Current behavior
When a second user is added to a team and marked as isManager = true, they only receive the EMPLOYEE role.
As a result:
- They receive 403 Forbidden errors when calling:
  GET /roles
  GET /employee/pagination?where[tenantId]=...&where[organizationId]=...
- They cannot assign roles to projects or view team members, despite the "Manager" label.
- This creates a functional mismatch between the UI (expectation of authority) and the actual permissions.
This is not a system crash or broken feature, but a logical bug that breaks expected behavior and delegation workflows in teams.
Steps to reproduce
- User A registers → creates workspace/team → is made Admin + Employee + isManager=true
- User B is added to the same team with isManager=true
- As User B:
  - Try to create a project
  - Try to assign a role to a team member
  - Observe the following:
    - 403 error on GET /roles
    - 403 error on GET /employee/pagination?...
Environment
Browser
Operating System
Relevant logs
403 Forbidden
GET /roles
GET /employee/pagination?where[tenantId]=...&where[organizationId]=...
{
"timestamp": "2025-06-30T16:49:45.745Z",
"level": "ERROR",
"message": "🚨 CRITICAL: HTTP 403 Forbidden - GET /roles - Permission Denied",
"context": "HttpClient",
"details": {
"statusCode": 403,
"statusText": "",
"headers": {
"content-type": "application/json; charset=utf-8"
},
"data": {
"message": "Forbidden resource",
"error": "Forbidden",
"statusCode": 403
},
"errorMessage": "Request failed with status code 403",
"errorName": "AxiosError",
"stack": "AxiosError: Request failed with status code 403\n at settle (webpack-internal:///(app-pages-browser)/../../node_modules/axios/lib/core/settle.js:24:12)\n at XMLHttpRequest.onloadend (webpack-internal:///(app-pages-browser)/../../node_modules/axios/lib/adapters/xhr.js:73:66)",
"criticalError": true,
"endpoint": "/roles",
"method": "GET",
"timestamp": "2025-06-30T16:49:45.744Z",
"debugInfo": {
"message": "This 403 error indicates a permission/authorization issue",
"possibleCauses": [
"User lacks required permissions",
"Invalid or expired authentication token",
"Resource access restrictions",
"Role-based access control (RBAC) denial"
]
}
}
}
{
"timestamp": "2025-06-30T16:49:50.778Z",
"level": "ERROR",
"message": "🚨 CRITICAL: HTTP 403 Forbidden - GET /employee/pagination?where%5BtenantId%5D=e781cbc5-e1bb-422c-94dc-bceb62e0babb&where%5BorganizationId%5D=20d61ec0-8683-4202-b1c4-d54d7aa32c70&relations%5B0%5D=user - Permission Denied",
"context": "HttpClient",
"details": {
"statusCode": 403,
"statusText": "",
"headers": {
"content-type": "application/json; charset=utf-8"
},
"data": {
"message": "Forbidden resource",
"error": "Forbidden",
"statusCode": 403
},
"errorMessage": "Request failed with status code 403",
"errorName": "AxiosError",
"stack": "AxiosError: Request failed with status code 403\n at settle (webpack-internal:///(app-pages-browser)/../../node_modules/axios/lib/core/settle.js:24:12)\n at XMLHttpRequest.onloadend (webpack-internal:///(app-pages-browser)/../../node_modules/axios/lib/adapters/xhr.js:73:66)",
"criticalError": true,
"endpoint": "/employee/pagination?where%5BtenantId%5D=e781cbc5-e1bb-422c-94dc-bceb62e0babb&where%5BorganizationId%5D=20d61ec0-8683-4202-b1c4-d54d7aa32c70&relations%5B0%5D=user",
"method": "GET",
"timestamp": "2025-06-30T16:49:50.778Z",
"debugInfo": {
"message": "This 403 error indicates a permission/authorization issue",
"possibleCauses": [
"User lacks required permissions",
"Invalid or expired authentication token",
"Resource access restrictions",
"Role-based access control (RBAC) denial"
]
}
}
}
error-2025-06-30.log
Additional information
After clarification with the Ever team:
- The isManager flag is not a real system role, nor is it tied to role-based permission logic (RBAC).
- Therefore, permissions like CHANGE_ROLES_PERMISSIONS or ORG_EMPLOYEES_VIEW are not granted to managers unless explicitly included in their role.
- The expectation that a team manager can assign roles or view team members is broken unless special case logic is implemented in backend APIs.
Suggested Backend-Side Solutions:
- Add logic such as:
  if (user.isManager && user.teamId === requestedTeamId) {
    // allow sensitive actions like GET /roles or GET /employee/pagination
  }
- Or centralize "Manager access logic" in one utility/service to handle this properly for all endpoints.
Note: As explained by @evereq, we should not create a TEAM_MANAGER role, since a person may be manager in one team but not others.
This is about scoped delegation logic, not system-wide RBAC roles.
Let’s define these backend cases more clearly to avoid confusion for future users and contributors.
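One way to centralize that scoped check, as an added example that is not Ever Gauzy code: it assumes a per-team membership record carrying its own isManager flag (so a user can be manager of one team and a plain member of another), and the types, permission set and sample user are constructed for illustration.

```typescript
// Added example, not Ever Gauzy code. Assumed data model: each user carries one
// membership record per team, with its own isManager flag (manager in one team,
// plain member in another), plus the RBAC permissions of their system role.
type TeamMembership = { teamId: string; organizationId: string; isManager: boolean };
type RequestUser = { id: string; tenantId: string; permissions: Set<string>; memberships: TeamMembership[] };
// Scope of the incoming request; teamId is optional because e.g. the
// /employee/pagination query in the report only carries tenantId/organizationId.
type RequestScope = { tenantId: string; organizationId: string; teamId?: string };

// The only permissions a manager may borrow inside a team they manage.
// A Set (not a plain object) so that prototype names like "toString" never match.
const MANAGER_DELEGATED = new Set<string>(['ORG_EMPLOYEES_VIEW', 'CHANGE_ROLES_PERMISSIONS']);

// Single decision point for "explicit RBAC permission OR scoped manager delegation".
function canPerform(user: RequestUser, permission: string, scope: RequestScope): boolean {
  // Tenant isolation is checked first; delegation must never cross tenants.
  if (user.tenantId !== scope.tenantId) return false;
  // Normal RBAC path: the role grants the permission outright.
  if (user.permissions.has(permission)) return true;
  // Delegation path: only for the delegated set, and only when the request is
  // pinned to a team. Without a teamId the caller could enumerate the whole
  // organization, so the handler has to pass the team it is serving.
  if (!MANAGER_DELEGATED.has(permission) || !scope.teamId) return false;
  return user.memberships.some(
    (m) => m.isManager && m.teamId === scope.teamId && m.organizationId === scope.organizationId,
  );
}

// Constructed sample: "User B" from the report, EMPLOYEE role only (no explicit
// permissions), manager of team-1 but an ordinary member of team-2.
const userB: RequestUser = {
  id: 'user-b',
  tenantId: 'tenant-1',
  permissions: new Set<string>(),
  memberships: [
    { teamId: 'team-1', organizationId: 'org-1', isManager: true },
    { teamId: 'team-2', organizationId: 'org-1', isManager: false },
  ],
};
const inTeam1: RequestScope = { tenantId: 'tenant-1', organizationId: 'org-1', teamId: 'team-1' };
const inTeam2: RequestScope = { tenantId: 'tenant-1', organizationId: 'org-1', teamId: 'team-2' };
const orgWide: RequestScope = { tenantId: 'tenant-1', organizationId: 'org-1' };

console.log(canPerform(userB, 'ORG_EMPLOYEES_VIEW', inTeam1)); // true: manager of team-1
console.log(canPerform(userB, 'ORG_EMPLOYEES_VIEW', inTeam2)); // false: not manager there
console.log(canPerform(userB, 'ORG_EMPLOYEES_VIEW', orgWide)); // false: no team scope
```

The third call shows the caveat for the pagination endpoint as logged: a request that names only tenantId and organizationId gives the delegation path nothing to scope to, so the handler must supply the team it is serving rather than widening the grant to the whole organization.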
CC: @evereq @CREDO23 @rahul-rocket @samuelmbabhazi