nuzlocke-tracker/.beans/nuzlocke-tracker-i2va--hide-edit-controls-for-non-owners-in-frontend.md
Julian Tabel 3bd24fcdb0 fix: hide edit controls for non-owners in frontend
- Add useAuth and canEdit logic to RunEncounters.tsx
- Guard all mutation triggers (Log Shiny, Log Egg, End Run, Randomize All,
  HoF Edit, Boss Battle, route/team clicks, Advance to Next Leg)
- Update RunDashboard.tsx canEdit to be isOwner only (no unowned fallback)
- Add read-only banner for non-owner viewers in both pages

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-21 13:33:04 +01:00


title: Hide edit controls for non-owners in frontend
status: in-progress
type: bug
priority: critical
created_at: 2026-03-21T12:18:38Z
updated_at: 2026-03-21T12:32:45Z
parent: nuzlocke-tracker-wwnu
blocked_by: nuzlocke-tracker-73ba

Problem

RunEncounters.tsx has NO auth checks — all edit buttons (encounter modals, boss defeat, status changes, end run, shiny encounters, egg encounters, transfers, HoF team) are always visible, even to logged-out users viewing a public run.

RunDashboard.tsx has canEdit = isOwner || !run?.owner (line 70), which means unowned legacy runs are editable by anyone, including logged-out users.

Approach

  1. Add useAuth and canEdit logic to RunEncounters.tsx, matching the pattern from RunDashboard.tsx but stricter: canEdit = isOwner (no fallback for unowned runs)
  2. Update RunDashboard.tsx line 70 to canEdit = isOwner (remove || !run?.owner)
  3. Conditionally render all mutation UI elements based on canEdit:
    • Encounter create/edit modals and triggers
    • Boss defeat buttons
    • Status change / End run buttons
    • Shiny encounter / Egg encounter modals
    • Transfer modal
    • HoF team modal
    • Visibility settings toggle
  4. Show a read-only banner when viewing someone else's run
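
The canEdit change from steps 1 and 2, worked through as an added example (not code from the repository). The `User` and `Run` shapes, the function names and the way `isOwner` is derived are assumptions; the sample users and runs are constructed.

```typescript
// Assumed shapes; the project's real types may differ.
interface User { id: string }
interface Run { id: number; owner: { id: string } | null }

// Old pattern from the ticket: canEdit = isOwner || !run?.owner
function canEditLegacy(user: User | null, run: Run | undefined): boolean {
  const isOwner = !!user && !!run?.owner && user.id === run.owner.id;
  return isOwner || !run?.owner; // also true while run is still undefined
}

// Pitfall: deriving isOwner by comparing two optional chains.
// undefined === undefined is true for a logged-out viewer of an unowned run.
function canEditNaive(user: User | null, run: Run | undefined): boolean {
  return user?.id === run?.owner?.id;
}

// Fixed pattern: canEdit = isOwner, with both sides required to exist.
function canEditStrict(user: User | null, run: Run | undefined): boolean {
  if (!user || !run?.owner) return false;
  return user.id === run.owner.id;
}

// Constructed sample data.
const alice: User = { id: "u-alice" };
const bob: User = { id: "u-bob" };
const owned: Run = { id: 1, owner: { id: "u-alice" } };
const unowned: Run = { id: 2, owner: null };

const cases: { name: string; user: User | null; run: Run | undefined }[] = [
  { name: "owner / own run", user: alice, run: owned },
  { name: "other user / owned run", user: bob, run: owned },
  { name: "logged out / owned run", user: null, run: owned },
  { name: "logged out / unowned run", user: null, run: unowned },
  { name: "logged in / unowned run", user: bob, run: unowned },
  { name: "logged out / run loading", user: null, run: undefined },
];

// One row per viewer/run combination, one column per canEdit variant.
function matrix() {
  return cases.map((c) => ({
    name: c.name,
    legacy: canEditLegacy(c.user, c.run),
    naive: canEditNaive(c.user, c.run),
    strict: canEditStrict(c.user, c.run),
  }));
}

console.table(matrix());
```

Only the strict variant denies every case except the owner viewing their own run. It gates what is rendered; the request itself is still subject to whatever ownership check the API applies.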

Checklist

  • Add useAuth import and canEdit logic to RunEncounters.tsx
  • Guard all mutation triggers in RunEncounters.tsx behind canEdit
  • Update RunDashboard.tsx canEdit to be isOwner only (no unowned fallback)
  • Guard all mutation triggers in RunDashboard.tsx behind canEdit
  • Add read-only indicator/banner for non-owner viewers
  • Verify logged-out users see no edit controls on public runs