Prototype illustrative role assignments project

prototype/RolesAssignments/readme.md

@@ -0,0 +1,27 @@
+# User → Student Assignments
+
+| User (X-User-Id)     | Student 101 (A)    | Student 102 (B)    | Student 103 (C)  | Student 104 (D)  |
+|----------------------|--------------------|--------------------|------------------|------------------|
+| **1 — Ms. Rivera**   | ✅ PrimaryTeacher  | ✅ PrimaryTeacher  | ❌ No access     | ❌ No access     |
+| **2 — Mr. Daniels**  | ✅ Paraeducator    | ❌ No access       | ❌ No access     | ❌ No access     |
+| **3 — Dr. Patel**    | ✅ Supervisor      | ✅ Supervisor      | ✅ Supervisor    | ✅ Supervisor    |
+
+# What Each Assignment Type Can Do
+
+| Action                 | PrimaryTeacher   | Paraeducator       | Supervisor  |
+|------------------------|------------------|--------------------|-------------|
+| View student           | ✅               | ✅                 | ✅          |
+| Create goal            | ✅               | ❌                 | ❌          |
+| Edit goal              | ✅               | ❌                 | ❌          |
+| Add progress entry     | ✅               | ✅                 | ❌          |
+| Edit progress entry    | ✅ any entry     | ✅ own entries only | ❌          |
+| Delete progress entry  | ✅ any entry     | ✅ own entries only | ❌          |
+
+# Quick Test Scenarios
+
+- **User 1, GET /api/students**             → sees A & B (not C or D)
+- **User 2, GET /api/students**             → sees A only
+- **User 3, GET /api/students**             → sees all four (A, B, C, D)
+- **User 2, POST goal for student 101**     → 403 Forbidden (paras can't create goals)
+- **User 2, PUT entry 2 for student 101**   → ✅ (it's his own entry)
+- **User 2, PUT entry 1 for student 101**   → 403 (entry 1 was created by user 1)