pokemon/nuzlocke-tracker
1
1
Fork 0
Code Issues Pull Requests 10 Actions Packages Projects Releases Wiki Activity
Files
c7259a429a65116c8fd763eee093c4f01c6d1def
nuzlocke-tracker/.beans/nuzlocke-tracker-f4d0--add-require-admin-dependency-and-protect-admin-end.md
Julian Tabel 2e66186fac feat: add require_admin dependency and protect admin endpoints 
Add require_admin FastAPI dependency that checks is_admin column on users
table. Apply it to all admin-facing write endpoints (games, pokemon,
evolutions, bosses, routes CRUD). Run-scoped endpoints remain protected
by require_auth only since they manage user's own data.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-21 11:14:55 +01:00

2.1 KiB
Raw Blame History

title, status, type, priority, created_at, updated_at, parent, blocked_by
title status type priority created_at updated_at parent blocked_by
Add require_admin dependency and protect admin endpoints in-progress task normal 2026-03-21T10:06:19Z 2026-03-21T10:14:36Z nuzlocke-tracker-ce4o
nuzlocke-tracker-dwah

Add a require_admin FastAPI dependency that checks the is_admin column on the users table. Apply it to all admin-facing API endpoints (games CRUD, pokemon CRUD, evolutions CRUD, bosses CRUD, route CRUD).

Checklist

  • Add require_admin dependency in backend/src/app/core/auth.py that:
    • Requires authentication (reuses require_auth)
    • Looks up the user in the users table by AuthUser.id
    • Returns 403 if is_admin is not True
  • Apply require_admin to write endpoints in: games.py, pokemon.py, evolutions.py, bosses.py (all POST/PUT/PATCH/DELETE)
  • Keep read endpoints (GET) accessible to all authenticated users
  • Add tests for 403 response when non-admin user hits admin endpoints

Files to change

  • backend/src/app/core/auth.py — add require_admin
  • backend/src/app/api/games.py — replace require_auth with require_admin on mutations
  • backend/src/app/api/pokemon.py — same
  • backend/src/app/api/evolutions.py — same
  • backend/src/app/api/bosses.py — same

Summary of Changes

Added require_admin FastAPI dependency to backend/src/app/core/auth.py:

  • Depends on require_auth (returns 401 if not authenticated)
  • Looks up user in users table by UUID
  • Returns 403 if user not found or is_admin is not True

Applied require_admin to all admin-facing write endpoints:

  • games.py: POST/PUT/DELETE for games and routes
  • pokemon.py: POST/PUT/DELETE for pokemon and route encounters
  • evolutions.py: POST/PUT/DELETE for evolutions
  • bosses.py: POST/PUT/DELETE for game-scoped boss operations (run-scoped endpoints kept with require_auth)

Added tests in test_auth.py:

  • Unit tests for require_admin (admin user, non-admin user, user not in DB)
  • Integration tests for admin endpoint access (403 for non-admin, 201 for admin)
Reference in New Issue View Git Blame Copy Permalink