hashicorp · hashishaw · Mar 7, 2024 · Mar 5, 2024
diff --git a/changelog/25766.txt b/changelog/25766.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ui: call resultant-acl without namespace header when user mounted at root namespace
+```
diff --git a/ui/app/adapters/permissions.js b/ui/app/adapters/permissions.js
@@ -7,7 +7,7 @@ import ApplicationAdapter from './application';
 
 export default ApplicationAdapter.extend({
   query() {
-    const namespace = this.namespaceService.userRootNamespace || this.namespaceService.path;
+    const namespace = this.namespaceService.userRootNamespace ?? this.namespaceService.path;
     return this.ajax(this.urlForQuery(), 'GET', { namespace });
   },
 

diff --git a/ui/tests/unit/adapters/permissions-test.js b/ui/tests/unit/adapters/permissions-test.js
@@ -34,4 +34,29 @@ module('Unit | Adapter | permissions', function (hooks) {
     });
     await adapter.query();
   });
+  test('it calls resultant-acl with the users root namespace when root', async function (assert) {
+    assert.expect(1);
+    const adapter = this.owner.lookup('adapter:permissions');
+    const nsService = this.owner.lookup('service:namespace');
+    const auth = this.owner.lookup('service:auth');
+    nsService.setNamespace('admin');
+    auth.setCluster('1');
+    auth.set('tokens', ['vault-_root_☃1']);
+    auth.setTokenData('vault-_root_☃1', { userRootNamespace: '', backend: { mountPath: 'token' } });
+
+    this.server.get('/sys/internal/ui/resultant-acl', (schema, request) => {
+      assert.false(
+        Object.keys(request.requestHeaders).includes('X-Vault-Namespace'),
+        'request is called without namespace'
+      );
+
+      return {
+        data: {
+          exact_paths: {},
+          glob_paths: {},
+        },
+      };
+    });
+    await adapter.query();
+  });
 });