Restrict unauthorized access to project challenges page via direct URL by Copilot · Pull Request #1747 · topcoder-platform/work-manager
Non-members navigating directly to /projects/:projectId/challenges could view challenge listings for projects they don't belong to. Admins, copilots, and managers are unaffected.
Changes
- **ChallengesContainer** — After the project loads, checks whether the user is an admin/copilot/manager or a project member. If neither, renders an access-denied message instead of the challenges view.
  - Adds a `projectLoadAttempted` local state flag to guard against false positives on initial render (before any API call fires, `hasProjectAccess` starts as `false`).
  - Maps `hasProjectAccess` and `projectsIsLoading` from the `projects` Redux slice to gate the check on load completion.
  - Covers both the 403 case (API denies the project fetch) and the non-member case (API returns project data but the user is absent from `members`).
  - Adds:

```jsx
// Inside ChallengesContainer's render, evaluated only after a project fetch has been attempted
if (!dashboard && !selfService && projectId && this.state.projectLoadAttempted) {
  const isUserAuthorized = checkAdmin(auth.token) || checkCopilot(auth.token) || checkManager(auth.token)
  if (!isUserAuthorized && !projectsIsLoading) {
    // Only judge membership against the project that was actually requested
    const isProjectDetailForRequestedProject = reduxProjectInfo && !_.isEmpty(reduxProjectInfo) && `${reduxProjectInfo.id}` === `${projectId}`
    // 403 (fetch denied) or project loaded but the user is not among its members
    if (!hasProjectAccess || (isProjectDetailForRequestedProject && !checkIsProjectMember(auth.token, reduxProjectInfo))) {
      return <Message>You don't have access to this project. Please contact <a href="mailto:support@topcoder.com">support@topcoder.com</a>.</Message>
    }
  }
}
```

- **Message component** — Extended to accept JSX `children` alongside the existing `warnMessage` string prop, enabling the mailto link in the error message.
Original prompt
This section details the original issue you should resolve
<issue_title>Restrict Unauthorized Project Access via URL</issue_title>
<issue_description>In the Work Manager App, if a user who is not part of a project attempts to access the project directly via its URL, they are currently able to view the project page with limited details such as challenge listings.
This behavior should be restricted. If a user does not have access to a project, the system must block access and display a validation message:
“You don’t have access to this project. Please contact support@topcoder.com.”
No project details should be exposed to unauthorized users.</issue_description>
<agent_instructions>Plan the implementation of this fix. Provide details for review.</agent_instructions>
Comments on the Issue (you are @copilot in this section)
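The access gate described under Changes, as an added example that is not code from the work-manager repository: the PR's render-time condition lifted into a pure decision function so each branch (initial render, 403, non-member, member, privileged user, still loading) can be checked without React or Redux. Role and membership checks are passed in as booleans standing in for checkAdmin/checkCopilot/checkManager/checkIsProjectMember; the scenario inputs are constructed.

```javascript
// Added example, not code from topcoder-platform/work-manager: the PR's
// ChallengesContainer gate as a pure function. Role and membership checks
// are injected as booleans in place of checkAdmin/checkCopilot/checkManager/
// checkIsProjectMember (assumed names), so every branch runs stand-alone.
function resolveChallengesAccess ({
  dashboard = false,
  selfService = false,
  projectId = null,
  projectLoadAttempted = false, // set once the component has fired a fetch
  isPrivilegedUser = false,     // admin, copilot or manager
  projectsIsLoading = false,
  hasProjectAccess = false,     // false before any fetch and after a 403
  projectInfo = null,           // project record currently in the Redux slice
  isProjectMember = false       // user present in projectInfo.members
}) {
  // Dashboard and self-service views are not scoped to a project.
  if (dashboard || selfService || !projectId) return 'allow'
  // Before the first fetch hasProjectAccess is false for everyone, so
  // checking now would deny legitimate members on initial render.
  if (!projectLoadAttempted || projectsIsLoading) return 'pending'
  if (isPrivilegedUser) return 'allow'
  // 403 case: the API refused the project fetch.
  if (!hasProjectAccess) return 'deny'
  // Only judge membership against the project that was actually requested.
  const forRequestedProject =
    projectInfo != null && String(projectInfo.id) === String(projectId)
  // Non-member case: fetch succeeded but the user is absent from members.
  if (forRequestedProject && !isProjectMember) return 'deny'
  // As in the PR, a record for a different project id falls through and
  // renders; a stricter gate would return 'pending' here instead.
  return 'allow'
}

// Constructed scenarios, one per branch the PR describes.
const SCENARIOS = {
  initialRender: { projectId: 42 },
  forbidden403: { projectId: 42, projectLoadAttempted: true },
  nonMember: { projectId: 42, projectLoadAttempted: true, hasProjectAccess: true,
    projectInfo: { id: 42, members: [] } },
  member: { projectId: 42, projectLoadAttempted: true, hasProjectAccess: true,
    projectInfo: { id: '42', members: [{ userId: 7 }] }, isProjectMember: true },
  admin: { projectId: 42, projectLoadAttempted: true, isPrivilegedUser: true },
  stillLoading: { projectId: 42, projectLoadAttempted: true, projectsIsLoading: true }
}
function runScenarios () {
  const out = {}
  for (const [name, input] of Object.entries(SCENARIOS)) out[name] = resolveChallengesAccess(input)
  return out
}
```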
