URL Access Control

Expected URL Access Per Role

Legend: OK = Allowed (200) | 403 = Access Denied

URL	Editor	Reviewer	CMS Mgr	Admin	Super Admin	Guest
/admin/assessments	OK	OK	403	OK	OK	OK
/admin/protocols	OK	OK	403	OK	OK	403
/admin/vehicles/*	403	403	403	403	OK	403
/admin/admin/lookups	403	403	403	403	OK	403
/admin/admin/crs	403	403	403	403	OK	403
/admin/users	403	403	403	OK	OK	403
/admin/roles	403	403	403	403	OK	403
/admin/monitoring	403	403	403	403	OK	403
/admin/content/pages	403	403	OK	OK	OK	403
/admin/content/protocols	403	403	OK	OK	OK	403
/admin/content/media	403	403	OK	OK	OK	403
/admin/content/settings	403	403	403	OK	OK	403

Correct Response Behavior

The app should distinguish between three scenarios:

Scenario	Expected Response
URL does not exist	HTTP 404 — “Page Not Found”
URL exists but user lacks permission	HTTP 403 — “Access Denied — You don’t have permission to view this page” with a “Go to Dashboard” button
URL exists, user is not authenticated	HTTP 401 — Redirect to login page

Current Behavior (Incorrect)

ISS-006: 404 Instead of 403

Currently, when a user navigates to a URL they don’t have access to, the app shows a generic “Page Not Found” page with no sidebar. This is identical to the response for truly non-existent URLs.

This means:

• Users cannot distinguish between a non-existent page and a restricted page
• There’s no clear message explaining they lack permission
• No sidebar is rendered on the error page

Tested Examples (Editor Role)

URL	Expected	Actual
/admin/users	403 Access Denied	”Page Not Found”
/admin/monitoring	403 Access Denied	”Page Not Found”
/admin/administration	403 Access Denied	”Page Not Found”

Recommended Fix

See FIX-007 — implement a proper 403 page with:

• Clear “Access Denied” heading
• Message: “You don’t have permission to view this page”
• “Go to Dashboard” button
• Sidebar still rendered for context