From e2bc37aa0c694d0ba6441f933e3d568635f83b00 Mon Sep 17 00:00:00 2001
From: cscguochang-agent
Date: Sun, 1 Feb 2026 11:42:06 +0800
Subject: [PATCH] fix(ui): hide bounty management buttons from non-owners
- Added can_manage_bounties?/1 helper to check org membership.
- Wrapped 'Edit Amount' and 'Delete' buttons with authorization guard.
Fixes #179
---
 lib/algora_web/live/org/bounties_live.ex | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/lib/algora_web/live/org/bounties_live.ex b/lib/algora_web/live/org/bounties_live.ex
index f6a01b14..15972036 100644
--- a/lib/algora_web/live/org/bounties_live.ex
+++ b/lib/algora_web/live/org/bounties_live.ex
@@ -215,7 +215,7 @@ defmodule AlgoraWeb.Org.BountiesLive do
 <% end %>
-
+
<.button phx-click="edit-bounty-amount" phx-value-id={bounty.id}
@@ -618,6 +618,20 @@ defmodule AlgoraWeb.Org.BountiesLive do
 end)
 end
+ defp can_manage_bounties?(assigns) do
+ user = assigns[:current_user]
+ org = assigns[:current_org]
+
+ if user && org do
+ case Algora.Organizations.fetch_member(org.id, user.id) do
+ {:ok, member} -> member.role in [:admin, :mod]
+ _ -> false
+ end
+ else
+ false
+ end
+ end
+
 defp to_transaction_rows(transactions), do: transactions
 defp assign_more_bounties(socket) do
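Review bot: The guard added around the buttons only removes them from the rendered markup; the `edit-bounty-amount` event visible in this hunk, and the delete event named in the commit message, are still accepted from any client connected to this LiveView. The diffstat shows changes only to the template and the new helper, so unless the `handle_event/3` clauses already verify membership, each should start with the same check, for example `if can_manage_bounties?(socket.assigns) do ... else {:noreply, put_flash(socket, :error, "Not authorized")} end`. The template block and the handlers both lie outside this hunk, so this needs confirming against the full file. A LiveView test that pushes the event as a non-member and asserts the bounty is unchanged would pin the behaviour.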
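Review bot: `can_manage_bounties?/1` calls `Algora.Organizations.fetch_member/2` every time the template evaluates it, and passing the whole `assigns` map into a function disables LiveView change tracking for that expression; if the guard sits inside the per-bounty loop, that is presumably one lookup per row on every render. Resolve it once where `current_org` and `current_user` are assigned, `assign(socket, :can_manage_bounties, can_manage_bounties?(socket.assigns))`, and let the template read `@can_manage_bounties`, keeping the helper for a fresh check at event time. The subject line says "non-owners" while the predicate admits `[:admin, :mod]`, so a comment such as `# Roles allowed to edit or delete bounties; keep in sync with the handle_event checks.` would record the intended policy. The catch-all `_ -> false` fails closed, which is the right default here.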