Management panel visibility (TS-2914)

[anttimaki]

No description provided.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

This change updates the package management page to expand moderator access and refactor its data loading pipeline. The Manage Package UI block now displays for users with either manager or moderator permissions. The package edit page's clientLoader function is refactored to fetch listing data via getPrivateListing and parallel-load permissions and filters, with early error handling for authentication and authorization failures. A skeleton loading state is added via new CSS styling. Data structure access patterns throughout the component are updated to reflect the new loader schema.

Possibly related PRs

• Add package management tools #1507: Adds package permissions (including can_moderate/can_manage flags) that directly enable the expanded Manage Package block visibility in ManagementTools.
• Fix env variable issues and session revalidation #1513: Modifies the same clientLoader signature and data-loading behavior in packageEdit.tsx, affecting how session and permission state are sourced.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.
Description check	❓ Inconclusive	No pull request description was provided by the author, making it impossible to assess relatedness to the changeset.	Add a description explaining the changes, such as: 'Allow moderators to access the management panel by checking both can_manage and can_moderate permissions.' Reference the ticket TS-2914 and highlight any broader impacts.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Management panel visibility (TS-2914)' clearly summarizes the primary change: broadening management UI visibility to moderators, aligning with the main objective of the PR.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[anttimaki]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/cyberstorm-remix/app/p/packageEdit.tsx (1)

82-93: Rules of Hooks violation: hooks called after conditional return.

Hooks (useOutletContext, useToast, useRevalidator) are called after the early return on line 86-87. This violates React's Rules of Hooks—hooks must be called unconditionally and in the same order on every render.

Move all hooks above the early return:

Proposed fix

 export default function PackageListing() {
   const loaderData = useLoaderData<typeof loader | typeof clientLoader>();
+  const outletContext = useOutletContext() as OutletContextShape;
+  const config = outletContext.requestConfig;
+  const toast = useToast();
+  const revalidator = useRevalidator();

   if (!loaderData) {
     return <SkeletonBox className="package-edit__skeleton" />;
   }

   const { listing, filters, permissions } = loaderData;
-  const outletContext = useOutletContext() as OutletContextShape;
-  const config = outletContext.requestConfig;
-  const toast = useToast();
-  const revalidator = useRevalidator();

🧹 Nitpick comments (1)

apps/cyberstorm-remix/app/p/packageEdit.tsx (1)

41-45: Module-level Response object.

The package404 Response is created once at module load time and reused. While this works in React Router (the thrown Response is used for status/headers), consider creating it inline within the throw statements for clarity and to avoid potential issues if the Response body is ever consumed.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7aa6c26 and dc065a2.

📒 Files selected for processing (3)

• apps/cyberstorm-remix/app/p/components/PackageListing/ManagementTools.tsx (1 hunks)
• apps/cyberstorm-remix/app/p/packageEdit.css (1 hunks)
• apps/cyberstorm-remix/app/p/packageEdit.tsx (8 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Test

🔇 Additional comments (4)

apps/cyberstorm-remix/app/p/components/PackageListing/ManagementTools.tsx (1)

84-100: LGTM!

The expanded permission check aligns with the authorization logic in packageEdit.tsx clientLoader. Moderators can now access the management panel as intended.

apps/cyberstorm-remix/app/p/packageEdit.css (1)

88-91: LGTM!

Clean skeleton style addition for the loading state.

apps/cyberstorm-remix/app/p/packageEdit.tsx (2)

204-244: LGTM!

Permission checks for individual actions (can_unlist, can_manage_deprecation) are appropriately granular, separate from page access permissions.

---

54-77: Incorrect error handling approach: ApiError doesn't have a status property.

The suggested fix references error.status, but ApiError has a response property instead. Check error.response.status to access the HTTP status code.

That said, the underlying concern has merit: if getPrivateListing or other API calls fail with 401/403, they're masked as 404. The explicit auth checks at lines 65–72 work correctly since they throw Response objects directly, but auth errors from the API calls would lose their status codes.

If preserving auth error responses is important, use error.response.status to distinguish:

} catch (error) {
  if (error instanceof ApiError) {
+   if (error.response.status === 401 || error.response.status === 403) {
+     throw new Response(error.message, { status: error.response.status });
+   }
    throw package404;
  }
  throw error;
}

Note: The current behavior might be intentional for security reasons.

[codecov]

Codecov Report

❌ Patch coverage is 0% with 38 lines in your changes missing coverage. Please review.
✅ Project coverage is 11.76%. Comparing base (7aa6c26) to head (6e5f19e).

Files with missing lines	Patch %	Lines
apps/cyberstorm-remix/app/p/packageEdit.tsx	0.00%	37 Missing ⚠️
...pp/p/components/PackageListing/ManagementTools.tsx	0.00%	1 Missing ⚠️

Additional details and impacted files

@@                     Coverage Diff                      @@
##           version-dependency-merge    #1667      +/-   ##
============================================================
+ Coverage                     11.73%   11.76%   +0.03%     
============================================================
  Files                           320      320              
  Lines                         22796    22754      -42     
  Branches                        509      510       +1     
============================================================
+ Hits                           2676     2678       +2     
+ Misses                        20120    20076      -44     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Roffenlund]

Approved. Several changes are similar to what has been merged in #1670.