fix: Token.PASS is now model-enforced as staff-only — Token.clean/save raise ValidationError when a non-staff user is the FK target. Staging bug 2026-05-21 — admin awarded a PASS to a non-admin via Django admin; row was created + showed in the user's wallet, but every game-side surface (gameboard, game-kit, gate-pad select_token, _select_my_sea_token) had always filtered PASS behind is_staff, so the token was unequippable + unusable. Five is_staff-gated PASS surfaces made PASS a deliberate staff-only trinket; the wallet was the lone outlier surfacing it. Bundled: wallet view (+ HTMX toggle partial) now gates pass_token behind is_staff mirroring the gameboard pattern — defense-in-depth in case any future bypass writes a stray row. TDD — new ITs: PassTokenStaffOnlyGuardTest (model raises for non-staff, accepts for staff, leaves other token types unaffected); WalletPassTokenVisibilityTest (3 cases pin wallet + HTMX gating); TokenAdminFormTest.test_pass_token_for_non_staff_user_is_invalid + test_pass_token_for_staff_user_is_valid. Adjusted 2 existing tests that incidentally exercised the now-blocked pattern (test_paid_draw_with_pass_does_not_consume, test_pass_token_is_not_consumed — both flip is_staff = True inline before Token.objects.create); dropped PASS from test_other_token_types_do_not_require_expires_at's loop (covered by the new dedicated tests). 1133 IT/UT green. A non-admin "boost-pass" variant lands as a distinct token_type later, NEVER by relaxing the staff gate — captured in [[feedback-pass-token-staff-only]]

Code architected by Disco DeDisco <discodedisco@outlook.com> Git commit message Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 00:35:55 -04:00
parent 97a6da28a5
commit 0f60c73f3b
6 changed files with 103 additions and 3 deletions
--- a/src/apps/lyric/models.py
+++ b/src/apps/lyric/models.py
@@ -2,6 +2,7 @@ import uuid

 from datetime import timedelta
 from django.contrib.auth.base_user import AbstractBaseUser, BaseUserManager
+from django.core.exceptions import ValidationError
 from django.db import models
 from django.db.models.signals import post_save
 from django.dispatch import receiver
@@ -250,6 +251,25 @@ class Token(models.Model):
    next_ready_at = models.DateTimeField(null=True, blank=True)
    slots_claimed = models.PositiveSmallIntegerField(default=0, blank=True)

+    def clean(self):
+        # PASS is admin-only — game-side surfaces (gameboard, game-kit, gate
+        # picker) all filter PASS behind user.is_staff, so a non-staff PASS
+        # row is invisible/unusable and just clutters the wallet. A non-admin
+        # variant ("Boost Pass" or similar) will land as a distinct token_type
+        # later — keep the rule strict here so the two never blur.
+        super().clean()
+        if self.token_type == self.PASS and self.user_id and not self.user.is_staff:
+            raise ValidationError(
+                {"token_type": "PASS is admin-only — staff users only."}
+            )
+
+    def save(self, *args, **kwargs):
+        if self.token_type == self.PASS and self.user_id and not self.user.is_staff:
+            raise ValidationError(
+                {"token_type": "PASS is admin-only — staff users only."}
+            )
+        super().save(*args, **kwargs)
+
    def tooltip_name(self):
        return self.get_token_type_display()