---
# nuzlocke-tracker-f4d0
title: Add require_admin dependency and protect admin endpoints
status: todo
type: task
priority: normal
created_at: 2026-03-21T10:06:19Z
updated_at: 2026-03-21T10:06:24Z
parent: nuzlocke-tracker-ce4o
blocked_by:
    - nuzlocke-tracker-dwah
---

Add a `require_admin` FastAPI dependency that checks the `is_admin` column on the `users` table. Apply it to all admin-facing API endpoints (games CRUD, pokemon CRUD, evolutions CRUD, bosses CRUD, route CRUD).

## Checklist

- [ ] Add `require_admin` dependency in `backend/src/app/core/auth.py` that:
  - Requires authentication (reuses `require_auth`)
  - Looks up the user in the `users` table by `AuthUser.id`
  - Returns 403 if `is_admin` is not `True`
- [ ] Apply `require_admin` to write endpoints in: `games.py`, `pokemon.py`, `evolutions.py`, `bosses.py` (all POST/PUT/PATCH/DELETE)
- [ ] Keep read endpoints (GET) accessible to all authenticated users
- [ ] Add tests for 403 response when non-admin user hits admin endpoints

## Files to change

- `backend/src/app/core/auth.py` — add `require_admin`
- `backend/src/app/api/games.py` — replace `require_auth` with `require_admin` on mutations
- `backend/src/app/api/pokemon.py` — same
- `backend/src/app/api/evolutions.py` — same  
- `backend/src/app/api/bosses.py` — same