nuzlocke-tracker/.beans/nuzlocke-tracker-f4d0--add-require-admin-dependency-and-protect-admin-end.md at f7731b0497934839f489662d3794c2363adc2da1

pokemon/nuzlocke-tracker

Fork 0

Files

Julian Tabel f7731b0497

CI / backend-tests (push) Failing after 31s

Details

CI / frontend-tests (push) Successful in 29s

Details

Fix local login flow, add new auth epic

2026-03-21 11:06:53 +01:00

1.3 KiB

Raw Blame History

title, status, type, priority, created_at, updated_at, parent, blocked_by

title

status

type

priority

created_at

updated_at

parent

blocked_by

Add require_admin dependency and protect admin endpoints

todo

task

normal

2026-03-21T10:06:19Z

2026-03-21T10:06:24Z

nuzlocke-tracker-ce4o

nuzlocke-tracker-dwah

Add a require_admin FastAPI dependency that checks the is_admin column on the users table. Apply it to all admin-facing API endpoints (games CRUD, pokemon CRUD, evolutions CRUD, bosses CRUD, route CRUD).

Checklist

Add require_admin dependency in backend/src/app/core/auth.py that:
- Requires authentication (reuses require_auth)
- Looks up the user in the users table by AuthUser.id
- Returns 403 if is_admin is not True
Apply require_admin to write endpoints in: games.py, pokemon.py, evolutions.py, bosses.py (all POST/PUT/PATCH/DELETE)
Keep read endpoints (GET) accessible to all authenticated users
Add tests for 403 response when non-admin user hits admin endpoints

Files to change

backend/src/app/core/auth.py — add require_admin
backend/src/app/api/games.py — replace require_auth with require_admin on mutations
backend/src/app/api/pokemon.py — same
backend/src/app/api/evolutions.py — same
backend/src/app/api/bosses.py — same

1.3 KiB Raw Blame History

Checklist

Files to change

1.3 KiB

Raw Blame History