Bug Description
The /admin route is wrapped in ProtectedRoute, which only checks if the user is logged in. Any authenticated user (regardless of their UserRole.role) can access the admin panel, create/edit/delete quests, and manage bosses.
Steps to Reproduce
- Register a regular user account
- Navigate to /admin
Expected Behavior
Only users with role == "Admin" can access /admin. Others get redirected to the home page (/dashboard).
Actual Behavior
Full admin panel is accessible to all logged-in users.
Environment
All environments.
Additional Context
App.jsx:40. UserRole model already has the role field (user_role.py:19). The /api/me response should include role, and ProtectedRoute (or a separate AdminRoute) should gate on it.
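An added illustration of the gating logic described above, not code from the project: the existing login-only check beside a role-aware AdminRoute check, written as plain decision functions so it runs outside React. It assumes /api/me returns a `role` string, that "/login" is the unauthenticated redirect (the issue does not name it), and that the sample users are constructed.

```javascript
// Added example, not project code. Names from the issue: ProtectedRoute,
// AdminRoute, /api/me, role == "Admin", /dashboard. LOGIN is assumed.
const ADMIN_ROLE = "Admin";
const HOME = "/dashboard";
const LOGIN = "/login";

// Constructed sample /api/me responses; null models an anonymous visitor.
// The `role` field is assumed to be exposed by /api/me as the issue proposes.
const SAMPLE_USERS = {
  anonymous: null,
  player: { id: 1, username: "alice", role: "Player" },
  admin: { id: 2, username: "bob", role: "Admin" },
};

// Current behaviour: ProtectedRoute only asks "is someone logged in?"
function protectedRouteDecision(me) {
  return me ? { allow: true } : { allow: false, redirectTo: LOGIN };
}

// Proposed behaviour: AdminRoute also requires the exact role string.
// Strict comparison means an unexpected value (undefined, "admin", "Admin ")
// falls through to the redirect instead of being treated as admin.
function adminRouteDecision(me) {
  if (!me) return { allow: false, redirectTo: LOGIN };
  if (typeof me.role !== "string" || me.role !== ADMIN_ROLE) {
    return { allow: false, redirectTo: HOME };
  }
  return { allow: true };
}

// Route table in the spirit of App.jsx: each path picks its guard.
const ROUTES = {
  "/dashboard": protectedRouteDecision,
  "/admin": adminRouteDecision,
};

function resolveRoute(path, me) {
  const guard = ROUTES[path];
  if (!guard) return { allow: false, redirectTo: HOME };
  return guard(me);
}

// The same rule belongs on the backend: the client guard only hides the UI,
// so quest/boss admin API handlers should apply an equivalent check.
function requireAdmin(me) {
  return adminRouteDecision(me).allow;
}
```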