---
# nuzlocke-tracker-i0rn
title: Infer genlocke visibility from first leg's run
status: completed
type: feature
created_at: 2026-03-21T12:46:56Z
updated_at: 2026-03-21T12:46:56Z
---

## Problem

Genlockes are always public — they have no visibility setting. They should inherit visibility from their first leg's run, so if a user makes their run private, the genlocke is also hidden from public listings.

## Approach

Rather than adding a `visibility` column to the `genlockes` table, infer it from the first leg's run at query time. This avoids sync issues and keeps the first leg's run as the source of truth.

### Backend

- `list_genlockes` endpoint: filter out genlockes whose first leg's run is private (unless the requesting user is the owner)
- `get_genlocke` endpoint: return 404 if the first leg's run is private and the user is not the owner
- Add optional auth (not required) to genlocke read endpoints to check ownership

### Frontend

- No changes needed — private genlockes simply won't appear in listings for non-owners

## Files modified

- `backend/src/app/api/genlockes.py` — add visibility filtering to all read endpoints

## Checklist

- [x] Add `get_current_user` (optional auth) dependency to genlocke read endpoints
- [x] Filter private genlockes from `list_genlockes` for non-owners
- [x] Return 404 for private genlockes in `get_genlocke` for non-owners
- [x] Apply same filtering to graveyard, lineages, survivors, and retired-families endpoints
- [x] Test: private run's genlocke hidden from unauthenticated users
- [x] Test: owner can still see their private genlocke

## Summary of Changes

- Added `_is_genlocke_visible()` helper function to check visibility based on first leg's run
- Added optional auth (`get_current_user`) to all genlocke read endpoints:
  - `list_genlockes`: filters out private genlockes for non-owners
  - `get_genlocke`: returns 404 for private genlockes to non-owners
  - `get_genlocke_graveyard`: returns 404 for private genlockes
  - `get_genlocke_lineages`: returns 404 for private genlockes
  - `get_leg_survivors`: returns 404 for private genlockes
  - `get_retired_families`: returns 404 for private genlockes
- Added 9 new tests in `TestGenlockeVisibility` class covering:
  - Private genlockes hidden from unauthenticated list
  - Private genlockes visible to owner in list
  - 404 for all detail endpoints when accessed by unauthenticated users
  - 404 for private genlockes when accessed by different authenticated user
  - Owner can still access their private genlocke
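
The visibility rule from the Approach section, modelled in plain Python as an added example; it is not the project's `_is_genlocke_visible()` helper or its endpoint code. The `Run`, `Genlocke`, `NotFound` and `STORE` names are hypothetical, and two behaviours are assumptions the ticket does not state: the owner is taken to be the owner of the first leg's run, and a genlocke with no legs is hidden.

```python
from dataclasses import dataclass, field
from typing import Optional


class NotFound(Exception):
    """Stands in for the HTTP 404 response."""


@dataclass
class Run:
    owner_id: int
    visibility: str  # "public" or "private"


@dataclass
class Genlocke:
    id: int
    legs: list = field(default_factory=list)  # runs, ordered by leg


def is_visible(genlocke, user_id: Optional[int]) -> bool:
    """Visibility is inferred from the first leg's run, not stored."""
    if not genlocke.legs:
        return False  # assumption: no first leg means hidden (fail closed)
    first = genlocke.legs[0]
    if first.visibility == "public":
        return True
    # Any non-public value is treated as private: owner only.
    return user_id is not None and user_id == first.owner_id


def list_genlockes(store, user_id=None):
    return [g for g in store.values() if is_visible(g, user_id)]


def get_genlocke(store, genlocke_id, user_id=None):
    g = store.get(genlocke_id)
    # Missing and hidden genlockes raise the same NotFound (same 404).
    if g is None or not is_visible(g, user_id):
        raise NotFound(genlocke_id)
    return g


# Constructed sample data: genlocke 2's first leg is private.
STORE = {
    1: Genlocke(1, [Run(10, "public")]),
    2: Genlocke(2, [Run(10, "private"), Run(10, "public")]),
}
```

Passing `user_id=None` models the optional-auth case where no user is logged in; later legs being public does not expose a genlocke whose first leg is private.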