
   const parentItem = findTreeItem(treeItemsRef.current, parentId);
-  const addChildItem = buildAddChildItem(parentId, parentItem?.label ?? '', parentItem?.handle ?? '');
-  const items = childOUs.length > 0 ? [addChildItem, ...buildTreeItems(childOUs)] : [addChildItem];
+  const canAddChild = !parentItem?.isReadOnly;
+  const items = buildTreeItems(childOUs);
+
+  if (canAddChild) {
+    items.unshift(buildAddChildItem(parentId, parentItem?.label ?? '', parentItem?.handle ?? ''));
+  }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@frontend/packages/configure-organization-units/src/components/OrganizationUnitsTreeView.tsx`
around lines 430 - 436, The code always prepends the synthetic add-child node
(via buildAddChildItem) which lets users create children on read-only OUs;
change the logic after finding parentItem (findTreeItem/ treeItemsRef.current)
to only create/prepend addChildItem when the parent item is present and not
read-only (e.g., check parentItem?.readOnly === false or parentItem?.isReadOnly
=== false / or a capability flag like parentItem?.canCreateChildren), then
construct items as [addChildItem, ...buildTreeItems(childOUs)] only when that
check passes, otherwise return only buildTreeItems(childOUs) (or [ ] if none).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@frontend/apps/console/src/features/agents/components/AgentsList.tsx`:
- Around line 127-133: The row click handler is firing even for read-only rows;
update the onRowClick logic in AgentsList (where onRowClick currently always
navigates) to first check params.row.isReadOnly and return early if true, and
modify the Lock IconButton (the small IconButton rendered when
params.row.isReadOnly is true) to call event.stopPropagation() in its click
handler so clicks on the lock do not bubble to the row; ensure you reference
params.row.isReadOnly, the onRowClick function, and the IconButton/Lock render
branch when making the changes.

In
`@frontend/apps/console/src/features/applications/components/ApplicationsList.tsx`:
- Around line 135-139: The row click handler in ApplicationsList.tsx currently
navigates unconditionally and bypasses the read-only guard; update the handler
(e.g., the onRowClick or handleRowClick function that calls navigate) to check
params.row.isReadOnly and return/do nothing when true, mirroring the existing
isReadOnly check used for action buttons (where params.row.isReadOnly is used);
ensure this same guard is applied wherever navigation on row click occurs so
read-only applications cannot be opened by clicking the row.

In `@frontend/apps/console/src/features/groups/components/GroupsList.tsx`:
- Around line 113-119: The row click handler in GroupsList.tsx currently
navigates for every row and bypasses the lock icon's read-only intent; update
the row click handler (the onRowClick/handleRowClick function used for DataGrid
rows) to check params.row.isReadOnly and return early (no navigation) when true,
preserving the lock-only UI behavior; ensure you reference the same params.row
object used in the render cell (the isReadOnly property) so read-only rows are
not navigable.

In `@frontend/apps/console/src/features/roles/components/RolesList.tsx`:
- Around line 113-119: The row click handler currently navigates even for
read-only roles; update the onRowClick (or the function handling row activation)
to check params.row.isReadOnly and return early (no-op) when true so clicks on
locked rows do nothing; apply the same guard to the second occurrence referenced
(the other row click handler around the 174-181 block) and ensure any navigation
calls (e.g., history.push or navigate) are skipped for read-only rows.

---

Outside diff comments:
In
`@frontend/packages/configure-organization-units/src/components/OrganizationUnitsTreeView.tsx`:
- Around line 430-436: The code always prepends the synthetic add-child node
(via buildAddChildItem) which lets users create children on read-only OUs;
change the logic after finding parentItem (findTreeItem/ treeItemsRef.current)
to only create/prepend addChildItem when the parent item is present and not
read-only (e.g., check parentItem?.readOnly === false or parentItem?.isReadOnly
=== false / or a capability flag like parentItem?.canCreateChildren), then
construct items as [addChildItem, ...buildTreeItems(childOUs)] only when that
check passes, otherwise return only buildTreeItems(childOUs) (or [ ] if none).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: b03f7718-be0a-4d9d-a01c-03439509c467

📥 Commits

Reviewing files that changed from the base of the PR and between 3c41128 and 8ef4c0f.

📒 Files selected for processing (37)

• frontend/apps/console/src/features/agents/components/AgentsList.tsx
• frontend/apps/console/src/features/agents/models/agent.ts
• frontend/apps/console/src/features/agents/pages/AgentEditPage.tsx
• frontend/apps/console/src/features/applications/components/ApplicationsList.tsx
• frontend/apps/console/src/features/applications/components/edit-application/general-settings/EditGeneralSettings.tsx
• frontend/apps/console/src/features/applications/models/application.ts
• frontend/apps/console/src/features/applications/pages/ApplicationEditPage.tsx
• frontend/apps/console/src/features/design/components/common/ItemCard.tsx
• frontend/apps/console/src/features/design/pages/DesignPage.tsx
• frontend/apps/console/src/features/flows/components/FlowsList.tsx
• frontend/apps/console/src/features/flows/components/visual-flow/DecoratedVisualFlow.tsx
• frontend/apps/console/src/features/flows/models/responses.ts
• frontend/apps/console/src/features/groups/components/GroupsList.tsx
• frontend/apps/console/src/features/groups/components/edit-group/general-settings/EditGeneralSettings.tsx
• frontend/apps/console/src/features/groups/models/group.ts
• frontend/apps/console/src/features/groups/pages/GroupEditPage.tsx
• frontend/apps/console/src/features/integrations/models/identity-provider.ts
• frontend/apps/console/src/features/login-flow/components/LoginFlowBuilder.tsx
• frontend/apps/console/src/features/roles/components/RolesList.tsx
• frontend/apps/console/src/features/roles/components/edit-role/general-settings/EditGeneralSettings.tsx
• frontend/apps/console/src/features/roles/models/role.ts
• frontend/apps/console/src/features/roles/pages/RoleEditPage.tsx
• frontend/apps/console/src/features/user-types/components/UserTypesList.tsx
• frontend/apps/console/src/features/user-types/components/edit-user-type/general-settings/EditGeneralSettings.tsx
• frontend/apps/console/src/features/user-types/pages/ViewUserTypePage.tsx
• frontend/apps/console/src/features/user-types/types/user-types.ts
• frontend/packages/configure-organization-units/src/components/OrganizationUnitsTreeView.tsx
• frontend/packages/configure-organization-units/src/components/edit-organization-unit/general-settings/EditGeneralSettings.tsx
• frontend/packages/configure-organization-units/src/models/organization-unit-tree.ts
• frontend/packages/configure-organization-units/src/models/organization-unit.ts
• frontend/packages/configure-organization-units/src/pages/OrganizationUnitEditPage.tsx
• frontend/packages/configure-organization-units/src/utils/buildTreeItems.ts
• frontend/packages/configure-users/src/components/UsersList.tsx
• frontend/packages/configure-users/src/pages/UserEditPage.tsx
• frontend/packages/design/src/models/responses.ts
• frontend/packages/i18n/src/locales/en-US.ts
• frontend/packages/types/src/concepts/user.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Read-only rows are still navigable via row click.

Line 188 always navigates, so a read-only row (including clicking the lock icon) still opens edit. Gate onRowClick with isReadOnly and stop propagation on the lock button.

Suggested fix

             onRowClick={(params) => {
-              handleEditClick((params.row as BasicAgent).id);
+              if (!(params.row as BasicAgent).isReadOnly) {
+                handleEditClick((params.row as BasicAgent).id);
+              }
             }}

             {params.row.isReadOnly ? (
               <Tooltip title={t('common:status.readOnly', 'Read Only')}>
-                <IconButton size="small" disableRipple sx={{cursor: 'default'}}>
+                <IconButton
+                  size="small"
+                  disableRipple
+                  sx={{cursor: 'default'}}
+                  onClick={(e) => e.stopPropagation()}
+                >
                   <Lock size={16} />
                 </IconButton>
               </Tooltip>

