From 9d548be01500dac40d9cb1a29f035775df5a6f52 Mon Sep 17 00:00:00 2001
From: bbimber <bbimber@gmail.com>
Date: Fri, 9 Jan 2026 11:40:54 -0800
Subject: [PATCH 1/3] Change default permission for Bulk Edit

---
 .../org/labkey/api/ldk/buttons/ShowBulkEditButton.java |  8 +++++++-
 .../labkey/api/ldk/security/DataAdminPermission.java   | 10 ++++++++++
 LDK/resources/views/apiBulkEdit.view.xml               |  2 +-
 .../src/org/labkey/laboratory/LaboratoryModule.java    |  2 +-
 .../laboratory/security/LaboratoryAdminRole.java       |  2 ++
 5 files changed, 21 insertions(+), 3 deletions(-)
 create mode 100644 LDK/api-src/org/labkey/api/ldk/security/DataAdminPermission.java

diff --git a/LDK/api-src/org/labkey/api/ldk/buttons/ShowBulkEditButton.java b/LDK/api-src/org/labkey/api/ldk/buttons/ShowBulkEditButton.java
index 6b8542f4..de409f7e 100644
--- a/LDK/api-src/org/labkey/api/ldk/buttons/ShowBulkEditButton.java
+++ b/LDK/api-src/org/labkey/api/ldk/buttons/ShowBulkEditButton.java
@@ -19,6 +19,7 @@
 import org.labkey.api.module.Module;
 import org.labkey.api.query.DetailsURL;
 import org.labkey.api.security.permissions.AdminPermission;
+import org.labkey.api.security.permissions.Permission;
 
 /**
  * User: bimber
@@ -31,8 +32,13 @@ public class ShowBulkEditButton extends SimpleButtonConfigFactory
     protected String _queryName;
 
     public ShowBulkEditButton(Module owner, String schemaName, String queryName)
+    {
+        this(owner, schemaName, queryName, AdminPermission.class);
+    }
+
+    public ShowBulkEditButton(Module owner, String schemaName, String queryName, Class<? extends Permission> permission)
     {
         super(owner, "Bulk Edit", DetailsURL.fromString("/ldk/apiBulkEdit.view?schemaName=" + schemaName + "&queryName=" + queryName));
-        setPermission(AdminPermission.class);
+        setPermission(permission);
     }
 }
diff --git a/LDK/api-src/org/labkey/api/ldk/security/DataAdminPermission.java b/LDK/api-src/org/labkey/api/ldk/security/DataAdminPermission.java
new file mode 100644
index 00000000..b2a94600
--- /dev/null
+++ b/LDK/api-src/org/labkey/api/ldk/security/DataAdminPermission.java
@@ -0,0 +1,10 @@
+package org.labkey.api.ldk.security;
+
+import org.labkey.api.security.permissions.AbstractPermission;
+
+public class DataAdminPermission extends AbstractPermission
+{
+    public DataAdminPermission() {
+        super("DataAdminPermission", "Required for certain operations involving large-scale management of data");
+    }
+}
\ No newline at end of file
diff --git a/LDK/resources/views/apiBulkEdit.view.xml b/LDK/resources/views/apiBulkEdit.view.xml
index 8bf30bd4..38b3864c 100644
--- a/LDK/resources/views/apiBulkEdit.view.xml
+++ b/LDK/resources/views/apiBulkEdit.view.xml
@@ -1,6 +1,6 @@
 <view xmlns="http://labkey.org/data/xml/view" title="Bulk Edit Using Client API">
     <requiresPermissions>
-        <permissionClass name="org.labkey.api.security.permissions.AdminPermission"/>
+        <permissionClass name="org.labkey.api.ldk.security.DataAdminPermission"/>
     </requiresPermissions>
     <dependencies>
         <dependency path="ldk.context"/>
diff --git a/laboratory/src/org/labkey/laboratory/LaboratoryModule.java b/laboratory/src/org/labkey/laboratory/LaboratoryModule.java
index 99354f28..2835dcf2 100644
--- a/laboratory/src/org/labkey/laboratory/LaboratoryModule.java
+++ b/laboratory/src/org/labkey/laboratory/LaboratoryModule.java
@@ -196,7 +196,7 @@ protected void doStartupAfterSpringConfig(ModuleContext moduleContext)
         btn4.setPermission(UpdatePermission.class);
         LDKService.get().registerQueryButton(btn4, LaboratoryModule.SCHEMA_NAME, LaboratorySchema.TABLE_SAMPLES);
 
