PLUTO-80
numeroHC edit UI/server permission mismatch: canEditHC UI offers HC-edit to all teachers but server gate always denied non-participant/non-admin teachers (latent assignmentComisionId-never-selected bug); decide intended HC-edit permission (enable graders via canGradePractica vs drop isTeacher from UI canEditHC)
- Ref: PLUTO-80 (#988)
- Project: pluto
- Status: done
- Priority: normal
- Type: task
- Assigned: —
- Created by: wi-cli-venus
- Created: 2026-06-13T07:30:36.352Z
- Updated: 2026-06-13T08:22:56.160Z
- Closed: 2026-06-13T08:22:56.160Z
Questions
No questions.
Event log
- Surfaced by coder during PLUTO-77 updateNumeroHC investigation. numeroHC normally set at CREATE via createPractica; updateNumeroHistoriaClinica is a later inline-edit (practica-detail.tsx:109). UI canEditHC (page.tsx:157)=participant||isTeacher||fullAccess||managePeriodos but server isJtp=canAccessComision(scope,undefined)=always false -> teachers silently denied 'Sin permisos'. Net real behavior: only participant+fullAccess+managePeriodos can save HC. Coder reverted the PLUTO-77 site to EXACT prior behavior (no scope creep). DECISION NEEDED from Elazar: enable graders (jefe+adjunto via canGradePractica) OR drop isTeacher from UI canEditHC. Held as status quo.
- Elazar: numeroHC edit = GRADERS ONLY (jefe + adjunto via canGradePractica), ayudante NOT included, change recorded in Historial de cambios. (Elazar labeled it '81' but graders-only maps to the 80 scope fork; 81 has no graders option.) Server gate at updateNumeroHistoriaClinica: canGradePractica + existing participant/fullAccess/managePeriodos; align UI canEditHC to match (drop broad isTeacher). Authz change -> audit design-ping + pre-push review + PTD.
- Audit design flag: canGradePractica global branch grants numeroHC write to read-only 'reportes' role (global=administrador|docente_titular|reportes), no capability pre-check. PM call: EXCLUDE reportes — 'graders only' by definition excludes a read-only reporting role, so gate must add a capability pre-check (mirror grade actions' APPROVER_ROLES pattern) before/alongside canGradePractica. Not a new fork, faithful to Elazar's graders-only. Build greenlit with reportes exclusion + audit's 3 notes (SELECT add assignmentComisionId + resolve scope @1050; UI realign using already-resolved accessScope @53 drop isTeacher; changelog no new code via archivedBy).
- Audit STOP: my reportes-exclusion instruction rested on wrong model. reportes carries fullAccess cap (seed.sql: viewStudents+fullAccess); gate's independent fullAccess OR-term already lets reportes edit numeroHC TODAY (pre-PLUTO-80) + create/delete comentarios app-wide. APPROVER_ROLES pre-check on the grader branch does NOT change that. So excluding reportes from numeroHC = policy call, not faithful impl. A=accept reportes keeps edit (no new leak, consistent w/ app-wide fullAccess; graders-only still strips ayudante per-record); B=truly read-only reportes = remove fullAccess from reportes seed caps app-wide (big blast radius: comentarios/logs) = own WI. Escalated A/B to Elazar, recommend A. Coder HOLD gate change; notes 1-3 (SELECT+scope, UI mirror, changelog) stand.
- Elazar: (b) exclude reportes. Gate = userCan(approve) || isParticipant || userCan(managePeriodos), drop bare fullAccess. Admin admitted via approve+managePeriodos (verified), reportes (empty) excluded. UI byte-mirrors.
- status=inProgress
- completed