Julian Tabel
e8ded9184b
## Summary - Add `is_admin` column to users table with Alembic migration and a `require_admin` FastAPI dependency that protects all admin-facing write endpoints (games, pokemon, evolutions, bosses, routes CRUD) - Expose admin status to frontend via user API and update AuthContext to fetch/store `isAdmin` after login - Make navigation menu auth-aware (different links for logged-out, logged-in, and admin users) and protect frontend routes with `ProtectedRoute` and `AdminRoute` components, preserving deep-linking through redirects - Fix test reliability: `drop_all` before `create_all` to clear stale PostgreSQL enums from interrupted test runs - Fix test auth: add `admin_client` fixture and use valid UUID for mock user so tests pass with new admin-protected endpoints ## Test plan - [x] All 252 backend tests pass - [ ] Verify non-admin users cannot access admin write endpoints (games, pokemon, evolutions, bosses CRUD) - [ ] Verify admin users can access admin endpoints normally - [ ] Verify navigation shows correct links for logged-out, logged-in, and admin states - [ ] Verify `/admin/*` routes redirect non-admin users with a toast - [ ] Verify `/runs/new` and `/genlockes/new` redirect unauthenticated users to login, then back after auth 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: #67 Co-authored-by: Julian Tabel <juliantabel.jt@gmail.com> Co-committed-by: Julian Tabel <juliantabel.jt@gmail.com>
50 lines
2.1 KiB
Markdown
50 lines
2.1 KiB
Markdown
---
|
|
# nuzlocke-tracker-f4d0
|
|
title: Add require_admin dependency and protect admin endpoints
|
|
status: completed
|
|
type: task
|
|
priority: normal
|
|
created_at: 2026-03-21T10:06:19Z
|
|
updated_at: 2026-03-21T10:15:14Z
|
|
parent: nuzlocke-tracker-ce4o
|
|
blocked_by:
|
|
- nuzlocke-tracker-dwah
|
|
---
|
|
|
|
Add a `require_admin` FastAPI dependency that checks the `is_admin` column on the `users` table. Apply it to all admin-facing API endpoints (games CRUD, pokemon CRUD, evolutions CRUD, bosses CRUD, route CRUD).
|
|
|
|
## Checklist
|
|
|
|
- [x] Add `require_admin` dependency in `backend/src/app/core/auth.py` that:
|
|
- Requires authentication (reuses `require_auth`)
|
|
- Looks up the user in the `users` table by `AuthUser.id`
|
|
- Returns 403 if `is_admin` is not `True`
|
|
- [x] Apply `require_admin` to write endpoints in: `games.py`, `pokemon.py`, `evolutions.py`, `bosses.py` (all POST/PUT/PATCH/DELETE)
|
|
- [x] Keep read endpoints (GET) accessible to all authenticated users
|
|
- [x] Add tests for 403 response when non-admin user hits admin endpoints
|
|
|
|
## Files to change
|
|
|
|
- `backend/src/app/core/auth.py` — add `require_admin`
|
|
- `backend/src/app/api/games.py` — replace `require_auth` with `require_admin` on mutations
|
|
- `backend/src/app/api/pokemon.py` — same
|
|
- `backend/src/app/api/evolutions.py` — same
|
|
- `backend/src/app/api/bosses.py` — same
|
|
|
|
## Summary of Changes
|
|
|
|
Added `require_admin` FastAPI dependency to `backend/src/app/core/auth.py`:
|
|
- Depends on `require_auth` (returns 401 if not authenticated)
|
|
- Looks up user in `users` table by UUID
|
|
- Returns 403 if user not found or `is_admin` is not True
|
|
|
|
Applied `require_admin` to all admin-facing write endpoints:
|
|
- `games.py`: POST/PUT/DELETE for games and routes
|
|
- `pokemon.py`: POST/PUT/DELETE for pokemon and route encounters
|
|
- `evolutions.py`: POST/PUT/DELETE for evolutions
|
|
- `bosses.py`: POST/PUT/DELETE for game-scoped boss operations (run-scoped endpoints kept with `require_auth`)
|
|
|
|
Added tests in `test_auth.py`:
|
|
- Unit tests for `require_admin` (admin user, non-admin user, user not in DB)
|
|
- Integration tests for admin endpoint access (403 for non-admin, 201 for admin)
|