-        LDKService.get().registerQueryButton(new ShowBulkEditButton(this, LaboratoryModule.SCHEMA_NAME, LaboratorySchema.TABLE_SAMPLES), LaboratoryModule.SCHEMA_NAME, LaboratorySchema.TABLE_SAMPLES);
+        LDKService.get().registerQueryButton(new ShowBulkEditButton(this, LaboratoryModule.SCHEMA_NAME, LaboratorySchema.TABLE_SAMPLES, LaboratoryAdminPermission.class), LaboratoryModule.SCHEMA_NAME, LaboratorySchema.TABLE_SAMPLES);
 
         SimpleButtonConfigFactory btn5 = new SimpleButtonConfigFactory(this, "Manage Freezers", DetailsURL.fromString("/query/executeQuery.view?schemaName=laboratory&query.queryName=freezers"));
         btn5.setPermission(LaboratoryAdminPermission.class);
diff --git a/laboratory/src/org/labkey/laboratory/security/LaboratoryAdminRole.java b/laboratory/src/org/labkey/laboratory/security/LaboratoryAdminRole.java
index 082a0ab1..5d9260eb 100644
--- a/laboratory/src/org/labkey/laboratory/security/LaboratoryAdminRole.java
+++ b/laboratory/src/org/labkey/laboratory/security/LaboratoryAdminRole.java
@@ -1,6 +1,7 @@
 package org.labkey.laboratory.security;
 
 import org.labkey.api.laboratory.security.LaboratoryAdminPermission;
+import org.labkey.api.ldk.security.DataAdminPermission;
 import org.labkey.api.security.permissions.DeletePermission;
 import org.labkey.api.security.permissions.InsertPermission;
 import org.labkey.api.security.permissions.ReadPermission;
@@ -21,6 +22,7 @@ public LaboratoryAdminRole()
                 InsertPermission.class,
                 UpdatePermission.class,
                 DeletePermission.class,
+                DataAdminPermission.class,
                 LaboratoryAdminPermission.class
         );
     }

From 89920653514d511c74d523280b99490a2f2d1ebe Mon Sep 17 00:00:00 2001
From: bbimber <bbimber@gmail.com>
Date: Mon, 12 Jan 2026 05:56:41 -0800
Subject: [PATCH 2/3] Expand test coverage over button permissions (#55)

* Expand test coverage over button permissions
---
 .../ldk/table/SimpleButtonConfigFactory.java  | 12 +++++++++-
 .../ldk/query/DefaultTableCustomizer.java     |  5 ++++
 .../external/labModules/LabModulesTest.java   | 23 +++++++++++++++++++
 3 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/LDK/api-src/org/labkey/api/ldk/table/SimpleButtonConfigFactory.java b/LDK/api-src/org/labkey/api/ldk/table/SimpleButtonConfigFactory.java
index 9e6b332a..2ef837de 100644
--- a/LDK/api-src/org/labkey/api/ldk/table/SimpleButtonConfigFactory.java
+++ b/LDK/api-src/org/labkey/api/ldk/table/SimpleButtonConfigFactory.java
@@ -125,7 +125,17 @@ protected String getJsHandler(TableInfo ti)
     @Override
     public boolean isAvailable(TableInfo ti)
     {
-        return _owner == null || ti.getUserSchema().getContainer().getActiveModules().contains(_owner);
+        if (_owner != null && !ti.getUserSchema().getContainer().getActiveModules().contains(_owner))
+        {
+            return false;
+        }
+
+        if (_permission != null && !ti.getUserSchema().getContainer().hasPermission(ti.getUserSchema().getUser(), _permission))
+        {
+            return false;
+        }
+
+        return true;
     }
 
