Required Fixes
These fixes address the gaps between the current portal behavior and the intended RBAC design documented in the Permissions Reference.
Priority Summary
| Priority | Fix ID | Description | Effort |
|---|---|---|---|
| P0 | FIX-003 | Remove delete from Editor (except own Draft) | Backend RBAC change |
| P0 | FIX-001 | Strip Editor sidebar to 3 items | Seed/role config |
| P0 | FIX-002 | Strip Reviewer sidebar to 3 items | Seed/role config |
| P1 | FIX-004 | Add Media Library to CMS Manager | Seed/role config |
| P1 | FIX-005 | Role-aware dashboard Quick Actions | Frontend conditional |
| P2 | FIX-006 | Hide Content Pages card from Editor/Reviewer | Frontend conditional |
| P2 | FIX-008 | Hide Add Vehicle card from Editor | Frontend conditional |
| P3 | FIX-007 | 403 vs 404 distinction | Frontend + middleware |
P0 — Critical
FIX-001: Remove Excessive Sidebar Items from Editor
Issue: Editor sees 10 sidebar items including Vehicles, System Configuration, and Media Library
Current sidebar:
Dashboard, Assessments, Protocols, Makes, Manufacturers, Test Requests, Lookup Tables, Child Restraints, Media Library
Correct sidebar:
Dashboard, Assessments, Protocols
Items to remove:
- Vehicles > Makes
- Vehicles > Manufacturers
- Vehicles > Manufacturer Test Requests
- System Configuration > Lookup Tables
- System Configuration > Child Restraints
- Website Manager > Media Library
Effort: Seed/role configuration change
FIX-002: Remove Excessive Sidebar Items from Reviewer
Issue: Reviewer has the same sidebar as Editor (10 items)
Current: Same 10 items as Editor
Correct: Dashboard, Assessments, Protocols (3 items)
Items to remove: Same as FIX-001. Protocols can optionally be removed (Reviewer doesn’t need protocol reference — their job is to review content, not author it). If kept, it should be read-only.
Effort: Seed/role configuration change
FIX-003: Remove Delete Button from Editor (except own Drafts)
Issue: Editor sees a trash icon on every assessment row, including Published ones
Current: Delete icon on all rows regardless of status
Correct: Delete icon only on Draft assessments owned by the current editor
Implementation:
Check: assessment.status === 'Draft' && assessment.createdBy === currentUser.id
The check decides whether the trash icon is rendered, but it must also run in the backend delete handler against the stored record; hiding the icon alone leaves the DELETE endpoint callable directly by any Editor.
Effort: Backend RBAC change
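One way to apply the FIX-003 rule on both sides, as an added example that is not the portal's own code: the predicate is shared, the UI uses it to decide whether to render the trash icon, and the delete handler re-runs it against the stored record rather than against anything the request carries. Field names follow the check above; the Map-backed store, the two editors and the three assessments are constructed for the demo, and the denial of every non-Editor role is a placeholder for whatever the Permissions Reference grants them.

```javascript
// Added example for FIX-003; this is not the portal's own code. It assumes
// assessment records carry `status` and `createdBy` and users carry `id` and
// `role`, as in the check above. The Map-backed store and the sample records
// are constructed for the demo.

const ROLE_EDITOR = 'Editor';

// FIX-003 rule: an Editor may delete only a Draft assessment they created.
// Delete rights of other roles come from the Permissions Reference, which this
// example does not reproduce; it denies them so no role gains delete by default.
function canDeleteAssessment(user, assessment) {
  if (user.role !== ROLE_EDITOR) return false;
  return assessment.status === 'Draft' && assessment.createdBy === user.id;
}

// Frontend: ids of the rows that should render the trash icon.
function rowsWithDeleteIcon(user, assessments) {
  return assessments.filter((a) => canDeleteAssessment(user, a)).map((a) => a.id);
}

// Backend: the DELETE handler re-runs the same rule against the STORED record.
// `clientClaims` stands for any status/owner fields the request body may carry;
// they are deliberately never read, so a tampered request cannot widen the rule.
function handleDelete(user, store, assessmentId, clientClaims = {}) {
  const record = store.get(assessmentId);
  if (!record) return { status: 404 };
  if (!canDeleteAssessment(user, record)) return { status: 403 };
  store.delete(assessmentId);
  return { status: 204 };
}

// Constructed sample data: two editors, three assessments.
const editorAlice = { id: 'u1', role: 'Editor' };
const editorBob = { id: 'u2', role: 'Editor' };
const SAMPLE_ASSESSMENTS = [
  { id: 'a1', status: 'Draft', createdBy: 'u1' },
  { id: 'a2', status: 'Published', createdBy: 'u1' },
  { id: 'a3', status: 'Draft', createdBy: 'u2' },
];

function newStore() {
  return new Map(SAMPLE_ASSESSMENTS.map((a) => [a.id, { ...a }]));
}

// Walks the interesting cases in order and returns the outcomes.
function demo() {
  const store = newStore();
  const aliceIcons = rowsWithDeleteIcon(editorAlice, [...store.values()]); // ['a1']
  const ownDraft = handleDelete(editorAlice, store, 'a1').status;          // 204
  const ownPublished = handleDelete(editorAlice, store, 'a2').status;      // 403
  // Bob's request claims a2 is his Draft; the stored record says otherwise.
  const tampered = handleDelete(editorBob, store, 'a2', { status: 'Draft', createdBy: 'u2' }).status; // 403
  const alreadyGone = handleDelete(editorAlice, store, 'a1').status;       // 404, deleted above
  return { aliceIcons, ownDraft, ownPublished, tampered, alreadyGone };
}

console.log(demo());
```

The point of the shared predicate is that the UI and the API cannot disagree: whatever the row rendering hides, the handler refuses for the same reason, and a request that skips the UI gets the 403 the page asks for.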
P1 — High
FIX-004: Add Media Library to CMS Manager Sidebar
Issue: CMS Manager only sees 3 items (Dashboard, Pages, Protocols CMS). Media Library is missing.
Current: 3 sidebar items
Correct: 4 sidebar items (add Media Library)
Add: Website Manager > Media Library (/admin/content/media)
Effort: Seed/role configuration change
FIX-005: Remove Assessment-Related Quick Actions from Non-Assessment Roles
Issue: Dashboard Quick Actions show “New Assessment” and “Add Vehicle” for roles that shouldn’t have these
Current: All roles see the same Quick Action cards
Correct per role:
| Role | Quick Actions |
|---|---|
| Editor | “New Assessment” only |
| Reviewer | No quick actions (or “View Pending Reviews”) |
| CMS Manager | “Content Pages” only |
| Admin | “Content Pages” (optionally “View Pending Publish”) |
| Guest | No quick actions |
Effort: Frontend conditional rendering
P2 — Medium
FIX-006: Remove “Content Pages” Quick Action from Editor/Reviewer
Issue: Editor and Reviewer see the “Content Pages” quick action card on the dashboard but have no Pages access in the sidebar
Current: The card is visible, and clicking it may produce an error because the role cannot open Pages
Correct: Hide the card for roles without Pages access
Effort: Frontend conditional rendering
FIX-008: Remove “Add Vehicle” Quick Action from Editor
Issue: Editor’s dashboard shows the “Add Vehicle” quick action, but Editor should not manage vehicles
Current: “Add Vehicle” card visible on Editor dashboard
Correct: Only Super Admin should see “Add Vehicle” quick action
Effort: Frontend conditional rendering
P3 — Low
FIX-007: Return 403 Instead of 404 for Restricted URLs
Issue: Unauthorized URL access shows “Page Not Found” instead of “Access Denied”
Current: Generic 404 page for both non-existent and restricted URLs
Correct: Show an “Access Denied” page with a clear message and a “Go to Dashboard” button
Implementation: Frontend route guard + middleware to distinguish the two cases: 404 when no route matches the path, 403 when the route exists but the signed-in role is not permitted to use it. A 403 confirms that the section exists, which is acceptable inside the authenticated portal since the sidebar already names the sections; do not extend the same distinction to individual records (a specific assessment ID a role may not see), where a 404 avoids confirming that the record exists.
Effort: Frontend + middleware change
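A worked example covering FIX-001/002/004 and FIX-007 together, added here and not taken from the portal: one route table drives both the sidebar and the route guard, so a role's sidebar is by construction the set of sections the guard lets it open, and the guard separates a missing route (404) from a forbidden one (403). Only /admin/content/media comes from the page; the other paths, the Super Admin entries and the 401 branch for requests with no signed-in user are assumptions for illustration.

```javascript
// Added example for FIX-001/002/004 and FIX-007; this is not the portal's own
// code. Only /admin/content/media is taken from the page: the other paths, the
// assumption that Super Admin may open every route, and the 401 branch for
// requests with no signed-in user are illustrative assumptions.

const ROUTES = [
  { path: '/admin/dashboard',         label: 'Dashboard',     roles: ['Editor', 'Reviewer', 'CMS Manager', 'Super Admin'] },
  { path: '/admin/assessments',       label: 'Assessments',   roles: ['Editor', 'Reviewer', 'Super Admin'] },
  { path: '/admin/protocols',         label: 'Protocols',     roles: ['Editor', 'Reviewer', 'Super Admin'] },
  { path: '/admin/vehicles/makes',    label: 'Makes',         roles: ['Super Admin'] },
  { path: '/admin/content/pages',     label: 'Pages',         roles: ['CMS Manager', 'Super Admin'] },
  { path: '/admin/content/protocols', label: 'Protocols CMS', roles: ['CMS Manager', 'Super Admin'] },
  { path: '/admin/content/media',     label: 'Media Library', roles: ['CMS Manager', 'Super Admin'] },
];

// Sidebar = the routes the role may open. Deriving it from the same table the
// guard uses means the sidebar cannot list a section the guard would refuse,
// which is exactly the drift FIX-001/002/004 describe.
function sidebarFor(role) {
  return ROUTES.filter((r) => r.roles.includes(role)).map((r) => r.label);
}

// A request path matches a route exactly or as a sub-path (/admin/assessments/42).
// The longest matching prefix wins.
function matchRoute(path) {
  const hits = ROUTES.filter((r) => path === r.path || path.startsWith(r.path + '/'));
  hits.sort((a, b) => b.path.length - a.path.length);
  return hits.length ? hits[0] : null;
}

// Route guard for FIX-007. Authentication is checked first so that an
// unauthenticated caller cannot tell existing routes from missing ones; after
// that, 404 means no such route and 403 means the route exists but the role
// may not use it.
function authorize(role, path) {
  if (role === null || role === undefined) return { status: 401, page: 'Login' };
  const route = matchRoute(path);
  if (!route) return { status: 404, page: 'Page Not Found' };
  if (!route.roles.includes(role)) return { status: 403, page: 'Access Denied' };
  return { status: 200, page: route.label };
}

console.log(sidebarFor('Editor'), sidebarFor('CMS Manager'));
console.log(authorize('Editor', '/admin/content/media'), authorize('Editor', '/admin/no-such-page'));
```

The sidebar fixes stay a seed/role configuration change under this layout: the seed populates the role lists in the route table, and both the navigation and the guard read from it, so there is no second place for the Editor or Reviewer sidebar to drift back to ten items.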