
fix: hide Edit/Delete buttons for non-admin users on bounties page #271

Open
shengtenghou4-star wants to merge 6 commits into algora-io:main from shengtenghou4-star:fix/bounty-permission-check

Conversation


@shengtenghou4-star shengtenghou4-star commented May 18, 2026

Summary

Fix 7 bugs reported by users:

  1. [UI Bug] Unauthorized 'Edit' and 'Delete' buttons visible on /bounties page #238 - UI Bug: Hide Edit/Delete buttons for non-admin users on bounties page
  2. bug: unable to login to account #183 - Bug: Redirect to /home when last_context references non-existent user (GitHub username change)
  3. subdomain Enumeration via side channel alerting security bug which is critical #201 - Security: Lower alert severity from :critical to :info to prevent subdomain enumeration spam
  4. feature Request: Show Time Information on Bounties #175 - Feature: Show time info ('posted X ago') on bounty list items
  5. github bot reposts bounty comment each time a comment is edited #141 - Bug: Bot re-processes /attempt commands when comments are edited, causing duplicate responses
  6. Unable to withdraw job application #171 - Feature: Add withdraw functionality for job applications
  7. Confusing/incorrect number of bounties per prog. language #173 - Bug: Fix incorrect tech stack count on bounties page

Changes

  • lib/algora_web/live/org/bounties_live.ex: Add permission check for Edit/Delete buttons
  • lib/algora_web/controllers/user_auth.ex: Validate handle exists before redirect
  • lib/algora_web/endpoint.ex: Change alert severity to :info
  • lib/algora_web/components/bounties.ex: Add time_ago display
  • lib/algora_web/controllers/webhooks/github_controller.ex: Only process /attempt on comment creation
  • lib/algora/jobs/jobs.ex: Add withdraw_application function
  • lib/algora_web/live/jobs_live.ex: Add withdraw_job event handler and button

Test plan

Fixes #238
Fixes #183
Fixes #201
Fixes #175
Fixes #141
Fixes #171
Fixes #173
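The first item above, hiding Edit/Delete for non-admin viewers, is the kind of change where the rendering condition and the server-side event guard must agree: a LiveView client can push a `phx-click` event over the socket whether or not the button was rendered, so the template check alone is a UX measure. The following is an added example (not Algora's code) of that pattern in Phoenix LiveView; the `current_user_role` assign, the `can_manage_bounty?/1` helper, the `:viewer` default and the sample bounties are assumptions made for this illustration:

```elixir
defmodule ExampleWeb.BountiesLive do
  # Added example, not Algora's code. `current_user_role`, `can_manage_bounty?/1`
  # and the sample bounties are assumed names / constructed data.
  use Phoenix.LiveView

  @manager_roles [:admin, :mod]

  # One predicate decides both what is rendered and what is accepted.
  def can_manage_bounty?(role) when role in @manager_roles, do: true
  def can_manage_bounty?(_role), do: false

  def mount(_params, session, socket) do
    # Constructed data standing in for the org's bounty query.
    bounties = [
      %{id: 1, title: "Fix flaky CI job", amount: 200},
      %{id: 2, title: "Add webhook retries", amount: 500}
    ]

    {:ok,
     assign(socket,
       bounties: bounties,
       # Assumed: the role was resolved at login and stored in the session.
       current_user_role: Map.get(session, "role", :viewer)
     )}
  end

  def render(assigns) do
    ~H"""
    <ul>
      <li :for={bounty <- @bounties} id={"bounty-#{bounty.id}"}>
        <%= bounty.title %> ($<%= bounty.amount %>)
        <%= if can_manage_bounty?(@current_user_role) do %>
          <button phx-click="edit_amount" phx-value-id={bounty.id}>Edit Amount</button>
          <button phx-click="delete" phx-value-id={bounty.id}>Delete</button>
        <% end %>
      </li>
    </ul>
    """
  end

  # The hidden button is UX only: a client can still push a "delete" event
  # over the LiveView socket, so the handler re-checks the same predicate.
  def handle_event("delete", %{"id" => id}, socket) do
    if can_manage_bounty?(socket.assigns.current_user_role) do
      id = String.to_integer(id)
      bounties = Enum.reject(socket.assigns.bounties, &(&1.id == id))
      {:noreply, assign(socket, bounties: bounties)}
    else
      {:noreply, put_flash(socket, :error, "You are not allowed to delete bounties")}
    end
  end

  def handle_event("edit_amount", _params, socket) do
    if can_manage_bounty?(socket.assigns.current_user_role) do
      # Amount editing would continue here; omitted in this illustration.
      {:noreply, socket}
    else
      {:noreply, put_flash(socket, :error, "You are not allowed to edit bounties")}
    end
  end
end
```

The point of routing both the template and the handlers through `can_manage_bounty?/1` is that the two cannot drift apart: widening the set of roles that see the button automatically widens the set that may use it, and vice versa. A reviewer of the real change would check that the handler side of the LiveView enforces the same condition that the template now renders on.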


CLAassistant commented May 18, 2026

CLA assistant check
All committers have signed the CLA.

Add permission check to only show Edit Amount and Delete buttons when
current_user_role is :admin or :mod. This prevents unauthorized users from
seeing buttons they cannot use, improving UX and avoiding confusion.

Fixes: algora-io#238

shengtenghou4-star force-pushed the fix/bounty-permission-check branch from e72c75b to 626d41a on May 18, 2026 at 15:28

When a user's GitHub username changes (e.g., from 'shravan20' to 'zhravan'),
their last_context still points to the old username. On login, the system
would redirect to /oldusername/dashboard causing a 404. Now it validates
the handle exists before redirecting, falling back to /home if not found.

Fixes: algora-io#183
Prevent alert spamming from automated subdomain enumeration tools
(bug bounty scanners, security testing, etc.)

Fixes: algora-io#201
Show 'posted X ago' timestamp on bounties listing to help contributors
prioritize and identify new/active bounties.

Fixes: algora-io#175
The bot was re-processing /attempt commands when comments were edited,
causing duplicate bounty responses. Now only processes on comment creation.

Fixes: algora-io#141
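The duplicate-response bug described in this commit message comes from GitHub delivering the `issue_comment` event for every lifecycle action (`created`, `edited`, `deleted`) with the full comment body each time, so a handler that matches on the body alone runs once per edit. The following is an added example (not Algora's webhook controller) of dispatching on the `action` field so that only a newly created comment can trigger `/attempt`; `ExampleBot.handle_attempt/1` is a hypothetical stand-in for the bot logic, and the controller assumes the webhook signature has already been verified by an upstream plug:

```elixir
defmodule ExampleBot do
  # Hypothetical stand-in for the bot's /attempt handling (not Algora's code).
  require Logger

  def handle_attempt(%{"issue" => %{"number" => n}, "comment" => %{"user" => %{"login" => login}}}) do
    Logger.info("attempt on issue ##{n} by #{login}")
    :ok
  end

  def handle_attempt(_payload), do: :ok
end

defmodule ExampleWeb.GithubWebhookController do
  # Added example, not Algora's webhook controller. The payload keys used here
  # ("action", "comment", "issue") are GitHub's real issue_comment event fields;
  # signature verification (X-Hub-Signature-256) is assumed to happen upstream.
  use Phoenix.Controller
  import Plug.Conn

  # Only a newly created comment may start an attempt. The same body arriving
  # with action "edited" would otherwise be treated as a second command.
  def issue_comment(conn, %{"action" => "created", "comment" => %{"body" => body}} = payload) do
    if attempt_command?(body), do: ExampleBot.handle_attempt(payload)
    send_resp(conn, 200, "ok")
  end

  # "edited" and "deleted" deliveries are acknowledged but never dispatched,
  # so editing a comment that contains /attempt cannot re-trigger the bot.
  def issue_comment(conn, %{"action" => action}) when action in ["edited", "deleted"] do
    send_resp(conn, 200, "ignored: #{action}")
  end

  # Anything else (unknown action, missing fields) is acknowledged and dropped.
  def issue_comment(conn, _payload), do: send_resp(conn, 200, "ignored")

  # /attempt must lead a line (after trimming) so it is not matched inside prose.
  def attempt_command?(body) when is_binary(body) do
    body
    |> String.split(["\r\n", "\n"])
    |> Enum.any?(&(&1 |> String.trim() |> String.starts_with?("/attempt")))
  end

  def attempt_command?(_), do: false
end
```

Matching on `"action" => "created"` in the function head, rather than checking the body first and the action later, keeps the decision in one place and makes the ignored cases explicit; responding 200 to edits and deletions is deliberate, since a non-2xx reply would make GitHub retry a delivery that was never meant to be processed.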
Users can now withdraw their job applications. Added withdraw_application
function to Jobs module and withdraw_job event handler to jobs_live.
Changed 'Applied' button to 'Withdraw' to allow cancellation.

Fixes: algora-io#171