Disable stories edit page for users with insufficient permissions

[RichDom2185]

Reported by a student; reworded and posted here as it is not a major security vulnerability (the API request would still be blocked correctly by the backend, i.e. saving will result in an error if the user has insufficient permissions). Thank you for the report!

Background

The backend already implements the correct access control checks to ensure this editing stories is not possible unless the user has sufficient permissions:

• https://github.com/source-academy/stories-backend/blob/984356ffc2cee02533ece59485d325ea366dd59f/controller/stories/update.go#L30-L36
• https://github.com/source-academy/stories-backend/blob/984356ffc2cee02533ece59485d325ea366dd59f/internal/permissiongroups/stories/stories.go#L23-L31
• https://github.com/source-academy/stories-backend/blob/984356ffc2cee02533ece59485d325ea366dd59f/internal/permissions/users/users.go#L24-L30

And the frontend also already hides the edit button in the stories table:

frontend/src/pages/stories/Stories.tsx

Lines 151 to 163 in 105a553

	storyActions={story => {
	const isAuthor = storiesUserId === story.authorId;
	const hasWritePermissions =
	storiesRole === StoriesRole.Moderator || storiesRole === StoriesRole.Admin;
	return (
	<StoryActions
	storyId={story.id}
	handleDeleteStory={handleDeleteStory}
	handleTogglePin={handleTogglePinStory}
	handleMovePinUp={handleMovePinUp}
	handleMovePinDown={handleMovePinDown}
	canView // everyone has view permissions, even anonymous users
	canEdit={isAuthor || hasWritePermissions}

But manually editing the URL from /view/<story_id> to /edit/<story_id> still results in the edit component showing.

Proposal

Redirect /edit/<story_id> → /view/<story_id> when the user has insufficient permissions to edit.

[sayomaki]

Could be related to #2632

[RichDom2185]

Could be related to #2632

Oh yes, might be a duplicate, thanks for that. Also, on second thought, I think it might be better to just disable the edit route (instead of redirecting), because if we redirect without any additional feedback to the user, there is a possibility that the user gets confused if they mistakenly believe that they have edit rights to a particular story.