Fix challenge-scoped admin auth across admin screens and actions (#42)

Author: prazgaitis

.claude/napkin.md

@@ -64,3 +64,7 @@
 - Root layout auth preloads can execute during static prerender (`/_not-found`); guard token preload and fail open when auth env vars are absent at build time.
 - Vercel can ignore root `vercel.json` when project Root Directory is `apps/web`; keep an `apps/web/vercel.json` with the Convex deploy build command to avoid accidental `pnpm build` fallback.
 - For CLI work in this repo, prefer Bun runtime (`bun ...`) when feasible.
+| 2026-02-17 | self | Ran `ls` before reading napkin at session start | Always read `.claude/napkin.md` as the first command in every session |
+| 2026-02-17 | self | Ran `sed` on bracketed Next route paths without quoting, causing zsh `no matches found` | Always single-quote paths containing `[id]` before `sed`/`cat`/`rg` |
+| 2026-02-17 | self | Queried prod with `queries/users:getByEmailPublic` and failed because deployed function name was `queries/users:getByEmail` | When checking prod Convex, list available functions from error output and call the deployed name instead of assuming local function names |
+| 2026-02-17 | self | Missed a closing quote in a `sed` command for a bracketed path and got `unmatched '` | Double-check shell quoting when commands include `[id]` paths before execution |

apps/web/app/challenges/[id]/admin/activity-types/page.tsx

@@ -2,7 +2,6 @@ import { getConvexClient } from "@/lib/convex-server";
 import { api } from "@repo/backend";
 import type { Id } from "@repo/backend/_generated/dataModel";
 
-import { requireAuth } from "@/lib/auth";
 import { getChallengeOrThrow } from "@/lib/challenge-helpers";
 import { Card, CardContent, CardHeader, CardTitle } from "@/components/ui/card";
 import { AdminActivityTypesTable } from "@/components/admin/admin-activity-types-table";
@@ -15,11 +14,14 @@ export default async function ActivityTypesAdminPage({
   params,
 }: ActivityTypesAdminPageProps) {
   const convex = getConvexClient();
-  const user = await requireAuth();
   const { id } = await params;
   const challenge = await getChallengeOrThrow(id);
 
-  if (challenge.creatorId !== user._id && user.role !== "admin") {
+  const adminStatus = await convex.query(api.queries.participations.isUserChallengeAdmin, {
+    challengeId: challenge.id as Id<"challenges">,
+  });
+
+  if (!adminStatus.isAdmin) {
     return null;
   }
 

apps/web/app/challenges/[id]/admin/flagged-activities/[activityId]/page.tsx

@@ -4,8 +4,6 @@ import { getConvexClient } from "@/lib/convex-server";
 import { api } from "@repo/backend";
 import type { Id } from "@repo/backend/_generated/dataModel";
 
-import { requireAuth } from "@/lib/auth";
-import { getChallengeOrThrow } from "@/lib/challenge-helpers";
 import { Card, CardContent, CardHeader, CardTitle } from "@/components/ui/card";
 import { Badge } from "@/components/ui/badge";
 import { FlaggedActivityActions } from "@/components/admin/flagged-activity-actions";
@@ -34,7 +32,6 @@ export default async function FlaggedActivityDetailPage({
   params,
 }: FlaggedActivityDetailPageProps) {
   const convex = getConvexClient();
-  const user = await requireAuth();
   const { activityId } = await params;
 
   const detail = await convex.query(api.queries.admin.getFlaggedActivityDetail, {
@@ -45,9 +42,11 @@ export default async function FlaggedActivityDetailPage({
     notFound();
   }
 
-  const challenge = await getChallengeOrThrow(detail.activity.challengeId as string);
+  const adminStatus = await convex.query(api.queries.participations.isUserChallengeAdmin, {
+    challengeId: detail.activity.challengeId as Id<"challenges">,
+  });
 
-  if (challenge.creatorId !== user._id && user.role !== "admin") {
+  if (!adminStatus.isAdmin) {
     notFound();
   }
 

apps/web/app/challenges/[id]/admin/flagged-activities/page.tsx

@@ -4,7 +4,6 @@ import { getConvexClient } from "@/lib/convex-server";
 import { api } from "@repo/backend";
 import type { Id } from "@repo/backend/_generated/dataModel";
 
-import { requireAuth } from "@/lib/auth";
 import { getChallengeOrThrow } from "@/lib/challenge-helpers";
 import { flaggedActivitiesQuerySchema } from "@/lib/validations";
 import { Badge } from "@/components/ui/badge";
@@ -39,12 +38,15 @@ export default async function FlaggedActivitiesPage({
   searchParams,
 }: FlaggedActivitiesPageProps) {
   const convex = getConvexClient();
-  const user = await requireAuth();
   const { id } = await params;
   const searchParamsResolved = await searchParams;
   const challenge = await getChallengeOrThrow(id);
 
-  if (challenge.creatorId !== user._id && user.role !== "admin") {
+  const adminStatus = await convex.query(api.queries.participations.isUserChallengeAdmin, {
+    challengeId: challenge.id as Id<"challenges">,
+  });
+
+  if (!adminStatus.isAdmin) {
     return null;
   }
 

apps/web/app/challenges/[id]/admin/integrations/page.tsx

@@ -2,7 +2,6 @@ import { getConvexClient } from "@/lib/convex-server";
 import { api } from "@repo/backend";
 import type { Id } from "@repo/backend/_generated/dataModel";
 
-import { requireAuth } from "@/lib/auth";
 import { getChallengeOrThrow } from "@/lib/challenge-helpers";
 import { IntegrationsTabs } from "./integrations-tabs";
 
