Fix IDOR user test

[theiris6]

Ensure users can only access their own data unless they have teaching staff roles. Added a regression test.

Description

Implement proper authorisation checks in the user controller to prevent users from accessing other users' data by manipulating IDs.

Fixes # (issue)

1. The access check should ensure that only the user themselves or a teaching staff member can retrieve a user profile. Replace the outdated authorise? current_user, User, :admin_users check with Role.teaching_staff_ids.include?(current_user.role_id) so all teaching roles (e.g., tutors, convenors, admins) are covered.
2. Added a regression test ensuring a student cannot retrieve another student’s profile, expecting a 403 response

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

yes

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation if appropriate
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• I have created or extended unit tests to address my new additions
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules

If you have any questions, please contact @macite or @jakerenzella.

[MillicentAmolo]

Nice work. This change strengthens authorization rules and improves clarity. Including a regression test is a good step for long term security.

[ibi420]

Hey Iris,
Good job on this. I can confirm this is non-breaking and functions as expected.