feat(access-control): Restrict machine creation to admins #875
Conversation
Restricts the ability to create new pinball machines to users with the 'admin' role. This is implemented by: - Adding a server-side check in the `createMachineAction` to ensure the user is an admin. - Conditionally rendering the "Add Machine" button on the machines list page based on the user's role. - Adding a server-side redirect on the new machine page to prevent non-admins from accessing it directly. Co-authored-by: timothyfroehlich <5819722+timothyfroehlich@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Pull request overview
Restricts machine creation to admin users by enforcing role checks in the server action and guarding related UI/routes.
Changes:
- Enforced admin-only authorization in
createMachineAction(reject non-admins withUNAUTHORIZED). - Hid “Add Machine” entry points on the machines list page for non-admin users.
- Added a server-side redirect guard on
/m/newfor non-admin users and updated the unit test to use an admin role.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/app/(app)/m/actions.ts | Adds an explicit admin role check before allowing machine creation; simplifies owner resolution since caller is guaranteed admin. |
| src/app/(app)/m/page.tsx | Fetches current user role and conditionally renders “Add Machine” UI only for admins (including empty state). |
| src/app/(app)/m/new/page.tsx | Redirects non-admin users away from the new machine page before loading admin-only data. |
| src/test/unit/machine-actions.test.ts | Updates the create-machine success test to reflect new admin-only behavior. |
Comments suppressed due to low confidence (1)
src/test/unit/machine-actions.test.ts:123
- The new admin-only guard in
createMachineActionisn’t covered by tests. This suite only verifies the admin success path; please add a test asserting that a non-admin (e.g.,role: "member") receives anUNAUTHORIZEDresult and that no insert is attempted (and optionally thatlog.warnis called).
it("should successfully create a machine", async () => {
// Mock profile found
vi.mocked(db.query.userProfiles.findFirst).mockResolvedValue({
role: "admin",
} as any);
// Mock successful insert
const mockMachine = { id: "machine-123", initials: "MM" };
chain.returning.mockResolvedValue([mockMachine]);
const formData = new FormData();
formData.append("name", "Medieval Madness");
formData.append("initials", "MM");
try {
await createMachineAction(initialState, formData);
} catch (e: any) {
expect(e.message).toBe("NEXT_REDIRECT");
}
expect(db.insert).toHaveBeenCalled();
expect(chain.values).toHaveBeenCalledWith(
expect.objectContaining({
name: "Medieval Madness",
initials: "MM",
ownerId: mockUser.id,
})
);
});
This change restricts machine creation to admin users only. It secures the server action, hides the "Add Machine" button from non-admins, and adds a redirect to the new machine page to prevent direct access.
Fixes #854
PR created automatically by Jules for task 16764075703825932791 started by @timothyfroehlich