fix: hide Edit/Delete buttons from unauthorized users (#238) and respect email opt-out (#241) #248
Open
yihangwu539-png wants to merge 2 commits into algora-io:main from
…io#238) Add `:if={@current_user_role in [:admin, :mod]}` condition to the "Edit Amount" and "Delete" buttons in the org bounties listing page. The backend already rejects unauthorized requests, but the buttons should not be rendered at all for users who can't use them.
…ls (algora-io#241) Check the user's `opt_out_algora` flag before scheduling job match notification emails. Users who have explicitly opted out should not receive recruitment spam from the platform.
This was referenced May 2, 2026
This PR fixes two issues:

Issue #238 - [UI Bug] Unauthorized 'Edit' and 'Delete' buttons visible

File changed: `lib/algora_web/live/org/bounties_live.ex`

The "Edit Amount" and "Delete" buttons were rendered for all users on the org bounties listing page. While the backend correctly rejected unauthorized requests (showing "You are not authorized" toast messages), the buttons should not be visible at all to users who cannot use them.

Fix: Added `:if={@current_user_role in [:admin, :mod]}` guards to both buttons, matching the authorization check already present in the `edit-bounty-amount` and `delete-bounty` event handlers.

Issue #241 - Platform emails users who have opted out

File changed: `lib/algora/cloud.ex`

The `notify_match/1` function was scheduling job match notification emails (via `AlgoraCloud.EmailScheduler`) without checking if the user had set `opt_out_algora` to `true`. This caused users who explicitly opted out of Algora communications to still receive recruitment emails.

Fix: Added a check for the user's `opt_out_algora` flag before scheduling the email. If the user has opted out, the email is skipped with `{:ok, :skipped}`.
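
Added example, not part of the PR or Algora's code: a stand-alone Elixir script modelling the two fixes described above, with the role check enforced in the event handler as well as in the render guard, and the opt-out checked before anything is scheduled. Module and function names, the `:viewer` role and the sample users are assumptions; the `:admin`/`:mod` roles, the event names, `opt_out_algora` and `{:ok, :skipped}` are taken from the description.

```elixir
# Added example, not Algora's code. Module and function names are hypothetical;
# the roles, event names, opt_out_algora and {:ok, :skipped} come from the PR text.
defmodule Example.BountyPolicy do
  @manage_roles [:admin, :mod]

  # One predicate shared by the template guard and the event handlers,
  # so the two checks cannot drift apart.
  def can_manage?(role), do: role in @manage_roles
end

defmodule Example.BountiesView do
  alias Example.BountyPolicy

  # Stands in for `:if={@current_user_role in [:admin, :mod]}` in the template.
  def buttons(%{current_user_role: role}) do
    if BountyPolicy.can_manage?(role), do: ["Edit Amount", "Delete"], else: []
  end

  # Enforcement point: a client can push these events over the socket
  # even when the buttons were never rendered, so the check stays here.
  def handle_event(event, _params, %{current_user_role: role})
      when event in ["edit-bounty-amount", "delete-bounty"] do
    if BountyPolicy.can_manage?(role), do: {:ok, event}, else: {:error, :unauthorized}
  end
end

defmodule Example.Notifier do
  # Opt-out is checked before anything is enqueued. `schedule` is a
  # caller-supplied function standing in for the real email scheduler.
  def notify_match(%{opt_out_algora: true}, _schedule), do: {:ok, :skipped}
  def notify_match(user, schedule), do: schedule.(user)
end

# Constructed inputs; each match raises MatchError if the behaviour differs.
viewer = %{current_user_role: :viewer}
admin = %{current_user_role: :admin}
[] = Example.BountiesView.buttons(viewer)
["Edit Amount", "Delete"] = Example.BountiesView.buttons(admin)
{:error, :unauthorized} = Example.BountiesView.handle_event("delete-bounty", %{}, viewer)
{:ok, "delete-bounty"} = Example.BountiesView.handle_event("delete-bounty", %{}, admin)

send_mail = fn user -> {:ok, {:scheduled, user.email}} end
opted_out = %{email: "a@example.test", opt_out_algora: true}
opted_in = %{email: "b@example.test", opt_out_algora: false}
{:ok, :skipped} = Example.Notifier.notify_match(opted_out, send_mail)
{:ok, {:scheduled, "b@example.test"}} = Example.Notifier.notify_match(opted_in, send_mail)
IO.puts("all checks passed")
```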