     @Override
diff --git a/LDK/src/org/labkey/ldk/query/DefaultTableCustomizer.java b/LDK/src/org/labkey/ldk/query/DefaultTableCustomizer.java
index 2b16fa5b..fab0c124 100644
--- a/LDK/src/org/labkey/ldk/query/DefaultTableCustomizer.java
+++ b/LDK/src/org/labkey/ldk/query/DefaultTableCustomizer.java
@@ -469,6 +469,11 @@ private static boolean configureMoreActionsBtn(TableInfo ti, List<ButtonConfigFa
         for (ButtonConfigFactory fact : buttons)
         {
             NavTree newButton = fact.create(ti);
+            if (!fact.isAvailable(ti) || !fact.isVisible(ti))
+            {
+                continue;
+            }
+
             if (!btnNameMap.containsKey(newButton.getText()))
             {
                 btnNameMap.put(newButton.getText(), newButton);
diff --git a/LDK/test/src/org/labkey/test/tests/external/labModules/LabModulesTest.java b/LDK/test/src/org/labkey/test/tests/external/labModules/LabModulesTest.java
index e51aa912..e367882e 100644
--- a/LDK/test/src/org/labkey/test/tests/external/labModules/LabModulesTest.java
+++ b/LDK/test/src/org/labkey/test/tests/external/labModules/LabModulesTest.java
@@ -240,6 +240,8 @@ public void testSteps() throws Exception
         urlGenerationTest();
         peptideTableTest();
         searchPanelTest();
+
+        testButtonPermissions();
     }
 
     protected void setUpTest() throws Exception
@@ -1877,4 +1879,25 @@ public void checkViews()
         //the module contains an R report tied to a specific assay name, so view check fails when an assay of that name isnt present
         //when module-based assays can supply reports this should be corrected
     }
+
+    protected void testButtonPermissions() throws Exception
+    {
+        goToProjectHome();
+        _helper.clickNavPanelItem("Samples:", "Browse All");
+
+        DataRegionTable dr = new DataRegionTable("query", this);
+        dr.checkAllOnPage();
+
+        dr.clickHeaderButton("More Actions");
+        assertElementPresent(Locator.tagWithText("a", "Bulk Edit"));
+
+        impersonateRole("Editor");
+        refresh();
+
+        dr = new DataRegionTable("query", this);
+        dr.checkAllOnPage();
+
+        dr.clickHeaderButton("More Actions");
+        assertElementNotPresent(Locator.tagWithText("a", "Bulk Edit"));
+    }
 }

From 3fa6f25bf4bb7d9888db24ec83e7911c7619e007 Mon Sep 17 00:00:00 2001
From: bbimber <bbimber@gmail.com>
Date: Mon, 12 Jan 2026 05:58:50 -0800
Subject: [PATCH 3/3] Stop impersonation in test

---
 .../labkey/test/tests/external/labModules/LabModulesTest.java   | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/LDK/test/src/org/labkey/test/tests/external/labModules/LabModulesTest.java b/LDK/test/src/org/labkey/test/tests/external/labModules/LabModulesTest.java
index e367882e..393f9b3e 100644
--- a/LDK/test/src/org/labkey/test/tests/external/labModules/LabModulesTest.java
+++ b/LDK/test/src/org/labkey/test/tests/external/labModules/LabModulesTest.java
@@ -1899,5 +1899,7 @@ protected void testButtonPermissions() throws Exception
 
         dr.clickHeaderButton("More Actions");
         assertElementNotPresent(Locator.tagWithText("a", "Bulk Edit"));
+
+        stopImpersonating();
     }
 }