The role page in Athenz UI breaks when a role has a group member that no longer exists. The UI calls getGroup for each group member in Promise.all(), and a single 404 causes the whole page to fail.
This can happen when a domain template containing groups is deleted via deleteDomainTemplate. The normal deleteGroup API runs groupMemberConsistencyCheck and would reject the deletion, but the template deletion path does not.
Steps to reproduce
- Apply a domain template that creates a group (e.g.,
tmpltest:group.mygroup)
- Add that group as a member to a role in another domain (e.g.,
victim:role.myrole)
- Delete the domain template via
deleteDomainTemplate
- Open
victim:role.myrole members page in UI
- Page fails:
getGroup: Group not found: 'tmpltest:group.mygroup'
What should happen
The role page should still load. The deleted group member can remain in the list without expanded details.
The role page in Athenz UI breaks when a role has a group member that no longer exists. The UI calls
getGroupfor each group member inPromise.all(), and a single 404 causes the whole page to fail.This can happen when a domain template containing groups is deleted via
deleteDomainTemplate. The normaldeleteGroupAPI runsgroupMemberConsistencyCheckand would reject the deletion, but the template deletion path does not.Steps to reproduce
tmpltest:group.mygroup)victim:role.myrole)deleteDomainTemplatevictim:role.myrolemembers page in UIgetGroup: Group not found: 'tmpltest:group.mygroup'What should happen
The role page should still load. The deleted group member can remain in the list without expanded details.