The role designed to run manual matching, MENTORSHIP_ADMIN, cannot use the "Mentorship → Manual Matching" page. The page calls GET /admin/mentorship/matches/recommendations, which is the only endpoint on the controller gated by @RequiresRole({ADMIN, LEADER}) instead of @RequiresPermission(MATCH_MANAGE). MENTORSHIP_ADMIN holds MATCH_MANAGE and every sibling endpoint accepts them — this one returns 403.
Steps to reproduce
- Log in as a user whose only role is MENTORSHIP_ADMIN.
- Open "Mentorship" in the top navigation.
Expected
/matches/recommendations allows MENTORSHIP_ADMIN like every other endpoint on the controller. All six tabs render data.
Actual
/matches/recommendations returns 403. The first three tabs (Recommendations, Unmatched Mentors, Unmatched Mentees) render misleading "Role denied." copy.
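
A regression check for this class of bug, as an added example that is not the project's own code: it reflects over a controller and reports role-gated endpoints that lock out roles holding the permission their sibling endpoints require. The annotation and enum definitions, the role-to-permission grants, and the controller method names are constructed stand-ins; only the annotation names, the role names and MATCH_MANAGE come from the report.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class AuthzGateAudit {
    // Hypothetical stand-ins for the types named in the report.
    enum Role { ADMIN, LEADER, MENTORSHIP_ADMIN }
    enum Permission { MATCH_MANAGE }
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RequiresRole { Role[] value(); }
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RequiresPermission { Permission value(); }

    // Constructed grants; the report only states MENTORSHIP_ADMIN holds MATCH_MANAGE.
    static final Map<Role, Set<Permission>> GRANTS = Map.of(
        Role.ADMIN, EnumSet.of(Permission.MATCH_MANAGE),
        Role.LEADER, EnumSet.of(Permission.MATCH_MANAGE),
        Role.MENTORSHIP_ADMIN, EnumSet.of(Permission.MATCH_MANAGE));

    // Constructed controller mirroring the report: one endpoint gated differently.
    static class MatchController {
        @RequiresRole({Role.ADMIN, Role.LEADER}) public void recommendations() {}
        @RequiresPermission(Permission.MATCH_MANAGE) public void createMatch() {}
        @RequiresPermission(Permission.MATCH_MANAGE) public void listMatches() {}
    }

    // For each role-gated method: roles that pass every sibling permission gate
    // on the controller but are missing from the method's role list.
    static Map<String, Set<Role>> lockedOut(Class<?> controller) {
        Set<Permission> siblingPerms = EnumSet.noneOf(Permission.class);
        for (Method m : controller.getDeclaredMethods()) {
            RequiresPermission p = m.getAnnotation(RequiresPermission.class);
            if (p != null) siblingPerms.add(p.value());
        }
        Map<String, Set<Role>> findings = new TreeMap<>();
        if (siblingPerms.isEmpty()) return findings; // no permission gates to compare against
        for (Method m : controller.getDeclaredMethods()) {
            RequiresRole r = m.getAnnotation(RequiresRole.class);
            if (r == null) continue;
            Set<Role> allowed = new HashSet<>(Arrays.asList(r.value()));
            Set<Role> denied = EnumSet.noneOf(Role.class);
            for (Role role : Role.values())
                if (!allowed.contains(role)
                        && GRANTS.getOrDefault(role, Set.of()).containsAll(siblingPerms))
                    denied.add(role);
            if (!denied.isEmpty()) findings.put(m.getName(), denied);
        }
        return findings;
    }
    public static void main(String[] args) { System.out.println(lockedOut(MatchController.class)); }
}
```

Run against the real controller class in a unit test, a non-empty result fails the build before a mismatched gate reaches users.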