Route-Level Access Enforcement for Coordinator Screens
Every protected route in the application is guarded by a role route guard that checks the current resolved role against the route's permitted roles before rendering. If a coordinator attempts to navigate to an admin-only screen (e.g., global admin dashboard), the guard intercepts the navigation and redirects to the no-access screen with a contextual explanation. The no-access route guard specifically handles denial flows, and the access denial service provides the reason string and optional contact action rendered by the no-access screen widget.
User Story
Acceptance Criteria
- Given a coordinator is authenticated, When they attempt to navigate to a route permitted only for admins, Then they are redirected to the no-access screen
- Given a coordinator is on the no-access screen, When it renders, Then it displays a human-readable explanation and an option to contact support or switch roles
- Given a coordinator navigates to a route they are permitted to access, When the route guard evaluates, Then navigation proceeds without interruption
- Given the no-access config repository has a custom message for the blocked route, When the no-access screen renders, Then it displays that custom message rather than a generic one
Business Value
Preventing role boundary violations protects data integrity and user confidentiality. Coordinators must not access admin-level user management or billing screens, and peer mentors must not reach coordinator bulk registration flows. Robust route guarding is a MUST HAVE for all organizations in the pilot.
Components
- Role-Based Route Guard infrastructure
- No-Access Route Guard service
- No-Access Screen ui
- No-Access Screen ui
- Access Denial Service service
- No-Access Configuration Repository data
- URL Launcher Utility infrastructure