pokemon/nuzlocke-tracker
1
1
Fork 0
Code Issues Pull Requests 10 Actions Packages Projects Releases Wiki Activity
Files
7ff271efba9c039446f26c0f55c1eb60734ceec8
nuzlocke-tracker/.beans/nuzlocke-tracker-f4d0--add-require-admin-dependency-and-protect-admin-end.md
Julian Tabel 7ff271efba chore(auth-aware-ui-and-role-based-access-control): Expose admin status to frontend via user API 
The frontend needs to know if the current user is an admin so it can show/hide the Admin nav link and protect admin routes client-side.

Bean: nuzlocke-tracker-5svj

chore: Update beans
2026-03-21 11:23:54 +01:00

2.1 KiB
Raw Blame History

title, status, type, priority, created_at, updated_at, parent, blocked_by
title status type priority created_at updated_at parent blocked_by
Add require_admin dependency and protect admin endpoints completed task normal 2026-03-21T10:06:19Z 2026-03-21T10:15:14Z nuzlocke-tracker-ce4o
nuzlocke-tracker-dwah

Add a require_admin FastAPI dependency that checks the is_admin column on the users table. Apply it to all admin-facing API endpoints (games CRUD, pokemon CRUD, evolutions CRUD, bosses CRUD, route CRUD).

Checklist

  • Add require_admin dependency in backend/src/app/core/auth.py that:
    • Requires authentication (reuses require_auth)
    • Looks up the user in the users table by AuthUser.id
    • Returns 403 if is_admin is not True
  • Apply require_admin to write endpoints in: games.py, pokemon.py, evolutions.py, bosses.py (all POST/PUT/PATCH/DELETE)
  • Keep read endpoints (GET) accessible to all authenticated users
  • Add tests for 403 response when non-admin user hits admin endpoints

Files to change

  • backend/src/app/core/auth.py — add require_admin
  • backend/src/app/api/games.py — replace require_auth with require_admin on mutations
  • backend/src/app/api/pokemon.py — same
  • backend/src/app/api/evolutions.py — same
  • backend/src/app/api/bosses.py — same

Summary of Changes

Added require_admin FastAPI dependency to backend/src/app/core/auth.py:

  • Depends on require_auth (returns 401 if not authenticated)
  • Looks up user in users table by UUID
  • Returns 403 if user not found or is_admin is not True

Applied require_admin to all admin-facing write endpoints:

  • games.py: POST/PUT/DELETE for games and routes
  • pokemon.py: POST/PUT/DELETE for pokemon and route encounters
  • evolutions.py: POST/PUT/DELETE for evolutions
  • bosses.py: POST/PUT/DELETE for game-scoped boss operations (run-scoped endpoints kept with require_auth)

Added tests in test_auth.py:

  • Unit tests for require_admin (admin user, non-admin user, user not in DB)
  • Integration tests for admin endpoint access (403 for non-admin, 201 for admin)
Reference in New Issue View Git Blame Copy Permalink