Also applies to: 188-190

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/apps/console/src/features/agents/components/AgentsList.tsx` around
lines 127 - 133, The row click handler is firing even for read-only rows; update
the onRowClick logic in AgentsList (where onRowClick currently always navigates)
to first check params.row.isReadOnly and return early if true, and modify the
Lock IconButton (the small IconButton rendered when params.row.isReadOnly is
true) to call event.stopPropagation() in its click handler so clicks on the lock
do not bubble to the row; ensure you reference params.row.isReadOnly, the
onRowClick function, and the IconButton/Lock render branch when making the
changes.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Row-click bypasses the read-only guard.

Line 198 navigates unconditionally, so read-only applications can still be opened from row click. Add the same isReadOnly check used in actions.

Suggested fix

            onRowClick={(params) => {
-              handleEditClick((params.row as BasicApplication).id);
+              if (!(params.row as BasicApplication).isReadOnly) {
+                handleEditClick((params.row as BasicApplication).id);
+              }
            }}

Also applies to: 198-200

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@frontend/apps/console/src/features/applications/components/ApplicationsList.tsx`
around lines 135 - 139, The row click handler in ApplicationsList.tsx currently
navigates unconditionally and bypasses the read-only guard; update the handler
(e.g., the onRowClick or handleRowClick function that calls navigate) to check
params.row.isReadOnly and return/do nothing when true, mirroring the existing
isReadOnly check used for action buttons (where params.row.isReadOnly is used);
ensure this same guard is applied wherever navigation on row click occurs so
read-only applications cannot be opened by clicking the row.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Read-only groups can still be opened via row click.

The row handler (Line 174 onward) navigates without checking isReadOnly, so the lock-only action state is bypassed.

Suggested fix

            onRowClick={(params) => {
-              const groupId = (params.row as GroupBasic).id;
+              if ((params.row as GroupBasic).isReadOnly) {
+                return;
+              }
+              const groupId = (params.row as GroupBasic).id;
               (async (): Promise<void> => {
                 await navigate(`/groups/${groupId}`);
               })().catch((_error: unknown) => {
                 logger.error('Failed to navigate to group', {error: _error, groupId});
               });
             }}

Also applies to: 174-181

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/apps/console/src/features/groups/components/GroupsList.tsx` around
lines 113 - 119, The row click handler in GroupsList.tsx currently navigates for
every row and bypasses the lock icon's read-only intent; update the row click
handler (the onRowClick/handleRowClick function used for DataGrid rows) to check
params.row.isReadOnly and return early (no navigation) when true, preserving the
lock-only UI behavior; ensure you reference the same params.row object used in
the render cell (the isReadOnly property) so read-only rows are not navigable.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Read-only role guard is bypassed on row click.

The row click path still navigates regardless of isReadOnly, which undermines the lock-only action rendering.

Suggested fix

            onRowClick={(params) => {
+              if ((params.row as RoleSummary).isReadOnly) {
+                return;
+              }
               const roleId = (params.row as RoleSummary).id;
               (async (): Promise<void> => {
                 await navigate(`/roles/${roleId}`);
               })().catch((_error: unknown) => {
                 logger.error('Failed to navigate to role', {error: _error, roleId});
               });
             }}

Also applies to: 174-181

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/apps/console/src/features/roles/components/RolesList.tsx` around
lines 113 - 119, The row click handler currently navigates even for read-only
roles; update the onRowClick (or the function handling row activation) to check
params.row.isReadOnly and return early (no-op) when true so clicks on locked
rows do nothing; apply the same guard to the second occurrence referenced (the
other row click handler around the 174-181 block) and ensure any navigation
calls (e.g., history.push or navigate) are skipped for read-only rows.

[codecov]

Codecov Report

❌ Patch coverage is 94.93671% with 4 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
.../console/src/features/roles/pages/RoleEditPage.tsx	55.55%	4 Missing ⚠️

📢 Thoughts on this report? Let us know!