From f0875bc929bdd8e6939ab1ece3c6c75a13a56dee Mon Sep 17 00:00:00 2001
From: Jared Schoeny
Date: Fri, 16 Jan 2026 13:42:35 -1000
Subject: [PATCH] Fix unapproved hack viewing permissions
---
 src/app/hack/[slug]/page.tsx | 13 +++++++------
 src/app/hack/[slug]/stats/page.tsx | 10 ++++------
 2 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/src/app/hack/[slug]/page.tsx b/src/app/hack/[slug]/page.tsx
index 928d01e..2533fe5 100644
--- a/src/app/hack/[slug]/page.tsx
+++ b/src/app/hack/[slug]/page.tsx
@@ -134,20 +134,21 @@ export default async function HackDetail({ params }: HackDetailProps) {
 canEdit: canUploadPatch,
 } = await checkPatchEditPermission(hack, user?.id as string, supabase);
+ // isAdmin always needs to be checked for archive hacks
 let isAdmin = false;
 if (!hack.approved || isArchive) {
 const { data: admin } = await supabase.rpc("is_admin");
 if (admin) {
 isAdmin = true;
- } else if (!isArchive) {
- return notFound();
+ } else if (!hack.approved) {
+ if (isArchive && !canEditAsArchiver) {
+ return notFound();
+ } else if (!canEdit) {
+ return notFound();
+ }
 }
 }
- if (isArchive && !isAdmin && !canEditAsArchiver) {
- return notFound();
- }
-
 // Extract patch info from cached metadata
 const patchFilename = patch?.filename || null;
 const patchVersion = isArchive ? "Archive" : (patch?.version || "");
diff --git a/src/app/hack/[slug]/stats/page.tsx b/src/app/hack/[slug]/stats/page.tsx
index 3e4fda5..052ff2d 100644
--- a/src/app/hack/[slug]/stats/page.tsx
+++ b/src/app/hack/[slug]/stats/page.tsx
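Review bot: With the standalone `if (isArchive && !isAdmin && !canEditAsArchiver)` block removed, an approved archive hack no longer reaches any `notFound()` for a visitor who is neither admin nor archiver, because every remaining gate sits under `else if (!hack.approved)`. If that widening is intended it deserves a comment here or a line in the commit message; if not, the archive check has to stay outside the `!hack.approved` branch. Separately, in the unapproved branch an archiver with `canEditAsArchiver` true still falls through to `else if (!canEdit)` and gets a 404 unless `canEdit` already covers archivers. Both flags are computed outside this hunk, so confirm that, or, if archiver rights alone should suffice, state the gate as one expression such as `const mayView = isArchive ? canEditAsArchiver : canEdit;` followed by `if (!mayView) return notFound();`. HackDetail's body starts and ends outside the hunk.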
@@ -2,7 +2,7 @@ import { createClient } from "@/utils/supabase/server";
 import { notFound, redirect } from "next/navigation";
 import HackStatsClient from "@/components/Hack/Stats/HackStatsClient";
 import { getDownloadsSeriesAll, getHackInsights } from "@/app/dashboard/actions";
-import { isArchiveHack, canEditAsArchiver } from "@/utils/hack";
+import { checkEditPermission } from "@/utils/hack";
 export default async function HackStatsPage({ params: { slug } }: { params: { slug: string } }) {
 const supa = await createClient();
@@ -17,11 +17,9 @@ export default async function HackStatsPage({ params: { slug } }: { params: { sl
 .maybeSingle();
 if (!hack) notFound();
- let isOwner = hack.created_by === user.id;
- if (!isOwner) {
- const isArchive = isArchiveHack(hack);
- const isEditableByArchiver = await canEditAsArchiver(hack, user.id, supa);
- if (!isOwner && !isArchive && !isEditableByArchiver) notFound();
+ const permission = await checkEditPermission(hack, user.id, supa);
+ if (!permission.canEdit) {
+ redirect(`/hack/${slug}`);
 }
 const allSeries = await getDownloadsSeriesAll({ days: 30 });
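Review bot: The stats gate in the second hunk now rests entirely on `permission.canEdit` from `checkEditPermission`, whose rules are not visible here, and a refusal changes from `notFound()` to a redirect to the hack's detail page. That redirect only stays safe for unapproved hacks because the detail page applies its own visibility checks, so the dependency deserves a comment above the `if`, for example `// Non-editors are sent to the detail page, which enforces its own visibility rules.` It would also help to document which roles `canEdit` covers (owner, archiver, possibly admin). The removed condition appears to have let any non-owner through for archive hacks, and the commit message does not mention tightening that. HackStatsPage's body continues outside the hunk.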