Hi there!
I noticed a bug in the CPF template where any user within the system organization (level 0) can see all navigation items, even if their permissions should restrict them. For example, if the White Label tab is configured to be visible only to the system tenancy and the admin role, a user with viewer permissions (such as a support agent) within the system org can still see it. The issue seems to stem from how the userLevel variable is checked in the cpf-element-nav workflow’s function block.
The original code:
    if(userLevel) {
        itemsHierarchy.forEach(setVisibility);
    }
Since the system organization has a userLevel of 0, this condition evaluates as falsy, allowing unintended visibility. Updating the condition to explicitly check for undefined and null ensures that 0 is treated correctly:
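    // Compare against undefined and null explicitly so that level 0 still runs the filter.
    if(userLevel !== undefined && userLevel !== null) {
        itemsHierarchy.forEach(setVisibility);
    }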
This seems to resolve the issue and might be worth addressing in the next update!
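Added example, not part of the original post or the CPF template's code: a self-contained reproduction of the truthiness check next to the explicit check, run against a constructed navigation list. The item shape, the role names, the `makeSetVisibility` helper and the fail-closed branch for a missing level are assumptions made for illustration.

```javascript
// Constructed sample data: item shape, role names and level numbers are
// assumptions for illustration, not the CPF template's real schema.
const NAV_ITEMS = [
  { name: "Dashboard", maxLevel: 2, roles: ["admin", "viewer"] },
  { name: "White Label", maxLevel: 0, roles: ["admin"] },
  { name: "Billing", maxLevel: 1, roles: ["admin"] },
];

// Hypothetical stand-in for the workflow's setVisibility callback: an item is
// shown only if the user's level and role both qualify.
function makeSetVisibility(userLevel, userRole) {
  return (item) => {
    item.visible = userLevel <= item.maxLevel && item.roles.includes(userRole);
  };
}

// Assumption: items start out visible, so skipping the filter fails open.
function freshItems() {
  return NAV_ITEMS.map((item) => ({ ...item, visible: true }));
}

// Truthiness check from the post: level 0 is falsy, so the filter never runs.
function visibleNavTruthy(userLevel, userRole) {
  const items = freshItems();
  if (userLevel) {
    items.forEach(makeSetVisibility(userLevel, userRole));
  }
  return items.filter((item) => item.visible).map((item) => item.name);
}

// Explicit null/undefined check, so level 0 is filtered like any other level.
// Hiding everything when the level is missing is an added fail-closed choice.
function visibleNavExplicit(userLevel, userRole) {
  const items = freshItems();
  if (userLevel !== undefined && userLevel !== null) {
    items.forEach(makeSetVisibility(userLevel, userRole));
  } else {
    items.forEach((item) => { item.visible = false; });
  }
  return items.filter((item) => item.visible).map((item) => item.name);
}

console.log(visibleNavTruthy(0, "viewer"));
console.log(visibleNavExplicit(0, "viewer"));
```

A regression test for this class of bug should include a level-0 user with a restricted role, since that is the only input where the two checks diverge.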