Allow LNbits admin to edit another user's event #22

Open
opened 2026-05-24 16:49:32 +00:00 by padreug · 0 comments
Owner

Context

The events extension admin index has an All Users' Events card (admin-only) that lists every event across every wallet. Today it's read-only — the admin can see proposed/rejected/canceled events from other organizers but can't act on them beyond the existing approve / reject / cancel controls.

A follow-up to PR #19, which made cross-tenant ownership visible by adding the Owner column.

Ask

Let the LNbits admin edit another user's event from the admin UI:

  • Title, description, banner image
  • Start / end / closing dates
  • Price / currency / capacity
  • Ticket policy flags (allow_fiat, auto_approve, etc.)
  • Status (approved / proposed / rejected / canceled — already partially covered by the existing controls)

Today the PUT /events/{event_id} endpoint is gated on require_admin_key for the event's wallet. An LNbits-level admin holding their own wallet's admin_key can't edit because the event belongs to a different wallet. Either:

  • Loosen the endpoint to accept either the event-owner's admin_key OR an LNbits-level admin token (via check_admin), or
  • Add a sibling admin-only endpoint (PUT /events/admin/{event_id} gated by check_admin) that bypasses the wallet check.

The republish-to-Nostr side already handles "admin reaches into other users' events" — see republish-all — so the precedent exists.

Why

Today an organizer who needs to fix a typo, postpone, or cancel an event must do it themselves. If they're unreachable, the LNbits admin has no recourse besides approving/rejecting the existing record. This blocks normal moderation flows (typo fix, contested cancellation, etc.).

Notes

  • Same wallet/owner check needs to be relaxed for the corresponding webapp activities flow if/when this lands — the useActivityDetail "isMine" gate hides Edit from non-owners. An admin-level "isAdmin" override needs to be threaded through.
  • Audit trail: consider stamping last_edited_by_user_id on admin-edited rows so the event-owner can see "an admin edited this on YYYY-MM-DD" rather than silent override.
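An added example, not part of the issue or the events extension's code: a self-contained model of the authorization decision discussed above, combining the owner-or-admin check with the suggested `last_edited_by_user_id` stamp. The caller and event dictionaries, the `EDITABLE` field names other than `allow_fiat` and `auto_approve`, and the `last_edited_at` key are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Assumed field names, taken from the list in the issue. `id` and `wallet` are
# deliberately absent so no edit path can move an event to another tenant.
EDITABLE = {"title", "description", "banner", "start_date", "end_date",
            "closing_date", "price", "currency", "capacity",
            "allow_fiat", "auto_approve", "status"}
STATUSES = {"approved", "proposed", "rejected", "canceled"}

# Constructed sample data (hypothetical ids).
EVENT = {"id": "ev1", "wallet": "w-organizer", "title": "Meetup",
         "status": "proposed", "last_edited_by_user_id": None}
OWNER = {"user_id": "u-organizer", "admin_key_wallets": {"w-organizer"},
         "is_instance_admin": False}
ADMIN = {"user_id": "u-admin", "admin_key_wallets": {"w-admin"},
         "is_instance_admin": True}
STRANGER = {"user_id": "u-other", "admin_key_wallets": {"w-other"},
            "is_instance_admin": False}


def authorize_edit(caller: dict, event: dict) -> str:
    """Return the path that grants access; the owner path is tried first."""
    if event["wallet"] in caller["admin_key_wallets"]:
        return "owner"   # caller holds the admin_key of the event's wallet
    if caller["is_instance_admin"]:
        return "admin"   # what a check_admin-style gate would establish
    raise PermissionError("neither event owner nor instance admin")


def apply_edit(caller: dict, event: dict, changes: dict, now: datetime) -> dict:
    """Authorize, validate against the allowlist, return an updated copy."""
    path = authorize_edit(caller, event)   # authorize before inspecting input
    unknown = set(changes) - EDITABLE
    if unknown:
        raise ValueError(f"fields not editable: {sorted(unknown)}")
    if changes.get("status", event["status"]) not in STATUSES:
        raise ValueError("unknown status")
    updated = {**event, **changes}
    if path == "admin":
        # Stamp only cross-tenant edits so the owner can see the override.
        updated["last_edited_by_user_id"] = caller["user_id"]
        updated["last_edited_at"] = now.isoformat()
    return updated


if __name__ == "__main__":
    now = datetime(2026, 5, 24, tzinfo=timezone.utc)
    print(apply_edit(ADMIN, EVENT, {"status": "canceled"}, now))
```

Keeping the allowlist and the stamp in one function means both endpoint options in the issue (a loosened `PUT /events/{event_id}` or a sibling admin-only route) can share the same decision and the same audit behaviour.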
Reference
aiolabs/events#22