fix: hide unauthorized bounty action buttons (#238) #257

Open
minhduytran wants to merge 3 commits into algora-io:main from minhduytran:fix/unauthorized-bounty-actions-visibility-238

@minhduytran

Summary

On the bounties listing page, the 'Edit Amount' and 'Delete' buttons, as well as the 'Edit Amount' Drawer, were being rendered for all users regardless of their permissions. While the backend correctly prevented these actions, the UI was misleading.

This PR implements a 'Zero Compromise' fix by:

  1. Using the Member authorization module to check for can_edit_bounty? and can_delete_bounty? permissions.
  2. Hiding action buttons in the UI for unauthorized users.
  3. Protecting the 'Edit Amount' Drawer from being rendered/accessed by unauthorized users.
  4. Adding an extra layer of server-side authorization in handle_event to default-deny unauthorized requests.

Test plan

  1. Log in as a non-admin/mod user.
  2. Navigate to an organization's bounties page.
  3. Verify that the 'Edit Amount'/'Delete' buttons and the Edit Drawer are no longer visible.
  4. Log in as an admin/mod user and verify full functionality.

Fixes #238

🤖 Generated with Claude Code
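
The pattern the description lists (shared permission predicates, hidden action buttons, and a default-deny check in handle_event), shown as an added example that is not code from this PR or from Algora. Only the predicate names can_edit_bounty? and can_delete_bounty? and the admin/mod roles come from the description; the Example.* modules, the "delete_bounty" event name, the :viewer role and the plain map standing in for the LiveView socket are assumptions.

```elixir
# Added illustration; module, event and field names are assumptions, not Algora's code.
defmodule Example.Member do
  # Roles allowed to manage bounties (the PR text names admin and mod).
  @manager_roles [:admin, :mod]

  # Default-deny: only a known manager role matches; nil, missing or
  # unknown roles fall through to false.
  def can_edit_bounty?(role) when role in @manager_roles, do: true
  def can_edit_bounty?(_role), do: false

  def can_delete_bounty?(role) when role in @manager_roles, do: true
  def can_delete_bounty?(_role), do: false
end

defmodule Example.BountiesLive do
  alias Example.Member

  # UI layer: which action buttons the template should render for this role.
  def visible_actions(role) do
    [edit_amount: Member.can_edit_bounty?(role), delete: Member.can_delete_bounty?(role)]
    |> Enum.filter(fn {_action, allowed?} -> allowed? end)
    |> Keyword.keys()
  end

  # Server layer: same shape as a LiveView handle_event/3 callback, with a plain
  # map standing in for the socket. The role is read from server-side state,
  # never from the client-supplied params.
  def handle_event("delete_bounty", %{"id" => id}, %{role: role} = socket) do
    if Member.can_delete_bounty?(role) do
      {:noreply, Map.update!(socket, :bounties, &Map.delete(&1, id))}
    else
      {:noreply, Map.put(socket, :flash, "not authorized")}
    end
  end

  # Any event or state shape not explicitly handled above is rejected.
  def handle_event(_event, _params, socket) do
    {:noreply, Map.put(socket, :flash, "not authorized")}
  end
end

# Constructed sample state: a viewer whose client sends the event anyway.
socket = %{role: :viewer, bounties: %{"b1" => 100}, flash: nil}
{:noreply, denied} = Example.BountiesLive.handle_event("delete_bounty", %{"id" => "b1"}, socket)
IO.inspect({Example.BountiesLive.visible_actions(:viewer), denied.bounties, denied.flash})

{:noreply, allowed} = Example.BountiesLive.handle_event("delete_bounty", %{"id" => "b1"}, %{socket | role: :mod})
IO.inspect({Example.BountiesLive.visible_actions(:mod), allowed.bounties})
```

Because the template and the event handler call the same predicates, a role change cannot leave the buttons and the server check out of step.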

Hide 'Edit Amount' and 'Delete' buttons on the organization bounties page
for users without admin or mod roles to improve UX and prevent confusion.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
@CLAassistant

CLAassistant commented May 13, 2026

CLA assistant check
All committers have signed the CLA.

minhtdC98 added 2 commits May 13, 2026 16:58
Correct UTF-8 encoding for the bounty label emoji which was mangled
during the previous file write operation.
Extend 'Zero Compromise' security model to BountiesNewLive and BountyLive components. Refactor authorization predicates into Algora.Organizations.Member domain for a single source of truth.

Development

Successfully merging this pull request may close these issues.

[UI Bug] Unauthorized 'Edit' and 'Delete' buttons visible on /bounties page