@vivche
Contributor

@vivche vivche commented Dec 31, 2025

Overview

Adds a user‑facing message shown on the home page when a signed‑in user lacks required roles. Admins can set and update this message in Admin Settings; the value is persisted in Azure Cosmos DB. A stable, hard‑coded default remains in place when no admin override is set.

Purpose

  • Allow tenant admins to clarify the next steps for users who land in the app but don’t have access.
  • Keep default behavior predictable across environments (no dependency on App Service env vars).

Technical Specification

  • Default value is defined in application/single_app/functions_settings.py under default_settings['access_denied_message'].
  • Admin Settings form posts access_denied_message and persists it via update_settings() to Cosmos.
  • Home page template reads sanitized app_settings and renders the message with HTML escaping and newline‑to‑<br> conversion.

Files Touched

Usage

  • Navigate to Admin Settings.
  • Find "Access Denied Message" and enter your text.
  • Use Enter to create line breaks; they render as visible line breaks in the UI.

Limitations

  • Typed literal HTML like <br> in the Admin textarea may display as text rather than a line break.
    • Recommended: Enter the entire message without line breaks (single line).

Testing & Validation

  • Verified:
    • Hard‑coded default appears when no override exists.
    • Admin override persists to Cosmos and is used at runtime.
    • Newlines render as line breaks.
  • Known issue: literal <br> in the stored message can still display as text in some input paths.
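
The escape-then-convert rendering from the Technical Specification above, as an added example that is not code from this pull request. It uses Python's `html.escape` as a stand-in for the template's `e` filter; the function names, `DEFAULT_MESSAGE` and the sample values are hypothetical.

```python
import html
import re

# Hypothetical stand-in for default_settings['access_denied_message'].
DEFAULT_MESSAGE = (
    "You are logged in but do not have the required permissions "
    "to access this application.\nPlease contact an administrator for access."
)

# A textarea value may carry CRLF, bare CR or LF depending on the client.
_NEWLINE = re.compile(r"\r\n|\r|\n")


def render_escape_then_break(message):
    """Escape the stored text first, then insert <br> for each newline.

    Only the <br> tags added here are markup; anything the admin typed,
    including a literal <br>, is already inert character references.
    """
    text = message if message else DEFAULT_MESSAGE
    return _NEWLINE.sub("<br>", html.escape(text, quote=True))


def render_break_then_escape(message):
    """Reversed order, for comparison: the inserted <br> is escaped as
    well, so every line break shows up as visible text."""
    text = message if message else DEFAULT_MESSAGE
    return html.escape(_NEWLINE.sub("<br>", text), quote=True)


# Constructed sample values an admin might save in the textarea.
SAMPLES = {
    "multiline": "No access.\r\nContact the help desk.",
    "literal_br": "No access.<br>Contact the help desk.",
    "markup": "<script>alert(1)</script>",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:10} escape->break: {render_escape_then_break(value)}")
        print(f"{name:10} break->escape: {render_break_then_escape(value)}")
```

The `literal_br` sample shows the behaviour listed under Limitations: with escaping first, a typed `<br>` is displayed as text and only real newlines become line breaks.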

Chen, Vivien added 2 commits December 30, 2025 16:41
…sted to Cosmos DB. Default to hard-coded message.
…sted to Cosmos DB. Default to hard-coded message.
@vivche vivche force-pushed the build-from-scratch branch from 498342c to a7b07f0 Compare January 2, 2026 15:56
@Bionic711
Collaborator

@vivche Please update the default message from "Please submit a ticket to request access." to "Please contact an administrator for access."

Not all teams may use a ticketing system.

@vivche
Contributor Author

vivche commented Jan 6, 2026

> @vivche Please update the default message from "Please submit a ticket to request access." to "Please contact an administrator for access."
>
> Not all teams may use a ticketing system.

@Bionic711 Done.

@vivche vivche closed this Jan 6, 2026
@vivche vivche reopened this Jan 6, 2026
Copilot AI review requested due to automatic review settings January 30, 2026 18:51
Contributor

Copilot AI left a comment

Pull request overview

This PR introduces an admin-configurable access denied message feature that allows tenant administrators to customize the message shown to authenticated users who lack the required roles to access the application. The implementation includes a hardcoded default message in functions_settings.py, an admin UI field in the Settings page to override this message, proper persistence to Cosmos DB, and rendering on the home page with support for line breaks.

Changes:

  • Added access_denied_message setting with a default value and admin override capability
  • Implemented form field in Admin Settings for message configuration
  • Updated home page template to display the customizable message with HTML escaping and newline-to-<br> conversion

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| application/single_app/functions_settings.py | Added default access_denied_message setting with hardcoded fallback value |
| application/single_app/route_frontend_admin_settings.py | Added form data processing to persist access_denied_message from Admin Settings |
| application/single_app/templates/admin_settings.html | Added textarea field for editing the access denied message |
| application/single_app/templates/index.html | Updated to render customizable access denied message with HTML escaping and line break support |

'default_system_prompt': '',
# Access denied message shown on the home page when a signed-in user lacks required roles
# Default is hard-coded; admins can override via Admin Settings (persisted in Cosmos DB)
'access_denied_message': 'You are logged in but do not have the required permissions to access this application.\nPlease contact an administrator for access.',
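
Review bot: the two comment lines above 'access_denied_message' say where the value is stored but not how it has to be rendered. The default embeds a `\n`, and an admin override is free text that ends up in HTML, so it is worth stating here that consumers must HTML-escape the value and convert newlines themselves. That keeps any future template that shows this setting from printing it raw.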

Copilot AI Jan 30, 2026

The default message here differs from the fallback in index.html template (line 65). The index.html fallback says "Please submit a ticket to request access" while this default says "Please contact an administrator for access." This inconsistency means users will see different messages depending on whether settings exist in Cosmos DB. Either both should match, or the fallback in the template should be removed entirely to always use this default.

Suggested change
'access_denied_message': 'You are logged in but do not have the required permissions to access this application.\nPlease contact an administrator for access.',
'access_denied_message': 'You are logged in but do not have the required permissions to access this application.\nPlease submit a ticket to request access.',

<p class="lead">
You are logged in but do not have the required permissions to access this application.
Please submit a ticket to request access.
{{ (app_settings.access_denied_message or 'You are logged in but do not have the required permissions to access this application. Please submit a ticket to request access.') | e | replace('\n','<br>') | safe }}
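
Review bot: the added `{{ ... | e | replace('\n','<br>') | safe }}` line ends in `| safe`, so nothing after it escapes the output and the admin-entered text stays inert only because `| e` runs first on app_settings.access_denied_message. Add a short template comment pinning that order so a later edit does not move the `<br>` replacement ahead of the escape. The inline `or '...'` fallback also repeats the message with the "Please submit a ticket to request access." wording and no line break; dropping it leaves one default to maintain.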

Copilot AI Jan 30, 2026

The filter chain here has a potential issue with the order of operations. The current chain is: '| e | replace('\n','<br>') | safe'. This means HTML entities are escaped first (including any literal '<br>' in the text), then newlines are replaced with '<br>', then marked as safe. However, since the replacement happens after escaping, any literal '<br>' typed by the admin will be double-escaped and display as text rather than rendering as a line break. Consider using the 'nl2br' filter if available, or ensure the replacement happens before escaping.

Suggested change
{{ (app_settings.access_denied_message or 'You are logged in but do not have the required permissions to access this application. Please submit a ticket to request access.') | e | replace('\n','<br>') | safe }}
{{ (app_settings.access_denied_message or 'You are logged in but do not have the required permissions to access this application. Please submit a ticket to request access.') | e | nl2br }}
