pokemon/nuzlocke-tracker
1
1
Fork 0
Code Issues Pull Requests 10 Actions Packages Projects Releases Wiki Activity
Files
renovate/tanstack-react-query-5.x
nuzlocke-tracker/.beans/nuzlocke-tracker-i2va--hide-edit-controls-for-non-owners-in-frontend.md
Julian Tabel 118dbcafd9 chore: mark bean nuzlocke-tracker-i2va as completed 
Work was already committed (3bd24fc) and merged to develop.
Crash recovery bean nuzlocke-tracker-ks9c also resolved.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-22 10:03:22 +01:00

2.2 KiB
Raw Permalink Blame History

title, status, type, priority, tags, created_at, updated_at, parent, blocked_by
title status type priority tags created_at updated_at parent blocked_by
Hide edit controls for non-owners in frontend completed bug critical
failed
2026-03-21T12:18:38Z 2026-03-22T09:03:08Z nuzlocke-tracker-wwnu
nuzlocke-tracker-73ba

Problem

RunEncounters.tsx has NO auth checks — all edit buttons (encounter modals, boss defeat, status changes, end run, shiny encounters, egg encounters, transfers, HoF team) are always visible, even to logged-out users viewing a public run.

RunDashboard.tsx has canEdit = isOwner || !run?.owner (line 70) which means unowned legacy runs are editable by anyone, including logged-out users.

Approach

  1. Add useAuth and canEdit logic to RunEncounters.tsx, matching the pattern from RunDashboard.tsx but stricter: canEdit = isOwner (no fallback for unowned runs)
  2. Update RunDashboard.tsx line 70 to canEdit = isOwner (remove || !run?.owner)
  3. Conditionally render all mutation UI elements based on canEdit:
    • Encounter create/edit modals and triggers
    • Boss defeat buttons
    • Status change / End run buttons
    • Shiny encounter / Egg encounter modals
    • Transfer modal
    • HoF team modal
    • Visibility settings toggle
  4. Show a read-only banner when viewing someone else's run

Checklist

  • Add useAuth import and canEdit logic to RunEncounters.tsx
  • Guard all mutation triggers in RunEncounters.tsx behind canEdit
  • Update RunDashboard.tsx canEdit to be isOwner only (no unowned fallback)
  • Guard all mutation triggers in RunDashboard.tsx behind canEdit
  • Add read-only indicator/banner for non-owner viewers
  • Verify logged-out users see no edit controls on public runs

Summary of Changes

  • Added useAuth hook and canEdit = isOwner logic to RunEncounters.tsx
  • Updated RunDashboard.tsx to use strict canEdit = isOwner (removed unowned fallback)
  • All mutation UI elements (encounter modals, boss defeat buttons, status changes, end run, shiny/egg encounters, transfers, HoF team, visibility toggle) are now conditionally rendered based on canEdit
  • Added read-only banner for non-owner viewers in both pages

Committed in 3bd24fc and merged to develop.

Reference in New Issue View Git Blame Copy Permalink