fix(permissions): expose GET /api/acks, /api/ta1-acks, /api/277ca-acks
The PERMISSIONS matrix only listed the POST /api/acks entry (parse-999 ingest). The GET list + detail endpoints for 999 / TA1 / 277CA acks were missing, so the matrix_gate (default-deny) returned 403 to every authenticated role, breaking the 999 ACKs / TA1 / 277CA inbox pages. Add the three GET entries as ALL_ROLES — they're read-only metadata surfaces that every authenticated operator needs to see. Add a regression test that logs in as admin via the public route and exercises the matrix; the existing test_existing_endpoints_require_auth suite only checks the unauthenticated 401 path, which is why this slipped through. Fixes the live-verification 'Couldn't load ACKs from the backend / forbidden' error reported against the UI.
This commit is contained in:
@@ -44,6 +44,9 @@ PERMISSIONS: dict[tuple[str, str], set[Role]] = {
|
||||
("GET", "/api/inbox/export.csv"): ALL_ROLES,
|
||||
("GET", "/api/reconcile"): ALL_ROLES,
|
||||
("GET", "/api/reconciliation"): ALL_ROLES,
|
||||
("GET", "/api/acks"): ALL_ROLES,
|
||||
("GET", "/api/ta1-acks"): ALL_ROLES,
|
||||
("GET", "/api/277ca-acks"): ALL_ROLES,
|
||||
("GET", "/api/audit-log"): ADMIN_ONLY,
|
||||
|
||||
# Write endpoints (admin + user, no viewer).
|
||||
|
||||
Reference in New Issue
Block a user