Enforce run ownership and show owner info #74

Merged
TheFurya merged 6 commits from feature/enforce-run-ownership-on-all-mutation-endpoints into develop 2026-03-22 09:16:59 +01:00
Owner

Summary

  • Enforce run ownership checks on all mutation endpoints (runs, encounters, bosses, genlockes) so only the owner can modify their data
  • Hide edit controls (rename, delete, encounter editing) in the frontend for non-owners
  • Show owner display name in admin pages for runs and genlockes

Test plan

  • Verify non-owners cannot modify runs, encounters, or bosses via API
  • Verify edit controls are hidden when viewing another user's run
  • Verify admin pages display owner info correctly

🤖 Generated with Claude Code

TheFurya added 3 commits 2026-03-21 14:06:22 +01:00
Add require_run_owner helper in auth.py that enforces ownership on
mutation endpoints. Unowned (legacy) runs are now read-only.

Applied ownership checks to:
- All 4 encounter mutation endpoints
- Both boss result mutation endpoints
- Run update/delete endpoints
- All 5 genlocke mutation endpoints (via first leg's run owner)

Also sets owner_id on run creation in genlockes.py (create_genlocke,
advance_leg) and adds 22 comprehensive ownership enforcement tests.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add useAuth and canEdit logic to RunEncounters.tsx
- Guard all mutation triggers (Log Shiny, Log Egg, End Run, Randomize All,
  HoF Edit, Boss Battle, route/team clicks, Advance to Next Leg)
- Update RunDashboard.tsx canEdit to be isOwner only (no unowned fallback)
- Add read-only banner for non-owner viewers in both pages

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
feat: show owner info in admin pages
All checks were successful
CI / backend-tests (pull_request) Successful in 29s
CI / frontend-tests (pull_request) Successful in 29s
a3f332f82b
- Add Owner column to AdminRuns.tsx and AdminGenlockes.tsx
- Add owner filter dropdown to both admin pages
- Add owner field to GenlockeListItem schema (resolved from first leg's run)
- Update frontend types for GenlockeListItem

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
TheFurya added 2 commits 2026-03-22 09:15:22 +01:00
Genlockes now inherit visibility from their first leg's run:
- Private runs make genlockes hidden from public listings
- All genlocke read endpoints now accept optional auth
- Returns 404 for private genlockes to non-owners

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Reviewed-on: #77
TheFurya added 1 commit 2026-03-22 09:16:44 +01:00
Merge branch 'develop' into feature/enforce-run-ownership-on-all-mutation-endpoints
All checks were successful
CI / backend-tests (pull_request) Successful in 33s
CI / frontend-tests (pull_request) Successful in 29s
38b1156a95
TheFurya merged commit 8be9718293 into develop 2026-03-22 09:16:59 +01:00
TheFurya deleted branch feature/enforce-run-ownership-on-all-mutation-endpoints 2026-03-22 09:17:00 +01:00
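The ownership rules described in the commits above, as an added sketch that is not the project's code: only `require_run_owner` and `owner_id` are names from this page, while the `Run`/`Genlocke` models, `is_private`, the exception classes and the other helpers are hypothetical. It shows why the unowned (legacy) case needs an explicit `None` check.

```python
from dataclasses import dataclass, field
from typing import Optional

class AccessDenied(Exception): pass   # hypothetical: mutation refused
class NotFound(Exception): pass       # hypothetical: surfaces as HTTP 404

@dataclass
class Run:                            # hypothetical model, not the project's schema
    id: int
    owner_id: Optional[int]           # None = unowned (legacy) run
    is_private: bool = False

@dataclass
class Genlocke:
    id: int
    legs: list = field(default_factory=list)   # Run objects; legs[0] decides owner and visibility

def require_run_owner(run, user_id):
    """Mutation guard: only the owner may modify a run."""
    # Check None explicitly: a bare `run.owner_id == user_id` would let an
    # unauthenticated caller (None) match every legacy run (owner_id None).
    if user_id is None or run.owner_id is None or run.owner_id != user_id:
        raise AccessDenied(f"run {run.id} is read-only for this caller")
    return run

def require_genlocke_owner(genlocke, user_id):
    """Genlocke mutations are authorized through the first leg's run owner."""
    if not genlocke.legs:
        raise AccessDenied(f"genlocke {genlocke.id} has no leg to resolve an owner from")
    return require_run_owner(genlocke.legs[0], user_id)

def read_genlocke(genlocke, user_id=None):
    """Read path with optional auth: private genlockes look nonexistent to non-owners."""
    first = genlocke.legs[0] if genlocke.legs else None
    if first and first.is_private and (user_id is None or first.owner_id != user_id):
        raise NotFound(f"genlocke {genlocke.id}")
    return genlocke

def outcome(check, *args):
    """Run a check and report 'ok' or the name of the exception it raised."""
    try:
        check(*args)
        return "ok"
    except (AccessDenied, NotFound) as exc:
        return type(exc).__name__

if __name__ == "__main__":
    legacy, owned = Run(1, owner_id=None), Run(2, owner_id=7, is_private=True)  # constructed data
    for label, check, args in [("legacy run, anonymous", require_run_owner, (legacy, None)),
                               ("owned run, owner", require_run_owner, (owned, 7)),
                               ("private genlocke, other user", read_genlocke, (Genlocke(1, [owned]), 8))]:
        print(label, "->", outcome(check, *args))
```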
Reference: pokemon/nuzlocke-tracker#74