Note: It is unclear whether this is a bug or an intentional restriction. This issue is filed to ask for clarification. If supervisors are not meant to edit case contacts through this path, the Edit button should be hidden from them in the UI.
Impacted User Types
Supervisors.
Environment
Any environment. This is a policy configuration issue in the Rails authorization layer, not specific to a browser or deployment.
Current Behavior
When a supervisor clicks Edit on a case contact (in either the old or new case contacts table), they are silently redirected away instead of reaching the edit form. The redirect chain is:
GET /case_contacts/:id/edit → 302 → /case_contacts/:id/form/details ✓
GET /case_contacts/:id/form/details → 302 → / ✗ (Pundit authorization failure)
GET / → 302 → /volunteers (supervisor default page)
The failure in step 2 occurs because CaseContacts::FormController#show calls authorize @case_contact, which Pundit resolves to CaseContactPolicy#show?. That policy only permits the creator or an admin — supervisors are excluded.
Relevant code in app/policies/case_contact_policy.rb:
  def show?
    creator_or_admin? # supervisors are NOT included
  end

  def update?
    creator_or_supervisor_or_admin? # supervisors ARE included
  end
  alias_method :edit?, :update?
Expected Behavior
Either:
- If supervisors should be able to edit: show? should include supervisors so the edit form is accessible, consistent with edit? / update?.
- If supervisors should not be able to edit: the Edit button should not be shown to supervisors in the UI.
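To make the show?/edit? mismatch concrete, here is an added stand-alone reconstruction of the policy shape described above (not the CASA project's own code, and with no Pundit or Rails dependency), plus the "show? includes supervisors" variant from the first option and a small check that reports any role that can edit? but fails show?. The User and CaseContact structs, the role symbols and the user ids are assumptions for illustration.

```ruby
# Added example, not the project's code: plain-Ruby reconstruction of the
# CaseContactPolicy predicates as reported in this issue. Structs and role
# symbols below are assumptions for illustration only.
User        = Struct.new(:id, :role)   # role: :volunteer, :supervisor, :casa_admin
CaseContact = Struct.new(:creator_id)

class CaseContactPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  def show?
    creator_or_admin?                 # supervisors are NOT included (as reported)
  end

  def update?
    creator_or_supervisor_or_admin?   # supervisors ARE included
  end
  alias_method :edit?, :update?

  private

  def creator?;    record.creator_id == user.id; end
  def supervisor?; user.role == :supervisor; end
  def admin?;      user.role == :casa_admin; end
  def creator_or_admin?;                creator? || admin?; end
  def creator_or_supervisor_or_admin?;  creator? || supervisor? || admin?; end
end

# Option 1 from "Expected Behavior": show? gains supervisors, consistent with edit?/update?.
class ConsistentCaseContactPolicy < CaseContactPolicy
  def show?
    creator_or_supervisor_or_admin?
  end
end

# Consistency check: every role that passes edit? must also pass show?, because
# the edit route redirects into FormController#show, which authorizes show?.
# Returns the roles (for a non-creator user) that can edit? but fail show?.
def roles_that_can_edit_but_not_show(policy_class, record)
  %i[volunteer supervisor casa_admin].select do |role|
    policy = policy_class.new(User.new(999, role), record)  # id 999: not the creator
    policy.edit? && !policy.show?
  end
end

puts roles_that_can_edit_but_not_show(CaseContactPolicy, CaseContact.new(1)).inspect
```

Running it prints `[:supervisor]` for the reported policy and `[]` for the consistent variant.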
How to Replicate
- Log in as a supervisor (e.g. supervisor1@example.com)
- Navigate to /case_contacts or /case_contacts/new_design
- Click Edit on any case contact
- Observe that the browser redirects to /volunteers instead of the edit form
How to access the QA site
Login Details:
Link to QA site
Login Emails:
volunteer1@example.com — view site as a volunteer
supervisor1@example.com — view site as a supervisor
casa_admin1@example.com — view site as an admin
all_casa_admin1@example.com — view site as an all casa admin
  - go to /all_casa_admins/sign_in
Password for all users: 12345678
Questions? Join Slack
We highly recommend that you join us in the Slack #casa channel to ask questions quickly, and Discord for office hours (currently Tuesday 5-7pm Pacific), stakeholder news, and upcoming new issues.