fix: review feedback on ForbiddenResult and dashboard 403 handling

James Blair · James Blair · commit 19a030e5d30e · 2026-04-14T08:55:31.000-06:00
- Remove unnecessary 'new' keyword on Result&lt;T&gt;.Forbidden (CS0109 warning)
- ForbiddenResult doc comment no longer references ProblemDetails (Kernel
  should be unconcerned with web serialization)
- Dashboard checks for requiredIal in 403 response body, not just status
  code, to distinguish IAL-related 403 from other authorization failures
diff --git a/src/SEBT.Portal.Kernel/Result.cs b/src/SEBT.Portal.Kernel/Result.cs
@@ -57,7 +57,7 @@ public static Result<T> ValidationFailed(string key, IEnumerable<ValidationError
     public new static Result<T> DependencyFailed(DependencyFailedReason reason, string? message = null)
         => new DependencyFailedResult<T>(reason, message);
 
-    public new static Result<T> Forbidden(string message, IDictionary<string, object?>? extensions = null)
+    public static Result<T> Forbidden(string message, IDictionary<string, object?>? extensions = null)
         => new ForbiddenResult<T>(message, extensions);
 
     public T Value => this switch
diff --git a/src/SEBT.Portal.Kernel/Results/ForbiddenResult.cs b/src/SEBT.Portal.Kernel/Results/ForbiddenResult.cs
@@ -8,7 +8,8 @@ public class ForbiddenResult(string message) : Result(false)
 public class ForbiddenResult<T>(string message, IDictionary<string, object?>? extensions = null) : Result<T>(false)
 {
     /// <summary>
-    /// Additional structured data to include in the ProblemDetails response.
+    /// Additional structured data describing why access was denied.
+    /// The API layer determines how to serialize this (e.g., as ProblemDetails extensions).
     /// </summary>
     public IDictionary<string, object?> Extensions { get; } = extensions ?? new Dictionary<string, object?>();
 
diff --git a/src/SEBT.Portal.Web/src/features/household/components/DashboardContent/DashboardContent.tsx b/src/SEBT.Portal.Web/src/features/household/components/DashboardContent/DashboardContent.tsx
@@ -25,9 +25,12 @@ export function DashboardContent() {
   const { data, isLoading, isError, error } = useHouseholdData()
   const { setPageData, setUserData, trackEvent } = useDataLayer()
 
-  // 403 means the user's IAL is below the minimum required by their cases.
-  // Redirect to ID proofing so they can reach the required level.
-  const requiresProofing = error instanceof ApiError && error.status === 403
+  // A 403 with requiredIal in the response body means the user's IAL is below
+  // the minimum required by their cases. Redirect to ID proofing.
+  const requiresProofing =
+    error instanceof ApiError &&
+    error.status === 403 &&
+    'requiredIal' in ((error.data as Record<string, unknown>) ?? {})
   useEffect(() => {
     if (requiresProofing) {
       router.push('/login/id-proofing')

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,8 @@ public class ForbiddenResult(string message) : Result(false)`
`8`	`8`	`public class ForbiddenResult<T>(string message, IDictionary<string, object?>? extensions = null) : Result<T>(false)`
`9`	`9`	`{`
`10`	`10`	`/// <summary>`
`11`		`- /// Additional structured data to include in the ProblemDetails response.`
	`11`	`+ /// Additional structured data describing why access was denied.`
	`12`	`+ /// The API layer determines how to serialize this (e.g., as ProblemDetails extensions).`
`12`	`13`	`/// </summary>`
`13`	`14`	`public IDictionary<string, object?> Extensions { get; } = extensions ?? new Dictionary<string, object?>();`
`14`	`15`