chore: db snapshot with product-only images

feat: allow anonymous public wishlist viewing
2026-05-04 00:09:50 +00:00 · 2026-05-04 00:09:43 +00:00
7 changed files with 31 additions and 39 deletions
--- a/app/[slug]/page.tsx
+++ b/app/[slug]/page.tsx
@@ -202,7 +202,7 @@ function PublicWishlistContent() {
                const maxForMe = item.remainingQuantity + (myClaim?.quantity ?? 0);
                const showQuantitySummary = item.quantity > 1 && siteSettings.showQuantity;
                const sold = item.remainingQuantity === 0 && !myClaim;
-                const canClaim = siteSettings.claimingEnabled;
+                const canClaim = siteSettings.claimingEnabled && Boolean(currentGuestId);
                return (
                  <div
--- a/app/api/[slug]/route.ts
+++ b/app/api/[slug]/route.ts
@@ -8,13 +8,9 @@ export async function GET(
  { params }: { params: Promise<{ slug: string }> }
 ) {
  try {
    const { slug } = await params;
    const isAdmin = verifyAdminToken(request);
    const guest = await getGuestFromRequest(request);
    if (!isAdmin && !guest) {
      return NextResponse.json({ error: 'Convite necessário' }, { status: 401 });
    }
    const { slug } = await params;
    const wishlist = await db
      .select()
@@ -29,11 +25,11 @@ export async function GET(
      );
    }
-    // Only return public wishlists (admin can see all)
+    // Public wishlists can be viewed anonymously; private wishlists require admin or guest access.
-    if (!wishlist[0].isPublic && !isAdmin) {
+    if (!wishlist[0].isPublic && !isAdmin && !guest) {
      return NextResponse.json(
-        { error: 'Wishlist not found' },
+        { error: 'Convite necessário' },
-        { status: 404 }
+        { status: 401 }
      );
    }
--- a/app/api/items/[id]/route.ts
+++ b/app/api/items/[id]/route.ts
@@ -11,12 +11,6 @@ export async function GET(
  try {
    const { id } = await params;
    const isAdmin = verifyAdminToken(request);
    const guest = await getGuestFromRequest(request);
    if (!isAdmin && !guest) {
      return NextResponse.json({ error: 'Convite necessário' }, { status: 401 });
    }
    // Get item
    const item = await db
      .select()
@@ -45,10 +39,13 @@ export async function GET(
      );
    }
-    if (!wishlist[0].isPublic && !isAdmin) {
+    const isAdmin = verifyAdminToken(request);
    const guest = await getGuestFromRequest(request);
    if (!wishlist[0].isPublic && !isAdmin && !guest) {
      return NextResponse.json(
-        { error: 'This item is private' },
+        { error: 'Convite necessário' },
-        { status: 403 }
+        { status: 401 }
      );
    }
--- a/app/api/public/wishlists/route.ts
+++ b/app/api/public/wishlists/route.ts
@@ -1,16 +1,9 @@
-import { NextRequest, NextResponse } from 'next/server';
+import { NextResponse } from 'next/server';
 import { eq, asc } from 'drizzle-orm';
 import { db, wishlists } from '@/lib/db';
 import { getGuestFromRequest, verifyAdminToken } from '@/lib/auth/tokens';
-export async function GET(request: NextRequest) {
+export async function GET() {
  try {
    const isAdmin = verifyAdminToken(request);
    const guest = await getGuestFromRequest(request);
    if (!isAdmin && !guest) {
      return NextResponse.json({ error: 'Convite necessário' }, { status: 401 });
    }
    // Fetch only public wishlists
    const publicWishlists = await db
      .select()
--- a/app/api/wishlists/[id]/items/route.ts
+++ b/app/api/wishlists/[id]/items/route.ts
@@ -11,12 +11,6 @@ export async function GET(
  try {
    const { id } = await params;
    const isAdmin = verifyAdminToken(request);
    const guest = await getGuestFromRequest(request);
    if (!isAdmin && !guest) {
      return NextResponse.json({ error: 'Convite necessário' }, { status: 401 });
    }
    // Check if wishlist exists
    const wishlist = await db
      .select()
@@ -31,11 +25,14 @@ export async function GET(
      );
    }
-    // Permissions: guest can only see public wishlists; admin sees all
+    const isAdmin = verifyAdminToken(request);
-    if (!wishlist[0].isPublic && !isAdmin) {
+    const guest = await getGuestFromRequest(request);
    // Public wishlists can be viewed anonymously; private wishlists require admin or guest access.
    if (!wishlist[0].isPublic && !isAdmin && !guest) {
      return NextResponse.json(
-        { error: 'This wishlist is private' },
+        { error: 'Convite necessário' },
-        { status: 403 }
+        { status: 401 }
      );
    }
--- a/components/guest-guard.tsx
+++ b/components/guest-guard.tsx
@@ -1,7 +1,7 @@
 'use client';
 import { useEffect, useState } from 'react';
-import { authApi } from '@/lib/api';
+import { authApi, wishlistsApi } from '@/lib/api';
 type Status = 'checking' | { kind: 'ok'; guestName: string } | 'denied';
@@ -21,6 +21,15 @@ export default function GuestGuard({ children }: { children: React.ReactNode })
        if (who.role === 'admin' || who.role === 'guest') {
          setStatus({ kind: 'ok', guestName: who.guest?.name ?? 'admin' });
        } else {
          const slug = window.location.pathname.split('/').filter(Boolean)[0];
          if (slug) {
            const wishlist = await wishlistsApi.getBySlug(slug);
            if (cancelled) return;
            if (wishlist.isPublic) {
              setStatus({ kind: 'ok', guestName: 'visitante' });
              return;
            }
          }
          setStatus('denied');
        }
      } catch {
--- a/data/db/wishlist.db
+++ b/data/db/wishlist.db
Author	SHA1	Message	Date
Adriano Belisario	653121921e	chore: db snapshot with product-only images Some checks failed Build and Push Docker Image / build-and-push (push) Has been cancelled Details	2026-05-04 00:09:50 +00:00
Adriano Belisario	78bef85c96	feat: allow anonymous public wishlist viewing	2026-05-04 00:09:43 +00:00