pokemon/nuzlocke-tracker
1
1
Fork 0
Code Issues Pull Requests 10 Actions Packages Projects Releases Wiki Activity

feat: infer genlocke visibility from first leg's run

Browse Source 
Genlockes now inherit visibility from their first leg's run:
- Private runs make genlockes hidden from public listings
- All genlocke read endpoints now accept optional auth
- Returns 404 for private genlockes to non-owners

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Julian Tabel
2026-03-21 13:47:05 +01:00
parent a3f332f82b
commit a4fa5bf1e4
3 changed files with 383 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
.beans/nuzlocke-tracker-i0rn--infer-genlocke-visibility-from-first-legs-run.md Normal file
View File

@@ -0,0 +1,54 @@
---
# nuzlocke-tracker-i0rn
title: Infer genlocke visibility from first leg's run
status: completed
type: feature
created_at: 2026-03-21T12:46:56Z
updated_at: 2026-03-21T12:46:56Z
---
## Problem
Genlockes are always public — they have no visibility setting. They should inherit visibility from their first leg's run, so if a user makes their run private, the genlocke is also hidden from public listings.
## Approach
Rather than adding a `visibility` column to the `genlockes` table, infer it from the first leg's run at query time. This avoids sync issues and keeps the first leg's run as the source of truth.
### Backend
- `list_genlockes` endpoint: filter out genlockes whose first leg's run is private (unless the requesting user is the owner)
- `get_genlocke` endpoint: return 404 if the first leg's run is private and the user is not the owner
- Add optional auth (not required) to genlocke read endpoints to check ownership
### Frontend
- No changes needed — private genlockes simply won't appear in listings for non-owners
## Files modified
- `backend/src/app/api/genlockes.py` — add visibility filtering to all read endpoints
## Checklist
- [x] Add `get_current_user` (optional auth) dependency to genlocke read endpoints
- [x] Filter private genlockes from `list_genlockes` for non-owners
- [x] Return 404 for private genlockes in `get_genlocke` for non-owners
- [x] Apply same filtering to graveyard, lineages, survivors, and retired-families endpoints
- [x] Test: private run's genlocke hidden from unauthenticated users
- [x] Test: owner can still see their private genlocke
## Summary of Changes
- Added `_is_genlocke_visible()` helper function to check visibility based on first leg's run
- Added optional auth (`get_current_user`) to all genlocke read endpoints:
- `list_genlockes`: filters out private genlockes for non-owners
- `get_genlocke`: returns 404 for private genlockes to non-owners
- `get_genlocke_graveyard`: returns 404 for private genlockes
- `get_genlocke_lineages`: returns 404 for private genlockes
- `get_leg_survivors`: returns 404 for private genlockes
- `get_retired_families`: returns 404 for private genlockes
- Added 9 new tests in `TestGenlockeVisibility` class covering:
- Private genlockes hidden from unauthenticated list
- Private genlockes visible to owner in list
- 404 for all detail endpoints when accessed by unauthenticated users
- 404 for private genlockes when accessed by different authenticated user
- Owner can still access their private genlocke