Skip to content

[CHORE][UI]: Normalize team_id consistently across JS coercion checks and isTeamScopedView #3338

@crivetimihai

Description

@crivetimihai

Problem

isTeamScopedView() in admin.js:207 trims team_id before checking emptiness:

function isTeamScopedView() {
    const teamId = new URLSearchParams(window.location.search).get("team_id");
    return Boolean(teamId && teamId.trim() !== "");
}

But the visibility coercion logic in all 6 edit functions (editTool, editA2AAgent, editResource, editPrompt, editGateway, editServer) checks raw teamId truthiness without trimming:

const effectiveVisibility =
    window.ALLOW_PUBLIC_VISIBILITY === false &&
    visibility === "public" &&
    teamId          // ← raw truthiness, no trim
        ? "team"
        : visibility;

The server-side check in _check_public_visibility_allowed (admin.py:1306) also uses raw truthiness:

if not settings.allow_public_visibility and visibility == "public" and team_id:

Impact

With a malformed URL like ?team_id=%20 (whitespace-only):

  • isTeamScopedView() returns false (trimmed empty string)
  • Edit function coercion treats it as team-scoped (" " is truthy)
  • applyVisibilityRestrictions does NOT disable the public radio (relies on isTeamScopedView)
  • Result: coercion silently changes public→team, but the public radio appears enabled

Not a security issue (server still blocks public visibility submission), but produces confusing UX.

Suggested Fix

Make the edit function coercion checks use isTeamScopedView() instead of raw teamId truthiness. For functions that use a local _teamId variable solely for the coercion check (editResource, editPrompt, editServer), replace it with isTeamScopedView(). For the others, replace just the coercion condition.

Optionally, also normalize on the server side in _check_public_visibility_allowed with team_id and team_id.strip().

References

Metadata

Metadata

Assignees

Labels

COULDP3: Nice-to-have features with minimal impact if left out; included if time permitschoreLinting, formatting, dependency hygiene, or project maintenance choresuiUser Interface

Type

No fields configured for Task.

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions