nuzlocke-tracker/.beans/nuzlocke-tracker-i2va--hide-edit-controls-for-non-owners-in-frontend.md
Julian Tabel 118dbcafd9 chore: mark bean nuzlocke-tracker-i2va as completed
Work was already committed (3bd24fc) and merged to develop.
Crash recovery bean nuzlocke-tracker-ks9c also resolved.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-22 10:03:22 +01:00


---
# nuzlocke-tracker-i2va
title: Hide edit controls for non-owners in frontend
status: completed
type: bug
priority: critical
tags:
- failed
created_at: 2026-03-21T12:18:38Z
updated_at: 2026-03-22T09:03:08Z
parent: nuzlocke-tracker-wwnu
blocked_by:
- nuzlocke-tracker-73ba
---
## Problem
`RunEncounters.tsx` has NO auth checks — all edit buttons (encounter modals, boss defeat, status changes, end run, shiny encounters, egg encounters, transfers, HoF team) are always visible, even to logged-out users viewing a public run.
`RunDashboard.tsx` has `canEdit = isOwner || !run?.owner` (line 70) which means unowned legacy runs are editable by anyone, including logged-out users.
## Approach
1. Add `useAuth` and `canEdit` logic to `RunEncounters.tsx`, matching the pattern from `RunDashboard.tsx` but stricter: `canEdit = isOwner` (no fallback for unowned runs)
2. Update `RunDashboard.tsx` line 70 to `canEdit = isOwner` (remove `|| !run?.owner`)
3. Conditionally render all mutation UI elements based on `canEdit`:
- Encounter create/edit modals and triggers
- Boss defeat buttons
- Status change / End run buttons
- Shiny encounter / Egg encounter modals
- Transfer modal
- HoF team modal
- Visibility settings toggle
4. Show a read-only banner when viewing someone else's run
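The two rules the approach above contrasts, as an added example that is not code from the nuzlocke-tracker repository: `legacyCanEdit` reproduces the `isOwner || !run?.owner` check the Problem section describes, `strictCanEdit` is the `canEdit = isOwner` rule the steps call for, and `renderControls` shows how the page's mutation triggers and the read-only banner hang off that single boolean. The `Run` and `AuthUser` shapes, the control names, and the function names are assumptions made for illustration.

```typescript
// Added example, not the project's code. The types and control names below
// are assumptions chosen to model the owner check described in the bean.

interface Run {
  id: string;
  owner?: string;   // owning user id; absent on legacy runs created before ownership existed
  isPublic: boolean;
}

interface AuthUser {
  id: string;
}

// Legacy rule as described for RunDashboard.tsx: canEdit = isOwner || !run?.owner.
// An unowned run (or no run at all) is editable by anyone, logged in or not.
function legacyCanEdit(run: Run | undefined, user: AuthUser | null): boolean {
  const isOwner = !!run && !!user && run.owner === user.id;
  return isOwner || !run?.owner;
}

// Strict rule: canEdit = isOwner only. No viewer without a session and no
// viewer of an unowned legacy run ever sees edit controls.
function strictCanEdit(run: Run | undefined, user: AuthUser | null): boolean {
  if (!run || !user || !run.owner) return false;
  return run.owner === user.id;
}

// The mutation triggers listed in the bean (names are illustrative).
const MUTATION_CONTROLS = [
  "encounter-modal",
  "boss-defeat",
  "status-change",
  "end-run",
  "shiny-encounter",
  "egg-encounter",
  "transfer",
  "hof-team",
  "visibility-toggle",
] as const;

type ControlId = (typeof MUTATION_CONTROLS)[number];

interface RenderedControls {
  controls: ControlId[];   // triggers the page would render for this viewer
  readOnlyBanner: boolean; // true when the viewer is not the owner
}

type EditRule = (run: Run | undefined, user: AuthUser | null) => boolean;

// What a page renders for a given viewer: every mutation trigger when the
// rule grants canEdit, otherwise none of them plus the read-only banner.
function renderControls(
  run: Run | undefined,
  user: AuthUser | null,
  rule: EditRule = strictCanEdit,
): RenderedControls {
  const canEdit = rule(run, user);
  return {
    controls: canEdit ? [...MUTATION_CONTROLS] : [],
    readOnlyBanner: !canEdit,
  };
}

// Constructed sample data: an unowned legacy run and a run owned by "alice".
const legacyRun: Run = { id: "run-legacy", isPublic: true };
const ownedRun: Run = { id: "run-owned", owner: "alice", isPublic: true };
const alice: AuthUser = { id: "alice" };
const bob: AuthUser = { id: "bob" };
```

Gating the UI this way removes the controls a non-owner was never meant to see, but it only decides what the browser draws; the request handlers behind each of those triggers still have to apply the same owner check, since anyone can issue the underlying calls without the buttons.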
## Checklist
- [x] Add `useAuth` import and `canEdit` logic to `RunEncounters.tsx`
- [x] Guard all mutation triggers in `RunEncounters.tsx` behind `canEdit`
- [x] Update `RunDashboard.tsx` `canEdit` to be `isOwner` only (no unowned fallback)
- [x] Guard all mutation triggers in `RunDashboard.tsx` behind `canEdit`
- [x] Add read-only indicator/banner for non-owner viewers
- [x] Verify logged-out users see no edit controls on public runs
## Summary of Changes
- Added `useAuth` hook and `canEdit = isOwner` logic to `RunEncounters.tsx`
- Updated `RunDashboard.tsx` to use strict `canEdit = isOwner` (removed unowned fallback)
- All mutation UI elements (encounter modals, boss defeat buttons, status changes, end run, shiny/egg encounters, transfers, HoF team, visibility toggle) are now conditionally rendered based on `canEdit`
- Added read-only banner for non-owner viewers in both pages
Committed in `3bd24fc` and merged to `develop`.