#17753: fix: Control UI unusable over HTTP - missing scopes
app: web-ui
stale
size: XS
trusted-contributor
Cluster: Device Pairing and Gateway Fixes
## Summary
Fixed Control UI scope issues that made it unusable over HTTP:
- Added missing operator.read and operator.write scopes to the Control UI scope list
Note: The gateway scope-clearing fix (checking allowControlUiBypass) is already present in the source code at `src/gateway/server/ws-connection/message-handler.ts` but the dist files are outdated and need rebuilding.
## Changes
- Added operator.read and operator.write to the hardcoded scope list in Control UI (`ui/src/ui/gateway.ts`)
## Testing
- Verified the fix adds the missing scopes that were causing node.list, chat.history, and other RPC calls to fail with "missing scope: operator.read" errors
Fixes openclaw/openclaw#17750
### Greptile Summary
Added missing `operator.read` and `operator.write` scopes to the Control UI's hardcoded scope list in `ui/src/ui/gateway.ts`. This fixes Control UI failures over HTTP when using bypass modes (`allowInsecureAuth` or `dangerouslyDisableDeviceAuth`) where the gateway preserves requested scopes but the UI was only requesting `["operator.admin", "operator.approvals", "operator.pairing"]`.
The gateway's scope preservation logic for Control UI bypass modes (at `src/gateway/server/ws-connection/message-handler.ts:430`) was already correct, but the Control UI frontend was missing the necessary scopes to call read methods like `node.list` and `chat.history` (which require `operator.read` per `src/gateway/server-methods.ts:76,78,126-127`) and write methods like `chat.send` (which require `operator.write` per `src/gateway/server-methods.ts:94,129-130`).
### Confidence Score: 5/5
- This PR is safe to merge with minimal risk
- The change is a straightforward addition of two missing scopes to an array that matches the authorization requirements defined in the gateway's server-methods.ts. The fix directly addresses the root cause of the reported issue where Control UI RPC calls were failing with "missing scope: operator.read" errors over HTTP. The change is minimal, well-understood, and aligns with existing patterns used in other clients (iOS app requests the same scopes at `apps/ios/Sources/Model/NodeAppModel.swift:1753`)
- No files require special attention
<sub>Last reviewed commit: a01b6c0</sub>
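
The mismatch described above, as an added TypeScript example that is not code from the openclaw repository: it audits the scopes a client requests against the scopes its RPC calls require. The method-to-scope pairs and both scope lists come from this page; the names `auditClientScopes`, `REQUIRED_SCOPE` and `ScopeAudit`, and the flat membership check (no scope hierarchy), are assumptions.

```typescript
// Added illustration, not code from the openclaw repository.
// Method -> scope pairs are the ones named on this page (a partial table).
// Assumption: flat membership check, so operator.admin implies nothing else.
const REQUIRED_SCOPE: Record<string, string> = {
  "node.list": "operator.read",
  "chat.history": "operator.read",
  "chat.send": "operator.write",
};

interface ScopeAudit {
  denied: Record<string, string>; // method -> scope the client never requested
  missing: string[]; // scopes to add to the client's connect request
  unused: string[]; // requested, but needed by none of the audited methods
  unknown: string[]; // methods absent from the table
}

// Compare the scopes a client requests at connect time with the scopes
// required by the RPC methods it calls.
function auditClientScopes(requested: string[], methods: string[]): ScopeAudit {
  const audit: ScopeAudit = { denied: {}, missing: [], unused: [], unknown: [] };
  const needed: string[] = [];
  for (const method of methods) {
    // Own-property test so names like "toString" never resolve via the prototype.
    const scope = Object.prototype.hasOwnProperty.call(REQUIRED_SCOPE, method)
      ? REQUIRED_SCOPE[method]
      : undefined;
    if (scope === undefined) {
      audit.unknown.push(method); // fail closed: report it, never treat as allowed
      continue;
    }
    if (needed.indexOf(scope) === -1) needed.push(scope);
    if (requested.indexOf(scope) === -1) {
      audit.denied[method] = scope;
      if (audit.missing.indexOf(scope) === -1) audit.missing.push(scope);
    }
  }
  audit.missing.sort();
  audit.unused = requested.filter((s) => needed.indexOf(s) === -1);
  return audit;
}

// Scope lists before and after this PR, as described on the page.
const UI_SCOPES_BEFORE = ["operator.admin", "operator.approvals", "operator.pairing"];
const UI_SCOPES_AFTER = UI_SCOPES_BEFORE.concat(["operator.read", "operator.write"]);
const UI_METHODS = ["node.list", "chat.history", "chat.send"];

console.log("before:", auditClientScopes(UI_SCOPES_BEFORE, UI_METHODS));
console.log("after:", auditClientScopes(UI_SCOPES_AFTER, UI_METHODS));
```

The `unused` list is relative to the three audited methods only, so it marks scopes to review rather than scopes that are safe to drop.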
## Most Similar PRs
- #20089: fix(gateway): preserve control-ui scopes when dangerouslyDisableDev... (by vashkartik · 2026-02-18, 88.6%)
- #17127: fix(webchat): include operator.read and operator.write in connect s... (by brandonwise · 2026-02-15, 85.9%)
- #17195: fix: Add operator.read/write scopes to Dashboard auto-pairing (by MisterGuy420 · 2026-02-15, 85.4%)
- #17605: fix: preserve scopes when disableControlUiDeviceAuth is enabled (by MisterGuy420 · 2026-02-16, 85.1%)
- #21622: fix(gateway): include read/write in CLI default operator scopes (by zerone0x · 2026-02-20, 82.7%)
- #17572: fix: make dangerouslyDisableDeviceAuth bypass device identity checks (by gitwithuli · 2026-02-15, 82.7%)
- #12802: fix(gateway): default unscoped operator connections to read-only (by yubrew · 2026-02-09, 81.6%)
- #17205: fix: enforce full operator scopes for Control UI and Webchat auto-p... (by Limitless2023 · 2026-02-15, 81.1%)
- #22583: fix(gateway): add operator.write to scope hierarchy (#22574) (by lailoo · 2026-02-21, 80.6%)
- #21476: fix(cli): include operator.read in default CLI scopes (by heyrtl · 2026-02-20, 80.2%)