fix(auth): enforce surface isolation and repair dashboard logout

Author: AAdewunmi

accounts/mixins.py

@@ -40,9 +40,6 @@ def user_has_surface_access(user, role: str) -> bool:
     if not getattr(user, "is_authenticated", False):
         return False
 
-    if is_admin_user(user):
-        return True
-
     surface_group_lookup = {
         ROLE_OPS: GROUP_NAMES[ROLE_OPS],
         ROLE_CUSTOMER: GROUP_NAMES[ROLE_CUSTOMER],
@@ -52,6 +49,9 @@ def user_has_surface_access(user, role: str) -> bool:
     if role not in surface_group_lookup:
         return False
 
+    if role == ROLE_ADMIN:
+        return is_admin_user(user)
+
     return user_in_group(user, surface_group_lookup[role])
 
 

accounts/services/surface_redirects.py

@@ -27,9 +27,6 @@ def get_primary_surface(user):
 
 def user_can_access_path(user, path):
     """Return True when the user may land on the requested relative path."""
-    if is_admin_user(user):
-        return True
-
     for role, prefixes in SURFACE_ALLOWED_PREFIXES.items():
         if path.startswith(prefixes):
             return user_has_surface_access(user, role)

templates/console/admin_dashboard.html

@@ -16,7 +16,6 @@ <h1>Operate the platform shell with one clear management entry point.</h1>
         </p>
         <div class="rh-hero-actions">
           <a class="btn btn-primary rh-btn-primary" href="/admin/">Open Django admin</a>
-          <a class="btn btn-outline-secondary rh-btn-secondary" href="{% url 'landing' %}">Return to landing page</a>
         </div>
       </div>
       <aside class="rh-hero-visual" aria-label="Admin console summary">

templates/partials/_app_nav.html

@@ -38,9 +38,12 @@
         <div class="rh-topbar-meta" aria-label="Signed-in user">
           <span class="rh-header-note">{{ request.user.get_username }}</span>
         </div>
-        <a class="btn btn-outline-secondary btn-sm rh-topbar-secondary" href="{% url 'accounts:logout' %}">
-          Sign out
-        </a>
+        <form method="post" action="{% url 'accounts:logout' %}" class="m-0">
+          {% csrf_token %}
+          <button type="submit" class="btn btn-outline-secondary btn-sm rh-topbar-secondary">
+            Sign out
+          </button>
+        </form>
       {% endif %}
     </div>
   </div>

tests/test_accounts_auth.py

@@ -105,12 +105,13 @@ def test_user_has_surface_access_returns_false_for_unknown_role() -> None:
     assert user_has_surface_access(ops_user, "unknown") is False
 
 
-def test_user_has_surface_access_returns_true_for_superuser() -> None:
-    """Superusers should be allowed onto every surface."""
+def test_user_has_surface_access_limits_superuser_to_admin_surface() -> None:
+    """Superusers should not automatically bypass non-admin surface boundaries."""
 
     admin_user = UserFactory(is_superuser=True, is_staff=True)
 
-    assert user_has_surface_access(admin_user, "ops") is True
+    assert user_has_surface_access(admin_user, "admin") is True
+    assert user_has_surface_access(admin_user, "ops") is False
 
 
 def test_user_has_surface_access_returns_false_for_anonymous_user() -> None:

tests/test_console_access.py

@@ -66,3 +66,14 @@ def test_ops_can_access_ops_console(client):
 
     assert response.status_code == 200
     assert b"Work the live return queue inside the same shared ReturnHub shell." in response.content
+
+
+def test_logout_view_accepts_post_and_redirects(client):
+    """Logout should work through a POST request from the shared dashboard nav."""
+    user = create_user_for_role("ops.logout", ROLE_OPS)
+    client.force_login(user)
+
+    response = client.post(reverse("accounts:logout"))
+
+    assert response.status_code == 302
+    assert response.headers["Location"] == reverse("landing")

tests/test_console_shell.py

@@ -157,3 +157,33 @@ def test_merchant_console_renders_for_merchant_user(client) -> None:
     assert response.status_code == 200
     assert "Merchant Console" in body
     assert "Review linked cases" in body
+
+
+@pytest.mark.django_db
+def test_authenticated_console_nav_uses_post_logout_form(client) -> None:
+    """The shared console nav should submit logout via POST instead of a GET link."""
+    ops_user = UserFactory(email="console-logout@example.com")
+    add_group(ops_user, "Ops")
+
+    client.force_login(ops_user)
+    response = client.get("/console/ops/")
+
+    body = response.content.decode()
+    assert response.status_code == 200
+    assert 'method="post"' in body
+    assert 'action="/logout/"' in body
+    assert "Sign out" in body
+
+
+@pytest.mark.django_db
+def test_admin_console_does_not_render_return_to_landing_button(client) -> None:
+    """The admin dashboard should not show a landing-page return action."""
+    admin_user = UserFactory(email="console-admin@example.com", is_superuser=True, is_staff=True)
+    add_group(admin_user, "Admin")
+
+    client.force_login(admin_user)
+    response = client.get("/console/admin/")
+
+    body = response.content.decode()
+    assert response.status_code == 200
+    assert "Return to landing page" not in body

tests/test_console_views.py

@@ -91,15 +91,14 @@ def test_console_routes_forbid_wrong_role(client) -> None:
 
 
 @pytest.mark.django_db
-def test_superuser_can_access_console_routes_without_group_membership(client) -> None:
-    """Superusers should bypass group checks for authenticated console routes."""
+def test_superuser_without_admin_group_gets_403_on_ops_console(client) -> None:
+    """Superusers without the admin role should not bypass non-admin console boundaries."""
     admin_user = UserFactory(is_superuser=True, is_staff=True)
 
     client.force_login(admin_user)
     response = client.get(reverse("console:ops-dashboard"))
 
-    assert response.status_code == 200
-    assert "Ops Console" in response.content.decode()
+    assert response.status_code == 403
 
 
 @pytest.mark.django_db

tests/test_surface_smoke.py

@@ -32,17 +32,17 @@ def test_admin_can_open_admin_console(client, seeded_data):
     assert console_response.status_code == 200
 
 
-def test_admin_can_open_customer_portal_pages(client, seeded_data):
-    """Admin should be able to inspect customer portal page 1 and page 2."""
+def test_admin_gets_403_on_customer_portal_pages(client, seeded_data):
+    """Admin should not be able to open customer-only portal pages."""
     login_response = login(client, "/login/admin/", "admin.demo")
     assert login_response.status_code == 302
     assert login_response.headers["Location"] == "/console/admin/"
 
     customer_page_1 = client.get("/customer/?page=1")
     customer_page_2 = client.get("/customer/?page=2")
 
-    assert customer_page_1.status_code == 200
-    assert customer_page_2.status_code == 200
+    assert customer_page_1.status_code == 403
+    assert customer_page_2.status_code == 403
 
 
 def test_ops_can_open_console_and_ops_page_one_and_two(client, seeded_data):