diff --git a/Components/Layout/MainLayout.razor b/Components/Layout/MainLayout.razor
index b51fd15..94966aa 100644
--- a/Components/Layout/MainLayout.razor
+++ b/Components/Layout/MainLayout.razor
@@ -226,8 +226,8 @@
}
// If profile selected but no credentials → show modal (cert profiles never prompt)
- if (Session.HasProfile && !_hasCredentials && !CurrentProfileUsesCert && _credModal is not null)
- await _credModal.ShowAsync();
+ if (ShouldPromptForCredentials)
+ await _credModal!.ShowAsync();
}
// True when the selected profile authenticates app-only via a stored certificate —
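Review bot: The `_credModal!.ShowAsync()` call is only safe because `ShouldPromptForCredentials` happens to end with `_credModal is not null`, so the null-forgiving operator hides a dependency the compiler can no longer check. If that clause is ever dropped or reordered in the property, this line throws a NullReferenceException during profile selection. I would keep the null test at the call site, `if (ShouldPromptForCredentials && _credModal is { } modal) await modal.ShowAsync();`, and remove it from the property. The same pattern is repeated in the profile-changed handler in the `@@ -320,8 +329,9 @@` hunk. The enclosing method starts outside this hunk.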
@@ -235,6 +235,15 @@
private bool CurrentProfileUsesCert =>
Session.CurrentProfile is { } p && AppOnly.IsConfigured(p);
+ // Whether to auto-show the delegated sign-in modal. Only admins are ever asked to
+ // authenticate: standard technicians (TechN0/TechN1) operate under the profile's app
+ // (certificate) identity and must never be prompted when selecting a profile. A profile
+ // that isn't cert-configured is an admin setup concern, not a sign-in for the technician.
+ private bool ShouldPromptForCredentials =>
+ Session.HasProfile && !_hasCredentials && !CurrentProfileUsesCert
+ && UserContext.Role == UserRole.Admin
+ && _credModal is not null;
+
private async Task HandleOAuthCallbackAsync()
{
var uri = new Uri(Nav.Uri);
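Review bot: The `UserContext.Role == UserRole.Admin` test in `ShouldPromptForCredentials` only controls whether the modal opens automatically; it does not enforce the rule in the comment that technicians never authenticate with delegated credentials. If that rule is a security requirement, the same role check belongs where delegated credentials are accepted and stored, presumably `HandleOAuthCallbackAsync` directly below, whose body is outside this hunk, and any other way of opening the modal. A technician who selects a profile that is not cert-configured now gets neither credentials nor a prompt, so confirm that later operations fail closed with a clear message rather than running in an undefined state. I would also add a line to the comment such as `// UI convenience only: non-admin delegated sign-in must also be rejected where credentials are accepted.`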
@@ -320,8 +329,9 @@
// operating on the old connection.
await RefreshCredentialState();
// New profile selected and no valid credentials for it → prompt to connect.
- if (Session.HasProfile && !_hasCredentials && _credModal is not null)
- await _credModal.ShowAsync();
+ // Standard technicians are never prompted (see ShouldPromptForCredentials).
+ if (ShouldPromptForCredentials)
+ await _credModal!.ShowAsync();
});
}
diff --git a/Components/Pages/Profiles.razor b/Components/Pages/Profiles.razor
index cf665fb..45af55b 100644
--- a/Components/Pages/Profiles.razor
+++ b/Components/Pages/Profiles.razor
@@ -79,6 +79,13 @@
{
@T["profiles.active"]
}
+ @if (!AppOnlyFactory.IsConfigured(p))
+ {
+
+ ⚠ No shared access
+
+ }