Refactor permissions logic in controllers and models for clarity, defining roles for students, instructors, TAs, and site admins.

[cycomachead]

General Info

• Pivotal Tracker Story
• Breaking?

Changes

This PR refactors the permissions logic across controllers, models, and views to implement a clear role-based access control (RBAC) system with four distinct permission tiers:

Role	Permissions
Students	Manage their own extensions only
Instructors & Lead TAs (course admins)	Manage everything in a course
Regular TAs	View everything, approve/deny requests, sync assignments/enrollments. Cannot update settings or extended circumstances.
Site Admins	Full access across all courses
Everyone	Can view the import course page

Key Changes

Course model — Added staff?(user) helper for all staff + site admins. Updated course_admin?(user) and user_role(user) to properly include site admins, ensuring they always receive instructor-level access.

ApplicationController — Replaced the single ensure_instructor_role with two distinct guards:

• ensure_course_admin — for settings, form configuration, and course deletion (instructors/lead TAs/site admins only)
• ensure_staff_role — for enrollments, approvals, and syncing (all staff + site admins)

set_course now also sets @is_course_admin and @is_staff instance variables for use in controllers and views.

CoursesController — enrollments and sync_enrollments are now accessible to all staff (previously instructor-only). edit and delete are restricted to course admins.

AssignmentsController — toggle_enabled now checks course_admin? instead of a raw role string comparison, and uses current_user directly rather than accepting a role via params.

CourseSettingsController & FormSettingsController — Switched from ensure_instructor_role to ensure_course_admin, so only instructors and lead TAs can modify course/form settings.

RequestsController & RequestService — Renamed check_instructor_permission → check_staff_permission. All staff can now approve/deny requests and create requests on behalf of students.

UserToCoursesController — ensure_course_admin now delegates to Course#course_admin? (which includes site admins) instead of checking the enrollment record directly.

Views — Sidebar Settings and Form links are conditionally shown only to course admins. The assignment toggle switch is disabled for non-course-admins. The enrollment sync button is shown to all staff.

Tests — Updated to use valid roles ('teacher' instead of 'instructor'), removed stale allow_any_instance_of stubs in favor of real database records, and updated the TA sync test to expect success (200) rather than forbidden (403).

Testing

• Existing controller specs were updated to reflect the new role model and now use real UserToCourse records rather than mocked user_role calls, making the tests more representative of actual behavior.
• New test cases were added for TAs attempting to toggle assignment enabled status (should be forbidden) and for students attempting to access form settings (should be redirected).
• Manually verified that TAs can access enrollments and approve/deny requests, while being blocked from settings and form configuration pages.

Documentation

No external documentation changes required. The permission model is documented inline via comments in Course model and ApplicationController.

Checklist

• Name of branch corresponds to story

---

Superconductor Ticket Implementation | App Preview | Guided Review