
feat(ui): allow non-owner users to authorize on accessible OAuth gateways #3935

Open
kimsehwan96 wants to merge 3 commits into IBM:main from kimsehwan96:feat/authorize-non-owner-access


@kimsehwan96 kimsehwan96 commented Mar 31, 2026

🔗 Related Issue

Closes #3934


📝 Summary

Non-owner team members and public gateway users cannot see the "🔐 Authorize" button on OAuth gateways, preventing them from completing the OAuth flow. The backend already stores tokens per-user (oauth_tokens.app_user_email), so this is purely a UI visibility fix.

  • Add can_authorize template variable (broader than can_modify) for Authorize/Fetch Tools buttons
  • Keep can_modify for Edit/Deactivate/Delete (unchanged)

🏷️ Type of Change

  • Bug fix
  • Feature / Enhancement
  • Documentation
  • Refactor
  • Chore (deps, CI, tooling)
  • Other (describe below)

🧪 Verification

| Check | Command | Status |
|---|---|---|
| Lint suite | make lint | pass |
| Unit tests | make test | pass |
| Coverage ≥ 80% | make coverage | |

✅ Checklist

  • Code formatted (make black isort pre-commit)
  • Tests added/updated for changes
  • Documentation updated (if applicable)
  • No secrets or credentials committed

📓 Notes (optional)

Changed files:

  • gateways_partial.html: 1 line added + 1 line modified
  • test_admin.py: 5 tests added (2 positive, 2 regression, 1 negative)

Visibility logic:

  ┌─────────────────────────────────┬───────────┬─────────────┐
  │            User type            │ Authorize │ Edit/Delete │
  ├─────────────────────────────────┼───────────┼─────────────┤
  │ Admin                           │    ✅     │     ✅      │
  ├─────────────────────────────────┼───────────┼─────────────┤
  │ Gateway owner                   │    ✅     │     ✅      │
  ├─────────────────────────────────┼───────────┼─────────────┤
  │ Team member (non-gateway-owner) │    ✅     │     ❌      │
  ├─────────────────────────────────┼───────────┼─────────────┤
  │ Any user (public gw)            │    ✅     │     ❌      │
  ├─────────────────────────────────┼───────────┼─────────────┤
  │ Non-member (team gw)            │    ❌     │     ❌      │
  └─────────────────────────────────┴───────────┴─────────────┘

Screenshot as team member but not the mcp owner.

[Image: Screenshot 2026-03-31 AM 11 30 46]

(AWS Docs MCP set as no auth type)

E2E Verification (manual):

  • Built and deployed from this commit to a live K8s cluster
  • Tested as a team member who is not the gateway owner
  • Confirmed Authorize button is visible and OAuth flow completes successfully
  • As team owner: authorization, tool fetch, and tool invocation all work with the user's own token
  • As team member: authorization works, but tool fetch/invocation is blocked due to missing tools.execute permission (pending feat(rbac): add tools.execute permission to team-scoped viewer role #3882)


@marekdano marekdano left a comment


@kimsehwan96 - thanks for your contribution!!!

Summary

Fixes a UI gap where non-owner team members and users of public gateways could not see the "Authorize" button on OAuth gateways, even though the backend already stores tokens per user. The change is clean and minimal — one new Jinja variable, one guarded block updated — with solid test coverage.

Findings

  • tests/unit/mcpgateway/test_admin.py:19151 — Test coverage gap in existing test

    The existing test_gateways_hides_buttons_for_non_owner uses authType: "none", so it doesn't exercise the OAuth path for a non-owner. Low risk since Authorize is gated on authType == 'oauth', but there's a small gap in the negative-case matrix. Worth adding a case with authType: "oauth" and a non-owner to confirm the Authorize link is absent when it should be (e.g. a non-member on a team gateway).

  • fix pre-commit check for .secrets.baseline issue

Notes (no action required)

  • The five new tests cover the matrix well: two positive (team member, public gateway), two regression (owner, admin), one negative (non-member). Good shape.
  • The can_authorize logic — can_modify OR public OR team-member — is correct and the short-circuit order is sound.
  • Template-only change; the OAuth endpoint at /oauth/authorize/{gateway_id} retains responsibility for backend authorization enforcement.
  • No linter issues observed in the patch.
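
Added example, not code from this PR or from the project: a minimal Python model of the can_authorize / can_modify split and the visibility table in the PR description, with the same predicate re-checked on the server side before a per-user token is stored. The `User`, `Gateway`, `store_token` and `matrix` names, the field names, the "public"/"team" visibility values and the sample e-mail addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    email: str
    is_admin: bool = False
    team_ids: frozenset = frozenset()


@dataclass(frozen=True)
class Gateway:
    id: str
    owner_email: str
    visibility: str                 # "public" or "team" (assumed values)
    team_id: Optional[str] = None
    auth_type: str = "oauth"


def can_modify(user, gw):
    """Owner or admin only: gates Edit/Deactivate/Delete."""
    return user.is_admin or user.email == gw.owner_email


def can_authorize(user, gw):
    """can_modify OR public OR team-member, as the PR describes it."""
    return (can_modify(user, gw)
            or gw.visibility == "public"
            or (gw.team_id is not None and gw.team_id in user.team_ids))


def store_token(tokens, user, gw, token):
    """Handler-side guard: a hidden button is not an access check."""
    if gw.auth_type != "oauth" or not can_authorize(user, gw):
        raise PermissionError(f"{user.email} may not authorize on {gw.id}")
    # Keyed per user, so one member's token never replaces another's.
    tokens[(gw.id, user.email)] = token


def matrix():
    """The PR's visibility table as {user type: (authorize, edit/delete)}."""
    team_gw = Gateway("gw-team", "owner@example.com", "team", team_id="t1")
    pub_gw = Gateway("gw-pub", "owner@example.com", "public")
    cases = {  # constructed sample users
        "admin": (User("admin@example.com", is_admin=True), team_gw),
        "owner": (User("owner@example.com", team_ids=frozenset({"t1"})), team_gw),
        "team member": (User("member@example.com", team_ids=frozenset({"t1"})), team_gw),
        "any user (public gw)": (User("anyone@example.com"), pub_gw),
        "non-member (team gw)": (User("outsider@example.com"), team_gw),
    }
    return {k: (can_authorize(u, g), can_modify(u, g)) for k, (u, g) in cases.items()}
```
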

@kimsehwan96 kimsehwan96 force-pushed the feat/authorize-non-owner-access branch from 4409ef1 to f25b9d5 Compare April 10, 2026 13:36
marekdano previously approved these changes Apr 10, 2026

@marekdano marekdano left a comment


Summary

This is a clean, well-tested UI fix that correctly broadens OAuth authorization button visibility to team members and public gateway users while maintaining proper access control for destructive operations.


What Changed

Template Change (gateways_partial.html)

  • Added can_authorize variable: can_modify OR public OR team-member
  • Changed Authorize button condition from can_modify to can_authorize
  • Edit/Delete/Deactivate remain gated by can_modify (unchanged)

Test Coverage (test_admin.py)

  • ✅ 5 new OAuth-specific tests added
  • ✅ Covers positive cases (team member, public gateway)
  • ✅ Covers regression cases (owner, admin)
  • ✅ Covers negative case (non-member on team gateway)

Security Analysis

No Security Concerns:

  • Template-only change, no backend logic modified
  • Destructive operations (Edit/Delete) remain properly gated
  • OAuth authorization is a per-user operation (not destructive)
  • Backend token storage is already per-user (oauth_tokens.app_user_email)
  • Non-members correctly blocked from team gateways

LGTM 🚀

@marekdano marekdano added the release-fix (Critical bugfix required for the release) and ui (User Interface) labels Apr 10, 2026

kimsehwan96 commented Apr 10, 2026

Thanks! @marekdano

I can rebase and resolve the .secrets.baseline conflict, but it will likely conflict again as other PRs get merged (the baseline shifts with every line-number change in test files).

Feel free to rebase this branch right before merging it.

@gcgoncalves gcgoncalves force-pushed the feat/authorize-non-owner-access branch 2 times, most recently from ec3a792 to 29afb76 Compare April 13, 2026 10:08
@gcgoncalves

@marekdano Rebased and got through CI.

@gcgoncalves gcgoncalves requested a review from marekdano April 13, 2026 10:20
marekdano previously approved these changes Apr 13, 2026

@marekdano marekdano left a comment


LGTM 🚀

marekdano previously approved these changes Apr 14, 2026
kimsehwan96 and others added 3 commits April 16, 2026 15:14
…ways

Non-owner team members and public gateway users could not see the
Authorize button, preventing them from completing the OAuth flow and
storing their own tokens. The backend already supports per-user OAuth
tokens (keyed by gateway_id + app_user_email), but the UI gated the
Authorize button behind can_modify which requires owner/admin status.

Introduce can_authorize — a broader visibility check that includes
team members and public gateway users — and apply it to the Authorize
and Fetch Tools buttons while keeping Edit/Deactivate/Delete behind
can_modify.

Closes: IBM#3934

Signed-off-by: kimsehwan96 <sktpghks138@gmail.com>
Signed-off-by: kimsehwan96 <sktpghks138@gmail.com>
Signed-off-by: Gabriel Costa <gabrielcg@proton.me>

Development

Successfully merging this pull request may close these issues.

[FEATURE][AUTH]: Allow non-owner users to initiate OAuth authorization on accessible gateways
