From 143d194cdba6e25cef34593278e161ca08001194 Mon Sep 17 00:00:00 2001
From: Blitblank
Date: Tue, 21 Apr 2026 19:18:54 -0500
Subject: [PATCH] fix: policy mismatch
---
 api/src/Controllers/UsersController.cs | 6 +++---
 scripts/DEV_README.md | 3 ++-
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/api/src/Controllers/UsersController.cs b/api/src/Controllers/UsersController.cs
index bf1ca7d..b1e0519 100644
--- a/api/src/Controllers/UsersController.cs
+++ b/api/src/Controllers/UsersController.cs
@@ -20,7 +20,7 @@ public class UsersController : ControllerBase {
 service_ = service;
 }
- [Authorize(Policy = "RequireAdmin")]
+ [Authorize(Policy = "SensitiveDataRead")]
 [HttpGet]
 public async Task>> getUsers() {
 List rawArray = await service_.GetAll();
@@ -42,7 +42,7 @@ public class UsersController : ControllerBase {
 return Ok(dtoArray);
 }
- [Authorize(Policy = "RequireAdmin")]
+ [Authorize(Policy = "SensitiveDataRead")]
 [HttpGet("{id:int}")]
 public async Task> getUser(int id) {
@@ -60,7 +60,7 @@ public class UsersController : ControllerBase {
 return Ok(newDto);
 }
- [Authorize(Policy = "RequireSuperuser")]
+ [Authorize(Policy = "SensitiveDataModify")]
 [HttpDelete("{id}")]
 public async Task deleteUser(int id) {
diff --git a/scripts/DEV_README.md b/scripts/DEV_README.md
index bfee97f..71b6400 100644
--- a/scripts/DEV_README.md
+++ b/scripts/DEV_README.md
@@ -13,7 +13,8 @@ To see live logs: sudo docker logs -f -t agologum-api public user: -> username=bard +> username=bard (admin) +> username=xvbard (superuser) > password=Public*890 chrome dev tools troubleshooting
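Review bot: The policy names on getUsers, getUser and deleteUser are still bare string literals (`"SensitiveDataRead"`, `"SensitiveDataModify"`), so the controller can drift from the policy registration again and a wrong name only shows up when the endpoint is called. Shared constants would turn that into a compile error, e.g. `[Authorize(Policy = Policies.SensitiveDataRead)]`, where `Policies` is a suggested new static class of `const string` names that the registration code uses too. The policy definitions are not part of this patch, so it cannot be confirmed from here whether `SensitiveDataModify` lets accounts delete users that `RequireSuperuser` excluded; a test that an admin-only account gets 403 on the DELETE route would pin the intended boundary. All three method bodies continue outside their hunks.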