pokemon/nuzlocke-tracker
1
1
Fork 0
Code Issues Pull Requests 10 Actions Packages Projects Releases Wiki Activity
Files
100d2d72d0dee021790f3bf0927c5f5f4c7cd26b
nuzlocke-tracker/.beans/nuzlocke-tracker-5svj--expose-admin-status-to-frontend-via-user-api.md
Julian Tabel e8ded9184b
All checks were successful
CI / backend-tests (push) Successful in 32s
Details
CI / frontend-tests (push) Successful in 29s
Details
feat: auth-aware UI and role-based access control (#67) 
## Summary

- Add `is_admin` column to users table with Alembic migration and a `require_admin` FastAPI dependency that protects all admin-facing write endpoints (games, pokemon, evolutions, bosses, routes CRUD)
- Expose admin status to frontend via user API and update AuthContext to fetch/store `isAdmin` after login
- Make navigation menu auth-aware (different links for logged-out, logged-in, and admin users) and protect frontend routes with `ProtectedRoute` and `AdminRoute` components, preserving deep-linking through redirects
- Fix test reliability: `drop_all` before `create_all` to clear stale PostgreSQL enums from interrupted test runs
- Fix test auth: add `admin_client` fixture and use valid UUID for mock user so tests pass with new admin-protected endpoints

## Test plan

- [x] All 252 backend tests pass
- [ ] Verify non-admin users cannot access admin write endpoints (games, pokemon, evolutions, bosses CRUD)
- [ ] Verify admin users can access admin endpoints normally
- [ ] Verify navigation shows correct links for logged-out, logged-in, and admin states
- [ ] Verify `/admin/*` routes redirect non-admin users with a toast
- [ ] Verify `/runs/new` and `/genlockes/new` redirect unauthenticated users to login, then back after auth

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #67
Co-authored-by: Julian Tabel <juliantabel.jt@gmail.com>
Co-committed-by: Julian Tabel <juliantabel.jt@gmail.com>
2026-03-21 11:44:05 +01:00

1.4 KiB
Raw Blame History

title, status, type, priority, created_at, updated_at, parent, blocked_by
title status type priority created_at updated_at parent blocked_by
Expose admin status to frontend via user API completed task normal 2026-03-21T10:06:20Z 2026-03-21T10:23:04Z nuzlocke-tracker-ce4o
nuzlocke-tracker-dwah

The frontend needs to know if the current user is an admin so it can show/hide the Admin nav link and protect admin routes client-side.

Checklist

  • Add is_admin field to the user response schema (/api/users/me endpoint)
  • Update AuthContext to fetch /api/users/me after login and store isAdmin in context
  • Expose isAdmin boolean from useAuth() hook
  • Handle edge case: user exists in Supabase but not yet in local DB (first login creates user row with is_admin=false)

Files to change

  • backend/src/app/schemas/user.py or equivalent — add is_admin to response
  • backend/src/app/api/users.py — ensure /me returns is_admin
  • frontend/src/contexts/AuthContext.tsx — fetch and store admin status

Summary of Changes

Added isAdmin field to frontend auth system:

  • Backend: Added is_admin: bool = False to UserResponse schema in backend/src/app/api/users.py
  • Frontend: Updated AuthContext to fetch /api/users/me after login and expose isAdmin boolean
  • Edge case handled: syncUserProfile returns false if API call fails (new user auto-created with is_admin=false by backend)
Reference in New Issue View Git Blame Copy Permalink