<Settings> emits routes for pages which fail the permission check
Description
So even if (say) you don't have the necessary ui-organization.settings.key-bindings permission that causes the Settings > Organization > Key bindings link to appear, you can still go directly to http://localhost:3000/settings/organization/keys and maintain those bindings. The route should not be generated.
Worse: the component associated with the first route that is generated also becomes the default page shows for the module's settings, so when you first go to the module's settings, you will see the first-listed settings page even if you don't have permission to see it.
This is ready to release, which I am keen to do because I don't want this bug in the demo. However, I can see that has done more work since v.1.6.0, and it's not mentioned in the change-log. I've asked him to update the changelog as soon as convenient, and let me know. I will then roll the release.
So even if (say) you don't have the necessary
ui-organization.settings.key-bindingspermission that causes the Settings > Organization > Key bindings link to appear, you can still go directly to http://localhost:3000/settings/organization/keys and maintain those bindings. The route should not be generated.Worse: the component associated with the first route that is generated also becomes the default page shows for the module's settings, so when you first go to the module's settings, you will see the first-listed settings page even if you don't have permission to see it.