[Security Solution][Bug] An inappropriate error message is shown on deleting added notes when user is having READ permission

[divyaaghi-qasource]

Describe the bug:
Delete button is clickable for deleting the added notes with READ permission. Moreover an inappropriate error message is shown on deleting added notes when user is having READ permission

Kibana/Elasticsearch Stack version:

VERSION: 9.3.0

BUILD: 94544

COMMIT: bf8c75b853e390db94045bdc41c8fc553ac848b9

Pre Conditions:
1.Kibana v9.3.0 snapshot must be present.
2. Some notes must be added.
3.User must have only READ permission for Notes.

Steps to reproduce:

1.Login with the user created.
2.Navigate to More>Investigations>Notes
3.Select the note added.
4.Click on Bulk actions>Delete selected note.
5.Observe that delete button is clickable
6.On clicking, an inappropriate error message is shown on deleting added notes when user is having READ permission

Current behavior:
Delete button is clickable for deleting the added notes with READ permission. Moreover an inappropriate error message is shown on deleting added notes when user is having READ permission

Expected behavior:
Delete button should not be clickable for deleting the added notes with READ permission and a user friendly error message should be shown on deleting added notes when user is having READ permission

Screenshots (if relevant):

Screen recording:

Notes.-.Kibana.-.Google.Chrome.2025-12-15.13-08-09.mp4

[elasticmachine]

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[divyaaghi-qasource]

Suggestion to address the issue:

Version: Copilot- GPT-4.1:

---

Summary of changes

• Add a small hook that exposes whether the current user can delete notes.
• Use that hook to disable the Delete action in the Notes bulk actions UI (and show a tooltip explaining why).
• Improve error handling in the delete-notes flow to detect 403/forbidden and show a friendly toast message instead of an unhelpful error.

Files to add/modify

• x-pack/plugins/security_solution/public/common/hooks/use_notes_permissions.ts
• x-pack/plugins/security_solution/public/timelines/components/actions/bulk_actions.tsx
• x-pack/plugins/security_solution/public/timelines/components/actions/use_delete_notes.ts

Notes on paths and adjustments

• The exact import paths and capability keys may differ in the repository (capabilities may live under a different namespace).
• If the plugin uses a central privileges hook (e.g., useUserPrivileges or useKibana().services.application.capabilities.), adapt the capability checks in use_notes_permissions.ts to match the app's actual capability keys.
• Replace any placeholder names (notesApiClient, actual file/component names, or relative import paths) to match the real code in your repo.
• The three shown files are representative and intended to be placed near the existing Notes/timeline components in security_solution.

Why this fixes the bug

Disables the UI affordance (Delete selected) for users who do not have delete rights, fulfilling the expected UX behavior.
Handles permission errors returned by the server and shows a clear, actionable message rather than a generic or confusing error.

Testing steps

Build the plugin and run Kibana with these changes.
Create or log in as a user who has READ-only permission for Notes.
Navigate to More > Investigations > Notes (or the exact page).
Select a note and open Bulk actions.

Expected: "Delete selected" is disabled and has a tooltip "You do not have permission to delete notes".

(Optional) If you try to directly invoke the delete API (or if UI somehow still calls it), the UI should show a friendly toast:
Title: "Unable to delete note(s)"
Body: "You do not have permission to delete notes. Contact your administrator."
Re-run the same scenario with a user who has delete privileges to confirm normal behavior.

Additional suggestions

If you have a centralized privilege/roles service (e.g., a single hook that returns many privileges), add canDelete to that service instead of a new hook to avoid duplication.

Add unit tests to ensure:

When canDelete === false, Delete menu item is disabled and tooltip content appears.
When the delete API returns 403, the permission toast is shown.

---

[divyaaghi-qasource]

@chetnarajput-qasource Kindly review!

[chetnarajput-qasource]

Reviewed and assigned to @vgomez-el