CRITICAL story-role-based-access-control-peer-mentor-005 5 pts
Story Points: 5
Priority: Critical
Feature: Role-Based Access Control

User Story

As a Peer Mentor (Likeperson)
I want the app to restrict my view to only my own activities, contacts, assignments, and expense claims
So that I cannot accidentally view or modify another peer mentor's data, and sensitive data about other users is protected in compliance with GDPR and organizational privacy requirements

Acceptance Criteria

  • Given a user authenticated as a Peer Mentor, when they attempt to navigate to a coordinator-only route such as bulk registration or approval queue, then the Permission Guard redirects them to the No-Access Screen
  • Given a user authenticated as a Peer Mentor, when they view their activity list, then only activities registered by or assigned to them are displayed
  • Given a user authenticated as a Peer Mentor, when they view their contacts, then only their own assigned contacts are shown
  • Given a user authenticated as a Peer Mentor, when they view expense claims, then only their own submitted claims are visible
  • Given a user authenticated as a Peer Mentor, when they attempt to access another user's profile or data via a direct navigation path, then the Permission Guard blocks the request and redirects to the No-Access Screen

Business Value

GDPR compliance and organizational trust require that peer mentors cannot access other users' sensitive data, including contact information, health notes, and encrypted assignments. A data breach caused by insufficient access controls would be catastrophic for an organization handling sensitive personal information about vulnerable individuals. This client-side scoping provides defense in depth alongside Supabase Row Level Security policies enforced at the database layer.
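The Permission Guard behaviour in the acceptance criteria and the client-side scoping described under Business Value, as an added illustration in JavaScript (not the project's own code): a route guard that resolves a requested path to either that path or the No-Access Screen, and a row filter that applies the per-table ownership predicates for a peer mentor. The route paths, the `id`/`role` fields on the user object, and the column names are assumptions, as is the "unknown role or table denies by default" policy.

```javascript
// Added example: client-side permission guard and row scoping for the
// Peer Mentor role. Route names, column names and the user object shape
// are assumptions, not taken from the project's code.

const NO_ACCESS = "/no-access";

// Routes that only a coordinator may open (assumed paths).
const COORDINATOR_ONLY = ["/bulk-registration", "/approval-queue"];

// Returns the path the guard allows, or NO_ACCESS when the request is blocked.
function guardRoute(user, path) {
  if (!user || !user.id || !user.role) return NO_ACCESS; // unauthenticated: deny
  if (user.role === "coordinator") return path;
  if (user.role !== "peer_mentor") return NO_ACCESS; // unknown role: fail closed

  if (COORDINATOR_ONLY.some((r) => path === r || path.startsWith(r + "/"))) {
    return NO_ACCESS;
  }
  // Direct navigation to /users/<id>/... is allowed only for the mentor's own id.
  const m = path.match(/^\/users\/([^/]+)/);
  if (m && m[1] !== user.id) return NO_ACCESS;
  return path;
}

// Visibility predicates per table for a peer mentor. The database-side RLS
// policies must enforce the same predicates; this client copy is defense in
// depth, not the authority.
const OWNERSHIP = {
  activities: (row, uid) => row.registered_by === uid || row.assigned_to === uid,
  contacts: (row, uid) => row.assigned_to === uid,
  expense_claims: (row, uid) => row.submitted_by === uid,
};

// Filters rows down to what the user may see. Coordinators see everything;
// a table with no predicate yields nothing for a peer mentor (fail closed).
function scopeRows(user, table, rows) {
  if (!user || !user.id) return [];
  if (user.role === "coordinator") return rows;
  const ownedBy = OWNERSHIP[table];
  if (user.role !== "peer_mentor" || !ownedBy) return [];
  return rows.filter((row) => ownedBy(row, user.id));
}
```

Wiring `guardRoute` into the router's navigation hook gives the redirect the acceptance criteria describe; `scopeRows` only narrows what the UI renders and does not replace the RLS policies.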