29 lines
1.5 KiB
Markdown
29 lines
1.5 KiB
Markdown
---
|
|
# nuzlocke-tracker-ce4o
|
|
title: Auth-aware UI and role-based access control
|
|
status: completed
|
|
type: epic
|
|
priority: normal
|
|
created_at: 2026-03-21T10:05:52Z
|
|
updated_at: 2026-03-21T10:18:47Z
|
|
---
|
|
|
|
The app currently shows the same navigation menu to all users regardless of auth state. Logged-out users can navigate to protected pages (e.g., /runs/new, /admin) even though the backend rejects their requests. The admin interface has no role restriction — any authenticated user can access it.
|
|
|
|
## Goals
|
|
|
|
1. **Auth-aware navigation**: Menu items change based on login state (logged-out users only see public browsing options)
|
|
2. **Route protection**: Protected routes redirect to login, admin routes require admin role
|
|
3. **Admin role system**: Define which users are admins via a database field, enforce on both frontend and backend
|
|
4. **Backend admin enforcement**: Admin API endpoints (games, pokemon, evolutions, bosses, routes) require admin role, not just authentication
|
|
|
|
## Success Criteria
|
|
|
|
- [ ] Logged-out users see only: Home, Runs (public list), Genlockes, Stats, Sign In
|
|
- [x] Logged-out users cannot navigate to /runs/new, /genlockes/new, or /admin/*
|
|
- [ ] Logged-in non-admin users see: New Run, My Runs, Genlockes, Stats (no Admin link)
|
|
- [ ] Admin users see the full menu including Admin
|
|
- [x] Backend admin endpoints return 403 for non-admin authenticated users
|
|
- [ ] Admin role is stored in the `users` table (`is_admin` boolean column)
|
|
- [x] Admin status is exposed to the frontend via the user API or auth context
|