
Fix: Unreviewed Prereq badge granted access to further claims #45

Merged
ottonomy merged 1 commit into main from feature/permissions-fix on Feb 12, 2026

@ottonomy
Contributor

Resolves #38

Users can claim the "Member" achievement (which requires review) and immediately use it as a prerequisite to claim other badges, even though the claim hasn't been reviewed/approved yet. The prerequisite check only verifies claim existence, not validity.

Root Cause

The getUserClaim() function in src/lib/data/achievementClaim.ts returns any claim without validating:

  • validFrom is set (claim has been reviewed/approved)
  • claimStatus is 'ACCEPTED'
  • Claim hasn't expired (validUntil is null or in the future)

This function is used in prerequisite checks in:

  • src/routes/achievements/[id]/claim/+page.server.ts (lines 38-41, 87-90)
  • src/routes/claims/[claimId]/+page.server.ts (lines 44-47)

@ottonomy ottonomy merged commit a911e0b into main Feb 12, 2026
2 of 3 checks passed
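
The three validity conditions listed under Root Cause, contrasted with an existence-only check, as an added TypeScript example that is not part of this pull request or the project's code. The field names `validFrom`, `claimStatus`, `validUntil` and the `'ACCEPTED'` value come from the description above; the `Claim` shape, the function names and the sample rows are assumptions constructed for illustration.

```typescript
// Added example, not the project's code. Claim shape and function names are hypothetical.
interface Claim {
  userId: string;
  achievementId: string;
  claimStatus: string;     // only 'ACCEPTED' is named in the PR description
  validFrom: Date | null;  // set once the claim has been reviewed/approved
  validUntil: Date | null; // null means the claim does not expire
}

// All three conditions from the root-cause list must hold.
function isClaimValid(claim: Claim, now: Date): boolean {
  if (claim.claimStatus !== 'ACCEPTED') return false;
  if (claim.validFrom === null) return false;
  if (claim.validUntil !== null && claim.validUntil.getTime() <= now.getTime()) return false;
  return true;
}

// Existence-only check: the behaviour described as the root cause.
function hasAnyClaim(claims: Claim[], userId: string, achievementId: string): boolean {
  return claims.some(c => c.userId === userId && c.achievementId === achievementId);
}

// Prerequisite check that also requires the claim to be valid at `now`.
function hasValidClaim(claims: Claim[], userId: string, achievementId: string, now: Date): boolean {
  return claims.some(
    c => c.userId === userId && c.achievementId === achievementId && isClaimValid(c, now)
  );
}

// Constructed sample rows (not project data). 'UNREVIEWED_PLACEHOLDER' is a made-up status.
const NOW = new Date('2026-02-12T00:00:00Z');
const SAMPLE_CLAIMS: Claim[] = [
  { userId: 'alice', achievementId: 'member', claimStatus: 'UNREVIEWED_PLACEHOLDER', validFrom: null, validUntil: null },
  { userId: 'bob', achievementId: 'member', claimStatus: 'ACCEPTED', validFrom: new Date('2026-01-01T00:00:00Z'), validUntil: null },
  { userId: 'carol', achievementId: 'member', claimStatus: 'ACCEPTED', validFrom: new Date('2025-01-01T00:00:00Z'), validUntil: new Date('2026-01-01T00:00:00Z') },
  { userId: 'dave', achievementId: 'member', claimStatus: 'ACCEPTED', validFrom: null, validUntil: null }, // status set but never approved
];
```

With these rows, `hasAnyClaim` is true for alice's unreviewed claim while `hasValidClaim` is true only for bob.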

Development

Successfully merging this pull request may close these issues.

Badge "To be reviewed" gives access
