user28928600

Flask 403 Error: Unauthorized Access When Accessing '/get_class_codes' Route

I am encountering a 403 Forbidden error when trying to access the /get_class_codes route in my Flask application. Here's the error message I see in my logs:

2025-01-24 14:02:25,740 - INFO - 127.0.0.1 - - [24/Jan/2025 14:02:25] "GET /get_class_codes HTTP/1.1" 403 -

I have the following route defined:

from flask import jsonify
from flask_login import login_required, current_user

# `main` is the application's Blueprint; `db`, `ClassCode` and `StudentClassCode`
# are the app's SQLAlchemy session and models, defined elsewhere in the project.

@main.route('/get_class_codes', methods=['GET'])
@login_required
def get_class_codes():
    if current_user.role == 'teacher':
        # Teachers get the class codes they created
        class_codes = ClassCode.query.filter_by(creator_id=current_user.id).all()
    elif current_user.role == 'student':
        # Students get the class codes they joined, via the StudentClassCode link table
        class_codes = (
            db.session.query(StudentClassCode, ClassCode)
            .join(ClassCode, StudentClassCode.class_code_id == ClassCode.id)
            .filter(StudentClassCode.student_id == current_user.id)
            .all()
        )
        class_codes = [c[1] for c in class_codes]
    else:
        # Any other role falls through to this 403
        return jsonify({'message': f'Unauthorized role: {current_user.role}'}), 403

    if not class_codes:
        return jsonify({'message': 'No class codes available'}), 404

    result = [{'code': c.code, 'description': c.description} for c in class_codes]
    return jsonify({'class_codes': result}), 200

Also, I have followed the user's role from inside the route defined:

from flask import render_template, flash, redirect, url_for
from flask_login import login_required, current_user

@main.route('/dashboard', methods=['GET', 'POST'])
@login_required
def dashboard():
    if current_user.role == 'student':
        return render_template('student_dashboard.html', user=current_user)
    elif current_user.role == 'teacher':
        return render_template('teacher_dashboard.html', user=current_user)
    elif current_user.role == 'employee':
        form = EmployeeForm()  # Create an instance of the form

        # Retrieve class codes created by the employee
        class_codes = ClassCode.query.filter_by(creator_id=current_user.id).all()

        return render_template('employee_dashboard.html',
                               user=current_user,
                               form=form,
                               class_codes=class_codes)  # Pass class codes to the template
    elif current_user.role == 'parent':
        return render_template('parent_dashboard.html', user=current_user)
    else:
        flash('Unauthorized role!', 'danger')
        return redirect(url_for('main.index'))

The route is decorated with @login_required to restrict access to logged-in users, but when I try to access it, the error persists. My expectation is that if the user is logged in and has the appropriate role (either 'teacher' or 'student'), the route should return the relevant class codes.

Here are some details about the setup:

  1. I am using Flask-Login for user management.
  2. The current_user.role is being correctly set, as I am able to print the user’s role in other parts of the application.
  3. The user is logged in correctly when trying to access this route, and the CSRF token is not an issue because other routes work as expected.

Could anyone help me figure out why this route is returning a 403 error?

Thank you in advance for your help!

Upvotes: 0

Views: 51
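The question's two routes disagree about which roles exist: the dashboard handles 'employee' and 'parent' users, while /get_class_codes only admits 'teacher' and 'student' and answers every other role with a 403 whose message is visible in the JSON body but not in the access log line. The following is an added example, not the asker's code, that models the same authorization decision without Flask (so it runs stand-alone) and logs the reason for every rejection; the `User`, `ClassCode`, sample rows and the `role_required` decorator are assumptions constructed for the example, and in a real app the view would be a Flask-Login protected route with `current_user` in place of the explicit `user` argument.

```python
"""Role-based authorization check mirroring the /get_class_codes logic,
with the rejection reason logged so a 403 can be traced to its cause.
Added example; not the asker's code and not Flask's or Flask-Login's API."""
import logging
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, List, Tuple

logging.basicConfig(level=logging.INFO,
                    format="%(asctime)s - %(levelname)s - %(message)s")
log = logging.getLogger(__name__)


@dataclass
class User:
    """Minimal stand-in for a Flask-Login user object (assumed shape)."""
    id: int
    role: str
    is_authenticated: bool = True


@dataclass
class ClassCode:
    code: str
    description: str
    creator_id: int


ANONYMOUS = User(id=0, role="anonymous", is_authenticated=False)

# Constructed sample data standing in for the ClassCode / StudentClassCode tables.
CLASS_CODES: List[ClassCode] = [
    ClassCode("MATH101", "Algebra", creator_id=1),
    ClassCode("PHY200", "Mechanics", creator_id=3),
]
STUDENT_MEMBERSHIP: Dict[int, List[str]] = {2: ["MATH101"]}  # student_id -> joined codes


def role_required(*roles: str):
    """Decorator factory: 401 for unauthenticated callers, 403 for the wrong role.

    Each rejection is logged with the view name, user id and role, which is the
    information a plain access-log line like 'GET /get_class_codes 403' lacks.
    """
    def decorator(view: Callable[..., Tuple[int, dict]]):
        @wraps(view)
        def wrapper(user: User, *args, **kwargs) -> Tuple[int, dict]:
            if not user.is_authenticated:
                log.warning("%s: unauthenticated request -> 401", view.__name__)
                return 401, {"message": "Login required"}
            if user.role not in roles:
                log.warning("%s: user %d has role %r, allowed roles %s -> 403",
                            view.__name__, user.id, user.role, roles)
                return 403, {"message": f"Unauthorized role: {user.role}"}
            return view(user, *args, **kwargs)
        return wrapper
    return decorator


@role_required("teacher", "student")
def get_class_codes(user: User) -> Tuple[int, dict]:
    """Same branching as the question's route, returning (status, json_body)."""
    if user.role == "teacher":
        codes = [c for c in CLASS_CODES if c.creator_id == user.id]
    else:  # student: codes joined through the membership table
        joined = STUDENT_MEMBERSHIP.get(user.id, [])
        codes = [c for c in CLASS_CODES if c.code in joined]
    if not codes:
        return 404, {"message": "No class codes available"}
    return 200, {"class_codes": [{"code": c.code, "description": c.description}
                                 for c in codes]}


def main() -> None:
    # Exercise every role the dashboard route knows about, plus an anonymous caller.
    for u in (User(1, "teacher"), User(2, "student"), User(4, "employee"),
              User(5, "parent"), ANONYMOUS):
        status, body = get_class_codes(u)
        print(f"{u.role:10s} -> {status} {body}")


if __name__ == "__main__":
    main()
```

Running the block shows 'employee' and 'parent' callers receiving `403 {'message': 'Unauthorized role: employee'}` and a matching WARNING line naming the role, while an unauthenticated caller gets 401 rather than 403; separating the two outcomes, and logging which branch produced a 403, is what lets a reader tell a role mismatch apart from a login problem in the server log.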

Answers (0)