From 88179ce4304edbfa1ce8d82769daf6285897110b Mon Sep 17 00:00:00 2001
From: lizardflaco
Date: Thu, 21 May 2026 14:27:06 -0400
Subject: [PATCH] Hide bounty actions from unauthorized org viewers
---
 lib/algora_web/live/org/bounties_live.ex | 2 +-
 .../live/org/bounties_live_test.exs | 39 +++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 test/algora_web/live/org/bounties_live_test.exs
diff --git a/lib/algora_web/live/org/bounties_live.ex b/lib/algora_web/live/org/bounties_live.ex
index 9dccffbd2..76351f26b 100644
--- a/lib/algora_web/live/org/bounties_live.ex
+++ b/lib/algora_web/live/org/bounties_live.ex
@@ -220,7 +220,7 @@ defmodule AlgoraWeb.Org.BountiesLive do
 <% end %>
-
+
<.button phx-click="edit-bounty-amount" phx-value-id={bounty.id}
diff --git a/test/algora_web/live/org/bounties_live_test.exs b/test/algora_web/live/org/bounties_live_test.exs
new file mode 100644
index 000000000..062c3864a
--- /dev/null
+++ b/test/algora_web/live/org/bounties_live_test.exs
@@ -0,0 +1,39 @@
+defmodule AlgoraWeb.Org.BountiesLiveTest do
+ use AlgoraWeb.ConnCase, async: true
+
+ import Algora.Factory
+ import Phoenix.LiveViewTest
+
+ alias AlgoraWeb.UserAuth
+
+ setup %{conn: conn} do
+ conn = Phoenix.ConnTest.init_test_session(conn, %{})
+ org = insert!(:organization)
+ repo = insert!(:repository, user: org, name: "algora")
+ ticket = insert!(:ticket, repository: repo, number: 238, title: "Hide unauthorized bounty actions")
+ bounty = insert!(:bounty, owner: org, creator: org, ticket: ticket, amount: Money.new!(2500, :USD))
+
+ %{conn: conn, org: org, bounty: bounty}
+ end
+
+ test "hides bounty management actions from non-members", %{conn: conn, org: org} do
+ user = insert!(:user)
+ conn = UserAuth.put_current_user(conn, user)
+
+ assert {:ok, _view, html} = live(conn, "/#{org.handle}/bounties")
+ assert html =~ "Hide unauthorized bounty actions"
+ refute html =~ "Edit Amount"
+ refute html =~ "delete-bounty"
+ end
+
+ test "shows bounty management actions to org admins", %{conn: conn, org: org, bounty: bounty} do
+ admin = insert!(:user)
+ insert!(:member, user: admin, org: org, role: :admin)
+ conn = UserAuth.put_current_user(conn, admin)
+
+ assert {:ok, _view, html} = live(conn, "/#{org.handle}/bounties")
+ assert html =~ "Edit Amount"
+ assert html =~ ~s(phx-value-id="#{bounty.id}")
+ assert html =~ "delete-bounty"
+ end
+end
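Review bot: Hiding the wrapper around the `edit-bounty-amount` button does not by itself stop an unauthorized viewer from triggering the action, and the diffstat shows this one template line is the only change to bounties_live.ex, so the `handle_event/3` clauses behind `edit-bounty-amount` and `delete-bounty` are untouched here. A LiveView handler runs for any event the connected socket delivers, whether or not the control was rendered, so unless those clauses already verify the viewer's role on the server this change is cosmetic rather than an access control. Please confirm each handler repeats the check the template now uses, and record the split next to the changed line with something like `<%!-- UI gate only; handle_event/3 enforces the same role check --%>`. The condition on the added line is not visible in this extract, and the enclosing template continues outside the hunk.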
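Review bot: Both tests assert only on rendered HTML, so they pin the visibility change but not whether a non-member is actually prevented from editing or deleting a bounty; a third test that delivers `delete-bounty` to the view as the non-member (for example with `render_hook/3`) and asserts the bounty is unchanged would cover that. The negative case also exercises only a signed-in non-member: a signed-out visitor and an org member whose role is not `:admin` are not covered, so the boundary of the new condition is untested. `refute html =~ "delete-bounty"` matches the substring anywhere in the page; binding `view` and using `refute has_element?(view, ~s([phx-click="delete-bounty"]))` would be tighter, assuming that string is the button's `phx-click` value.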