Overview
src/app/api/admin/feature-flags/route.ts handles GET and POST requests for managing feature flags but does not check whether the requester has an ADMIN role. Any authenticated user (including students) can create, read, and modify feature flags, potentially enabling or disabling functionality across the platform.
Specifications
Features:
- Feature flag management requires ADMIN role
- Non-admin authenticated requests return HTTP 403
Tasks:
- Add requireAuth() at the top of both GET and POST handlers
- Add if (!hasPermission(user, 'ADMIN')) return forbidden() after authentication
- Write tests covering student and instructor role attempts returning 403
Impacted Files:
src/app/api/admin/feature-flags/route.ts
src/app/api/admin/feature-flags/[id]/route.ts
src/lib/authMiddleware.ts
Acceptance Criteria
- GET and POST requests without ADMIN role return HTTP 403
- Admin-role requests succeed
- Audit log records the actor for all flag mutations
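The gated handlers as an added example, not the project's own route.ts: a framework-free TypeScript model of GET and POST after the fix. requireAuth, hasPermission and forbidden are assumed helpers modelled on the names in the tasks; the session table, flag store, audit log shape and the 401-for-unauthenticated behaviour are constructed assumptions.

```typescript
// Added example, not the project's code. Helpers and session table are assumed stand-ins.
type Role = 'STUDENT' | 'INSTRUCTOR' | 'ADMIN';
type User = { id: string; role: Role };
type Req = { headers: Record<string, string>; body?: { name: string; enabled: boolean } };
type Res = { status: number; body: unknown };

// Constructed session table: bearer token -> user (stands in for the real session lookup).
const SESSIONS: Record<string, User> = {
  'tok-student': { id: 'u1', role: 'STUDENT' },
  'tok-instructor': { id: 'u2', role: 'INSTRUCTOR' },
  'tok-admin': { id: 'u3', role: 'ADMIN' },
};
const flags = new Map<string, boolean>();
const auditLog: { actor: string; action: string; flag: string }[] = [];

// Assumed helper: resolves the caller from the Authorization header, or null when absent.
function requireAuth(req: Req): User | null {
  const auth = req.headers['authorization'] ?? '';
  return auth.startsWith('Bearer ') ? SESSIONS[auth.slice(7)] ?? null : null;
}
function hasPermission(user: User, role: Role): boolean { return user.role === role; }
function forbidden(): Res { return { status: 403, body: { error: 'forbidden' } }; }
function unauthorized(): Res { return { status: 401, body: { error: 'unauthorized' } }; }

// Gate shared by both handlers: authenticate first, then require ADMIN, before any flag access.
function requireAdmin(req: Req): User | Res {
  const user = requireAuth(req);
  if (!user) return unauthorized();
  if (!hasPermission(user, 'ADMIN')) return forbidden();
  return user;
}

function GET(req: Req): Res {
  const gate = requireAdmin(req);
  if (!('role' in gate)) return gate; // 401/403 short-circuit
  const list: { name: string; enabled: boolean }[] = [];
  flags.forEach((enabled, name) => list.push({ name, enabled }));
  return { status: 200, body: list };
}

function POST(req: Req): Res {
  const gate = requireAdmin(req);
  if (!('role' in gate)) return gate;
  if (!req.body || !req.body.name) return { status: 400, body: { error: 'name required' } };
  flags.set(req.body.name, req.body.enabled);
  auditLog.push({ actor: gate.id, action: 'set', flag: req.body.name }); // record the actor
  return { status: 200, body: req.body };
}
```

Because the gate runs before any flag is read or written, a student or instructor token never reaches the store, and every mutation carries the admin's id into the audit log.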