MARS-90 Unauthenticated /practicas/[id] click → notFound() (bare 404) instead of /login?returnTo; MARS-89 friendly branch is session-gated so logged-out email-clicks bypass it

MARS-90 · mars

Unauthenticated /practicas/[id] click → notFound() (bare 404) instead of /login?returnTo; MARS-89 friendly branch is session-gated so logged-out email-clicks bypass it

No sub-items.

No questions.

2026-06-10T01:13:03.358Z · created · wi-cli-venus
2026-06-10T01:15:08.360Z · note · wi-cli-venus

Premise corrected (db, 2026-06-10): original 'unauthenticated click → notFound' hypothesis WRONG — both observed clickers are isAuthenticated=TRUE (f223ef93=alumno on a HARD-deleted práctica; d30f3e41=Flavia/ayudante on a correctly SOFT-deleted práctica, clicking a pre-MARS-76 Mailgun email ~5d old). Real gap: MARS-89's friendly branch is (a) gated to non-staff roles so ayudante/staff fall through to notFound(), and (b) likely requires the práctica row to exist so a hard-deleted/null id falls through. Revised fix: ANY authenticated user hitting /practicas/[id] for a deleted/nonexistent/not-visible práctica → friendly 'no disponible' 200 page instead of notFound(), all roles, soft+hard delete. Stops both errscan signals + better UX. MARS-91 (returnTo) and the !session path are NOT relevant here (clickers are authenticated).
2026-06-10T01:26:28.533Z · completed · wi-cli-venus

Role-agnostic práctica-route guard: any authenticated viewer hitting a deleted/missing/no-access práctica → friendly 'no disponible' 200 + dead-link logged at INFO (practica-link-dead, off the error/warn pager, feeds MARS-83 miner) instead of notFound(). Closes the staff-viewer gap MARS-89's non-staff guard left (d30f3e41 ayudante case). Live v2.15.15 9473c28, audit PASS