Julian Tabel
da33c62d62
- Wrap /runs/new and /genlockes/new with ProtectedRoute (requires login) - Create AdminRoute component that checks isAdmin, redirects non-admins with a toast notification - Wrap all /admin/* routes with AdminRoute - Deep-linking preserved: unauthenticated users redirect to login, then back to the original protected route after auth Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1.5 KiB
1.5 KiB
title, status, type, priority, created_at, updated_at
| title | status | type | priority | created_at | updated_at |
|---|---|---|---|---|---|
| Auth-aware UI and role-based access control | completed | epic | normal | 2026-03-21T10:05:52Z | 2026-03-21T10:18:47Z |
The app currently shows the same navigation menu to all users regardless of auth state. Logged-out users can navigate to protected pages (e.g., /runs/new, /admin) even though the backend rejects their requests. The admin interface has no role restriction — any authenticated user can access it.
Goals
- Auth-aware navigation: Menu items change based on login state (logged-out users only see public browsing options)
- Route protection: Protected routes redirect to login, admin routes require admin role
- Admin role system: Define which users are admins via a database field, enforce on both frontend and backend
- Backend admin enforcement: Admin API endpoints (games, pokemon, evolutions, bosses, routes) require admin role, not just authentication
Success Criteria
- Logged-out users see only: Home, Runs (public list), Genlockes, Stats, Sign In
- Logged-out users cannot navigate to /runs/new, /genlockes/new, or /admin/*
- Logged-in non-admin users see: New Run, My Runs, Genlockes, Stats (no Admin link)
- Admin users see the full menu including Admin
- Backend admin endpoints return 403 for non-admin authenticated users
- Admin role is stored in the
userstable (is_adminboolean column) - Admin status is exposed to the frontend via the user API or auth context