From ddefc8424b6c59c8aa350d9c8fc6aa1516c82d4f Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 27 Apr 2026 05:13:27 +0800
Subject: [PATCH] fix: hide bounty admin actions from unauthorized users
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Alternative fix for #238 — adds :if={@current_user_role in [:admin, :mod]} to each admin button individually instead of wrapping the parent div. This ensures the permission check is explicit at the button level, matching the backend authorization logic in handle_event handlers.
---
 lib/algora_web/live/org/bounties_live.ex | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/algora_web/live/org/bounties_live.ex b/lib/algora_web/live/org/bounties_live.ex
index 9dccffbd2..a72977637 100644
--- a/lib/algora_web/live/org/bounties_live.ex
+++ b/lib/algora_web/live/org/bounties_live.ex
@@ -222,6 +222,7 @@ defmodule AlgoraWeb.Org.BountiesLive do
<.button
+ :if={@current_user_role in [:admin, :mod]}
 phx-click="edit-bounty-amount"
 phx-value-id={bounty.id}
 variant="secondary"
@@ -230,6 +231,7 @@ defmodule AlgoraWeb.Org.BountiesLive do
 Edit Amount
 <.button
+ :if={@current_user_role in [:admin, :mod]}
 phx-click="delete-bounty"
 phx-value-id={bounty.id}
 variant="destructive"
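Review bot: The `:if={@current_user_role in [:admin, :mod]}` added to the `edit-bounty-amount` button, and again to the `delete-bounty` button in the second hunk, only removes the controls from the rendered markup; a connected client can still push those two events over the LiveView socket. The description says the `handle_event` handlers carry the matching check, but they are not part of this diff, so that should be confirmed, ideally with a LiveView test that sends both events as a non-admin member and asserts they are refused. The role list is now written out twice in the template; a single helper such as `defp can_manage_bounties?(role), do: role in [:admin, :mod]`, used by both buttons and by the handlers, would keep the view and the server-side check from drifting apart. Whether `@current_user_role` is assigned on every mount path cannot be seen from here, and both `<.button` tags continue outside the hunks.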