Unauthorized Access to 'Edit Config' Option in Users & Authentication Section for Users Without Sufficient Permissions #10780
Labels: JIRA, kind/bug, QA/dev-automation, status/backport-candidate
Internal reference: SURE-8160
Describe the bug
When a non-admin user, whether backed by a local auth provider or an external auth provider, navigates in the Rancher UI to Users & Authentication, they can see their own user object listed there.
If the user clicks the 'Edit Config' option and tries to edit any value, such as the password, a permission error is shown to the user.
The 'Edit Config' option should not be shown to users unless they are admins or have the required permissions.
To Reproduce
Log in to the Rancher UI as a local auth user or an IDP user and navigate to Users & Authentication.
After clicking the three dots, the user sees the 'Edit Config' option. However, if the user tries to edit anything (the password, for example), a 'Forbidden: permission denied' error is shown.
Result
A user with insufficient permissions can see the 'Edit config' option for the user object.
Expected Result
The 'Edit config' option for user objects should not be available for users who do not have the right permissions.
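As an added illustration of the expected behaviour (this is example code, not code from the Rancher dashboard), the action menu below derives the visibility of 'Edit Config' from the permission the API reports for the resource instead of showing it unconditionally. It assumes the backend adds a `links.update` entry to a resource only when the caller may update it; the two sample user objects are constructed.

```javascript
// Added example, not Rancher dashboard code. Assumption: the backend marks a
// resource the caller may modify with a `links.update` URL and omits it
// otherwise, so the UI can hide actions the server would reject with 403 anyway.

// Constructed sample resources: the same user object as seen by a non-admin
// (Standard User / User-Base) and as seen by an admin.
const OWN_USER_AS_STANDARD_USER = {
  id: 'u-abc12',
  type: 'user',
  links: { self: '/v1/users/u-abc12' }, // no `update`: caller may only read
};
const OWN_USER_AS_ADMIN = {
  id: 'u-abc12',
  type: 'user',
  links: { self: '/v1/users/u-abc12', update: '/v1/users/u-abc12' },
};

// Server-reported capability is the single source of truth for the menu.
function canUpdate(resource) {
  return Boolean(resource && resource.links && resource.links.update);
}

// Build the three-dots menu for a user object. 'View' is always offered;
// mutating actions appear only when the caller holds update permission.
function availableActions(resource) {
  const actions = [{ action: 'view', label: 'View' }];
  if (canUpdate(resource)) {
    actions.push({ action: 'editConfig', label: 'Edit Config' });
  }
  return actions;
}

// Defence in depth: even if a menu entry were rendered, refuse to start the
// edit without the capability, so a stale or tampered menu cannot bypass it.
function startEdit(resource) {
  if (!canUpdate(resource)) {
    return { ok: false, reason: 'forbidden' };
  }
  return { ok: true, target: resource.links.update };
}
```

Hiding the option is a usability fix; the server-side 'Forbidden' response seen in the report remains the actual access control and must stay in place.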
Additional context
Happens to users with the Global Permissions 'Standard User' and 'User-Base'.