From 9c85ed21b3b99c29a62a9f759d8c17bab61032de Mon Sep 17 00:00:00 2001
From: Hera Zhao
Date: Mon, 6 Apr 2026 22:30:24 +0000
Subject: [PATCH] Allow all logged-in users to create/edit/delete their own recipes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Previously only editor+ roles could manage recipes, so viewer users saw an empty "我的配方" section. Now any authenticated user can CRUD their own recipes while admin/senior_editor retain full access.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
backend/main.py | 14 ++++++++++----
frontend/src/stores/auth.js | 2 +-
2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/backend/main.py b/backend/main.py
index 3ac3bd5..8818527 100644
--- a/backend/main.py
+++ b/backend/main.py
@@ -713,7 +713,9 @@ def get_recipe(recipe_id: int):
 
 
 @app.post("/api/recipes", status_code=201)
-def create_recipe(recipe: RecipeIn, user=Depends(require_role("admin", "senior_editor", "editor"))):
+def create_recipe(recipe: RecipeIn, user=Depends(get_current_user)):
+    if not user.get("id"):
+        raise HTTPException(401, "请先登录")
     conn = get_db()
     c = conn.cursor()
     c.execute("INSERT INTO recipes (name, note, owner_id) VALUES (?, ?, ?)",
@@ -748,13 +750,15 @@ def _check_recipe_permission(conn, recipe_id, user):
         raise HTTPException(404, "Recipe not found")
     if user["role"] in ("admin", "senior_editor"):
         return row
-    if user["role"] == "editor" and row["owner_id"] == user["id"]:
+    if row["owner_id"] == user.get("id"):
         return row
     raise HTTPException(403, "只能修改自己创建的配方")
 
 
 @app.put("/api/recipes/{recipe_id}")
-def update_recipe(recipe_id: int, update: RecipeUpdate, user=Depends(require_role("admin", "senior_editor", "editor"))):
+def update_recipe(recipe_id: int, update: RecipeUpdate, user=Depends(get_current_user)):
+    if not user.get("id"):
+        raise HTTPException(401, "请先登录")
     conn = get_db()
     c = conn.cursor()
     _check_recipe_permission(conn, recipe_id, user)
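Review bot: The login check in create_recipe is an inline `if not user.get("id")` placed after `Depends(get_current_user)` has already resolved, so the authentication decision now lives in each handler body instead of in the dependency; the identical two lines are repeated in update_recipe (second hunk of this file) and delete_recipe (next hunk). Any future recipe route that takes `Depends(get_current_user)` and omits those two lines is reachable without a login, and nothing in the route signature makes that omission visible. A small `require_login` dependency that wraps get_current_user, raises the same `HTTPException(401, "请先登录")` when `id` is missing and returns the user, used as `user=Depends(require_login)` in all three handlers, keeps the check declarative and in one place. Whether get_current_user really returns an id-less dict for anonymous callers is not visible in this hunk; if it raises instead, the new guard is dead code.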
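Review bot: `if row["owner_id"] == user.get("id"):` in _check_recipe_permission returns the row when both sides are None: a recipe whose owner_id is NULL compared against a user dict with no id evaluates `None == None`, which is True, so an anonymous caller would pass the ownership test for such rows. The old line failed loudly on `user["id"]`; with `.get` the helper is only safe if every caller has already rejected id-less users, which is exactly the inline guard this patch adds and which a future caller may forget. Make the helper correct on its own: `uid = user.get("id")` followed by `if uid is not None and row["owner_id"] == uid:`. Whether owner_id can be NULL in this schema, and the start of _check_recipe_permission, are both outside the hunk.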
@@ -793,7 +797,9 @@ def update_recipe(recipe_id: int, update: RecipeUpdate, user=Depends(require_rol
 
 
 @app.delete("/api/recipes/{recipe_id}")
-def delete_recipe(recipe_id: int, user=Depends(require_role("admin", "senior_editor", "editor"))):
+def delete_recipe(recipe_id: int, user=Depends(get_current_user)):
+    if not user.get("id"):
+        raise HTTPException(401, "请先登录")
     conn = get_db()
     row = _check_recipe_permission(conn, recipe_id, user)
     # Save full snapshot for undo
diff --git a/frontend/src/stores/auth.js b/frontend/src/stores/auth.js
index c894d3b..c1b28df 100644
--- a/frontend/src/stores/auth.js
+++ b/frontend/src/stores/auth.js
@@ -82,7 +82,7 @@ export const useAuthStore = defineStore('auth', () => {
 
   function canEditRecipe(recipe) {
     if (isAdmin.value || user.value.role === 'senior_editor') return true
-    if (user.value.role === 'editor' && recipe._owner_id === user.value.id) return true
+    if (recipe._owner_id === user.value.id) return true
     return false
   }
 
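Review bot: `recipe._owner_id === user.value.id` in canEditRecipe is true when both sides are undefined, so a recipe object that lacks `_owner_id` (or a user object that lacks `id`) shows the edit and delete controls to anyone who reaches this line. This is only a UI hint and the backend still decides, but the dropped role test was what previously kept the comparison from matching on missing values, and the UI rule should mirror the server's "own the row" check rather than be looser than it. Change the line to `if (user.value.id != null && recipe._owner_id === user.value.id) return true`. Whether user.value can be null here is not visible in the hunk; the line above already dereferences it, so that is a pre-existing assumption.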