@@ -14,11 +13,14 @@ export default async function IntegrationsAdminPage({
   params,
 }: IntegrationsAdminPageProps) {
   const convex = getConvexClient();
-  const user = await requireAuth();
   const { id } = await params;
   const challenge = await getChallengeOrThrow(id);
 
-  if (challenge.creatorId !== user._id && user.role !== "admin") {
+  const adminStatus = await convex.query(api.queries.participations.isUserChallengeAdmin, {
+    challengeId: challenge.id as Id<"challenges">,
+  });
+
+  if (!adminStatus.isAdmin) {
     return null;
   }
 

packages/backend/mutations/admin.ts

@@ -1,6 +1,43 @@
 import { internalMutation, mutation } from "../_generated/server";
 import { v } from "convex/values";
 import { getCurrentUser } from "../lib/ids";
+import type { Id } from "../_generated/dataModel";
+
+async function requireChallengeAdminForActivity(
+  ctx: { db: any; auth: any },
+  activityId: Id<"activities">,
+) {
+  const user = await getCurrentUser(ctx as any);
+  if (!user) {
+    throw new Error("Not authenticated");
+  }
+
+  const activity = await ctx.db.get(activityId);
+  if (!activity || activity.deletedAt) {
+    throw new Error("Activity not found");
+  }
+
+  const challenge = await ctx.db.get(activity.challengeId);
+  if (!challenge) {
+    throw new Error("Challenge not found");
+  }
+
+  const isGlobalAdmin = user.role === "admin";
+  const isCreator = challenge.creatorId === user._id;
+  const participation = await ctx.db
+    .query("userChallenges")
+    .withIndex("userChallengeUnique", (q: any) =>
+      q.eq("userId", user._id).eq("challengeId", activity.challengeId),
+    )
+    .first();
+  const isChallengeAdmin = participation?.role === "admin";
+
+  if (!isGlobalAdmin && !isCreator && !isChallengeAdmin) {
+    throw new Error("Not authorized - challenge admin required");
+  }
+
+  return { user, activity };
+}
 
 // Internal mutation to delete a challenge and all related data (for scripts/migrations)
 export const deleteChallenge = internalMutation({
@@ -84,28 +121,7 @@ export const updateFlagResolution = mutation({
     notes: v.optional(v.string()),
   },
   handler: async (ctx, args) => {
-    const user = await getCurrentUser(ctx);
-    if (!user || user.role !== "admin") {
-      throw new Error("Not authorized - admin only");
-    }
-
-    const activity = await ctx.db.get(args.activityId);
-    if (!activity || activity.deletedAt) {
-      throw new Error("Activity not found");
-    }
-
-    // Check if user can manage this challenge
-    const challenge = await ctx.db.get(activity.challengeId);
-    if (!challenge) {
-      throw new Error("Challenge not found");
-    }
-
-    const canManage =
-      user.role === "admin" || challenge.creatorId === user._id;
-
-    if (!canManage) {
-      throw new Error("Not authorized to manage this challenge");
-    }
+    const { user } = await requireChallengeAdminForActivity(ctx, args.activityId);
 
     const now = Date.now();
 
@@ -143,28 +159,10 @@ export const addAdminComment = mutation({
     visibility: v.union(v.literal("internal"), v.literal("participant")),
   },
   handler: async (ctx, args) => {
-    const user = await getCurrentUser(ctx);
-    if (!user || user.role !== "admin") {
-      throw new Error("Not authorized - admin only");
-    }
-
-    const activity = await ctx.db.get(args.activityId);
-    if (!activity || activity.deletedAt) {
-      throw new Error("Activity not found");
-    }
-
-    // Check if user can manage this challenge
-    const challenge = await ctx.db.get(activity.challengeId);
-    if (!challenge) {
-      throw new Error("Challenge not found");
-    }
-
-    const canManage =
-      user.role === "admin" || challenge.creatorId === user._id;
-
-    if (!canManage) {
-      throw new Error("Not authorized to manage this challenge");
-    }
+    const { user, activity } = await requireChallengeAdminForActivity(
+      ctx,
+      args.activityId,
+    );
 
     const now = Date.now();
 
@@ -216,28 +214,10 @@ export const adminEditActivity = mutation({
     metrics: v.optional(v.any()),
   },
   handler: async (ctx, args) => {
-    const user = await getCurrentUser(ctx);
-    if (!user || user.role !== "admin") {
-      throw new Error("Not authorized - admin only");
-    }
-
-    const activity = await ctx.db.get(args.activityId);
-    if (!activity || activity.deletedAt) {
-      throw new Error("Activity not found");
-    }
-
-    // Check if user can manage this challenge
-    const challenge = await ctx.db.get(activity.challengeId);
-    if (!challenge) {
-      throw new Error("Challenge not found");
-    }
-
-    const canManage =
-      user.role === "admin" || challenge.creatorId === user._id;
-
-    if (!canManage) {
-      throw new Error("Not authorized to manage this challenge");
-    }
+    const { user, activity } = await requireChallengeAdminForActivity(
+      ctx,
+      args.activityId,
+    );
 
     const now = Date.now();
     const updates: Record<string, unknown> = {

tasks/2026-02-17-admin-scope-prod-verification.md

@@ -0,0 +1,8 @@
+# 2026-02-17 Admin Scope Prod Verification
+
+- [x] Identify where admin access is scoped in code (backend + web checks)
+- [x] Verify production data for `prazgaitis@gmail.com` (user + admin role bindings)
+- [x] Confirm prod environment configuration used by admin checks
+- [x] Pinpoint mismatch between code and data causing missing admin access
+- [x] Implement/fix code if needed and validate
+- [x] Summarize findings and exact remediation steps