Bug in CPF template: System org users can see all navigation items, regardless of permissions

Hi there!

I noticed a bug in the CPF template where any user within the system organization (level 0) can see all navigation items, even if their permissions should restrict them. For example, if the White Label tab is configured to be visible only to the system tenancy and the admin role, a user with viewer permissions (such as a support agent) within the system org can still see it. The issue seems to stem from how the userLevel variable is checked in the cpf-element-nav workflow’s function block.

The original code:

if(userLevel) {
    itemsHierarchy.forEach(setVisibility);
}

Since the system organization has a userLevel of 0, this condition evaluates as falsy, allowing unintended visibility. Updating the condition to explicitly check for undefined and null ensures that 0 is treated correctly:

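// Skip only when userLevel is missing; 0 (system org) still runs the check.
if(userLevel !== undefined && userLevel !== null) {
    itemsHierarchy.forEach(setVisibility);
}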

This seems to resolve the issue and might be worth addressing in the next update!

There are a few places within the CPF where members of the System group (level=0) are treated specially and permission checks are skipped.

Therefore, it is not recommended to assign users to the System group and then attempt to limit their role. It should be assumed that every member of that group can do everything. The CPF doesn’t have a fully built concept of a system-wide view-level user.

The code you mentioned is designed to check for the system admin (treating zero as falsy). The function node will not be hit otherwise since the workflow ends higher up if the user is not a member in the hierarchy. So while that change may correctly hide the visibility of the nav item, there are many other actions that user can perform that you likely don’t want them to.
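
The truthiness check discussed in this thread, set beside an explicit missing-value check, as an added example that is not part of the original posts and not CPF code. The item fields (`maxLevel`, `roles`), the helper names and the sample users are assumptions made for illustration; only `userLevel` being 0 for the system org comes from the thread.

```javascript
// Constructed sample data: item names, fields and roles are assumptions,
// not the CPF template's real schema.
const navItems = [
  { name: "Dashboard",   maxLevel: null, roles: ["admin", "viewer"] },
  { name: "Users",       maxLevel: null, roles: ["admin"] },
  { name: "White Label", maxLevel: 0,    roles: ["admin"] }, // system tenancy + admin only
];

// Per-item rule: the user's level must satisfy the item's tenancy restriction
// (lower number = higher in the hierarchy) and the user's role must be listed.
function isAllowed(item, user) {
  const levelOk = item.maxLevel === null || user.level <= item.maxLevel;
  return levelOk && item.roles.includes(user.role);
}

// Pattern from the thread: a truthiness test on the level. Level 0 is falsy,
// so the per-item rule never runs and every item keeps its default visibility.
function visibleTruthy(user) {
  const items = navItems.map((i) => ({ ...i, visible: true }));
  if (user.level) {
    items.forEach((i) => { i.visible = isAllowed(i, user); });
  }
  return items.filter((i) => i.visible).map((i) => i.name);
}

// Explicit test: only a missing level (undefined or null) is special, and it
// fails closed (a design choice of this example). Level 0 gets the normal rule.
function visibleExplicit(user) {
  if (user.level === undefined || user.level === null) return [];
  return navItems.filter((i) => isAllowed(i, user)).map((i) => i.name);
}

// Constructed users for the comparison.
const sysViewer = { level: 0, role: "viewer" };   // e.g. a support agent
const sysAdmin = { level: 0, role: "admin" };
const tenantAdmin = { level: 2, role: "admin" };

console.log("truthy,   system viewer:", visibleTruthy(sysViewer));
console.log("explicit, system viewer:", visibleExplicit(sysViewer));
console.log("explicit, system admin: ", visibleExplicit(sysAdmin));
console.log("explicit, tenant admin: ", visibleExplicit(tenantAdmin));
```

This covers navigation visibility only; as the reply notes, other permission checks in the CPF are also skipped for level 0 members, so a hidden item does not by itself restrict what such a user can do.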