Skip to content

feat(security): Gate course, instructor, and admin URL prefixes by role#96

Merged
ebouchut merged 1 commit into
devfrom
feat/course-security-foundation
Jul 13, 2026
Merged

feat(security): Gate course, instructor, and admin URL prefixes by role#96
ebouchut merged 1 commit into
devfrom
feat/course-security-foundation

Conversation

@ebouchut

@ebouchut ebouchut commented Jul 13, 2026

Copy link
Copy Markdown
Owner

Phase 1 of the course management by role plan:

  • SecurityConfig: /instructor/** requires ROLE_INSTRUCTOR, /admin/**
    requires ROLE_ADMIN, /courses/** requires authentication; method
    security enabled for upcoming service-level ownership rules; the
    ERROR dispatch is permitted so the error templates can render.
  • Styled error pages (403, 404, 500) on the shared layout with the
    RGAA wiring, replacing the Whitelabel fallback.
  • Role-aware navigation: Instructor and Admin entries appear only for
    their roles, with the aria-current wiring of the existing entries.
  • SecurityMatrixTest: access matrix per role and prefix (anonymous is
    redirected to login, wrong role gets 403, right role passes the
    gate); gate-pass asserts 404 until each controller phase lands.

Verified in the browser: anonymous /courses redirects to login, a
student gets the styled 403 on /instructor/courses, the Instructor nav
entry appears once the role is granted, and axe (WCAG 2.1 A/AA and
best-practice rules) reports zero violations on the 403 and 404 pages
(the flagged brand mark is a logotype, exempt under WCAG 1.4.3).


This is part 1 of 2 in a stack made with GitButler:

Phase 1 of the course management by role plan:

- SecurityConfig: /instructor/** requires ROLE_INSTRUCTOR, /admin/**
  requires ROLE_ADMIN, /courses/** requires authentication; method
  security enabled for upcoming service-level ownership rules; the
  ERROR dispatch is permitted so the error templates can render.
- Styled error pages (403, 404, 500) on the shared layout with the
  RGAA wiring, replacing the Whitelabel fallback.
- Role-aware navigation: Instructor and Admin entries appear only for
  their roles, with the aria-current wiring of the existing entries.
- SecurityMatrixTest: access matrix per role and prefix (anonymous is
  redirected to login, wrong role gets 403, right role passes the
  gate); gate-pass asserts 404 until each controller phase lands.

Verified in the browser: anonymous /courses redirects to login, a
student gets the styled 403 on /instructor/courses, the Instructor nav
entry appears once the role is granted, and axe (WCAG 2.1 A/AA and
best-practice rules) reports zero violations on the 403 and 404 pages
(the flagged brand mark is a logotype, exempt under WCAG 1.4.3).
@codecov

codecov Bot commented Jul 13, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.60%. Comparing base (e51af41) to head (b4e9bba).

Additional details and impacted files
@@             Coverage Diff              @@
##                dev      #96      +/-   ##
============================================
+ Coverage     81.30%   81.60%   +0.29%     
  Complexity       62       62              
============================================
  Files            23       23              
  Lines           246      250       +4     
  Branches         13       13              
============================================
+ Hits            200      204       +4     
  Misses           32       32              
  Partials         14       14              

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@ebouchut ebouchut merged commit a4833bd into dev Jul 13, 2026
7 checks passed
@ebouchut ebouchut deleted the feat/course-security-foundation branch July 13, 2026 09:38
@ebouchut ebouchut self-assigned this Jul 13, 2026
@ebouchut ebouchut added documentation Improvements or additions to documentation backend accessibility Accessibility (RGAA, WCAG) labels Jul 13, 2026
@ebouchut ebouchut moved this from Done to In Progress in learn-dev-project Jul 13, 2026
@ebouchut ebouchut added frontend auth Authentication & authorization (login, sessions, password reset, tokens) labels Jul 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

accessibility Accessibility (RGAA, WCAG) auth Authentication & authorization (login, sessions, password reset, tokens) backend documentation Improvements or additions to documentation frontend

Projects

Status: In Progress

Development

Successfully merging this pull request may close these issues.

1 participant