feat: add require_admin dependency and protect admin endpoints

Add require_admin FastAPI dependency that checks is_admin column on users table. Apply it to all admin-facing write endpoints (games, pokemon, evolutions, bosses, routes CRUD). Run-scoped endpoints remain protected by require_auth only since they manage user's own data. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-21 11:14:55 +01:00
parent 1042fff2b8
commit 2e66186fac
7 changed files with 226 additions and 27 deletions
--- a/backend/src/app/api/games.py
+++ b/backend/src/app/api/games.py
@@ -6,7 +6,7 @@ from sqlalchemy import delete, select, update
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy.orm import selectinload

-from app.core.auth import AuthUser, require_auth
+from app.core.auth import AuthUser, require_admin
 from app.core.database import get_session
 from app.models.boss_battle import BossBattle
 from app.models.game import Game
@@ -232,7 +232,7 @@ async def list_game_routes(
 async def create_game(
    data: GameCreate,
    session: AsyncSession = Depends(get_session),
-    _user: AuthUser = Depends(require_auth),
+    _user: AuthUser = Depends(require_admin),
 ):
    existing = await session.execute(select(Game).where(Game.slug == data.slug))
    if existing.scalar_one_or_none() is not None:
@@ -252,7 +252,7 @@ async def update_game(
    game_id: int,
    data: GameUpdate,
    session: AsyncSession = Depends(get_session),
-    _user: AuthUser = Depends(require_auth),
+    _user: AuthUser = Depends(require_admin),
 ):
    game = await session.get(Game, game_id)
    if game is None:
@@ -280,7 +280,7 @@ async def update_game(
 async def delete_game(
    game_id: int,
    session: AsyncSession = Depends(get_session),
-    _user: AuthUser = Depends(require_auth),
+    _user: AuthUser = Depends(require_admin),
 ):
    result = await session.execute(
        select(Game).where(Game.id == game_id).options(selectinload(Game.runs))
@@ -338,7 +338,7 @@ async def create_route(
    game_id: int,
    data: RouteCreate,
    session: AsyncSession = Depends(get_session),
-    _user: AuthUser = Depends(require_auth),
+    _user: AuthUser = Depends(require_admin),
 ):
    vg_id = await _get_version_group_id(session, game_id)

@@ -354,7 +354,7 @@ async def reorder_routes(
    game_id: int,
    data: RouteReorderRequest,
    session: AsyncSession = Depends(get_session),
-    _user: AuthUser = Depends(require_auth),
+    _user: AuthUser = Depends(require_admin),
 ):
    vg_id = await _get_version_group_id(session, game_id)

@@ -381,7 +381,7 @@ async def update_route(
    route_id: int,
    data: RouteUpdate,
    session: AsyncSession = Depends(get_session),
-    _user: AuthUser = Depends(require_auth),
+    _user: AuthUser = Depends(require_admin),
 ):
    vg_id = await _get_version_group_id(session, game_id)

@@ -402,7 +402,7 @@ async def delete_route(
    game_id: int,
    route_id: int,
    session: AsyncSession = Depends(get_session),
-    _user: AuthUser = Depends(require_auth),
+    _user: AuthUser = Depends(require_admin),
 ):
    vg_id = await _get_version_group_id(session, game_id)

@@ -437,7 +437,7 @@ async def bulk_import_routes(
    game_id: int,
    items: list[BulkRouteItem],
    session: AsyncSession = Depends(get_session),
-    _user: AuthUser = Depends(require_auth),
+    _user: AuthUser = Depends(require_admin),
 ):
    vg_id = await _get_version_group_id(session, game_id)