From b4e77e2c8f027c8238271dc14a4258d4a6b81c04 Mon Sep 17 00:00:00 2001
From: Francisco Lopez
Date: Fri, 22 May 2026 14:38:07 -0500
Subject: [PATCH] fix: hide bounty admin actions and stop subdomain handle oracle

Only show Edit Amount and Delete controls to org admins and mods on the bounties table. Remove critical alerts when a subdomain matches a user handle so attackers cannot enumerate valid profiles via side channels.

Fixes algora-io/algora#238
Fixes algora-io/algora#201

Co-authored-by: Cursor
---
 lib/algora_web/endpoint.ex | 1 -
 lib/algora_web/live/org/bounties_live.ex | 5 ++++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/algora_web/endpoint.ex b/lib/algora_web/endpoint.ex
index b4eabc806..8497d8d65 100644
--- a/lib/algora_web/endpoint.ex
+++ b/lib/algora_web/endpoint.ex
@@ -124,7 +124,6 @@ defmodule AlgoraWeb.Endpoint do
 conn.request_path

 _user ->
- Algora.Activities.alert("👀 Someone is viewing https://#{sub}.algora.io", :critical)
 Path.join(["/#{sub}/candidates", conn.request_path])
 end
 end
diff --git a/lib/algora_web/live/org/bounties_live.ex b/lib/algora_web/live/org/bounties_live.ex
index 9dccffbd2..3b98c717a 100644
--- a/lib/algora_web/live/org/bounties_live.ex
+++ b/lib/algora_web/live/org/bounties_live.ex
@@ -220,7 +220,10 @@ defmodule AlgoraWeb.Org.BountiesLive do
 <% end %>
-
+
<.button phx-click="edit-bounty-amount" phx-value-id={bounty.id}