From 084cc58df057549c1897da3a8d51cf5fc60115fc Mon Sep 17 00:00:00 2001
From: shiyi <yihangwu539@gmail.com>
Date: Sat, 2 May 2026 14:54:06 +0800
Subject: [PATCH 1/2] fix: hide Edit/Delete bounty buttons from unauthorized
 users (#238)

Add `:if={@current_user_role in [:admin, :mod]}` condition to the
"Edit Amount" and "Delete" buttons in the org bounties listing page.
The backend already rejects unauthorized requests, but the buttons
should not be rendered at all for users who can't use them.
---
 lib/algora_web/live/org/bounties_live.ex | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/algora_web/live/org/bounties_live.ex b/lib/algora_web/live/org/bounties_live.ex
index 9dccffbd2..a72977637 100644
--- a/lib/algora_web/live/org/bounties_live.ex
+++ b/lib/algora_web/live/org/bounties_live.ex
@@ -222,6 +222,7 @@ defmodule AlgoraWeb.Org.BountiesLive do
                     <td class="[&:has([role=checkbox])]:pr-0 p-4 align-middle">
                       <div class="flex items-center justify-end gap-2">
                         <.button
+                          :if={@current_user_role in [:admin, :mod]}
                           phx-click="edit-bounty-amount"
                           phx-value-id={bounty.id}
                           variant="secondary"
@@ -230,6 +231,7 @@ defmodule AlgoraWeb.Org.BountiesLive do
                           Edit Amount
                         </.button>
                         <.button
+                          :if={@current_user_role in [:admin, :mod]}
                           phx-click="delete-bounty"
                           phx-value-id={bounty.id}
                           variant="destructive"

From 416709033d5b7d8622e77a13c99936e6be639aa4 Mon Sep 17 00:00:00 2001
From: shiyi <yihangwu539@gmail.com>
Date: Sat, 2 May 2026 14:54:41 +0800
Subject: [PATCH 2/2] fix: respect user opt_out_algora flag before sending
 recruitment emails (#241)

Check the user's `opt_out_algora` flag before scheduling job match
notification emails. Users who have explicitly opted out should not
receive recruitment spam from the platform.
---
 lib/algora/cloud.ex | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/lib/algora/cloud.ex b/lib/algora/cloud.ex
index 87ec69b98..243401b19 100644
--- a/lib/algora/cloud.ex
+++ b/lib/algora/cloud.ex
@@ -1,6 +1,10 @@
 defmodule Algora.Cloud do
   @moduledoc false
 
+  alias Algora.Repo
+  alias Algora.Accounts.User
+  alias Algora.Matches.JobMatch
+
   def top_contributions(github_handles) do
     call(AlgoraCloud, :top_contributions, [github_handles], [])
   end
@@ -46,9 +50,18 @@ defmodule Algora.Cloud do
   end
 
   def notify_match(attrs) do
-    # call(AlgoraCloud.Talent.Jobs.SendJobMatchEmail, :send, [attrs])
-    match = Algora.Repo.get_by(Algora.Matches.JobMatch, user_id: attrs.user_id, job_posting_id: attrs.job_posting_id)
-    call(AlgoraCloud.EmailScheduler, :schedule_email, [:job_drip, match.id], {:ok, :skipped})
+    match = Repo.get_by(JobMatch, user_id: attrs.user_id, job_posting_id: attrs.job_posting_id)
+
+    if match && !user_opted_out?(match.user_id) do
+      call(AlgoraCloud.EmailScheduler, :schedule_email, [:job_drip, match.id], {:ok, :skipped})
+    else
+      {:ok, :skipped}
+    end
+  end
+
+  defp user_opted_out?(user_id) do
+    user = Repo.get(User, user_id)
+    user && user.opt_out_algora
   end
 
   def notify_candidate_like(_attrs) do