Skip to content

[codex] Gate guest RSVP visibility#514

Closed
KishParikh13 wants to merge 1 commit into
v2from
codex/guest-rsvp-visibility
Closed

[codex] Gate guest RSVP visibility#514
KishParikh13 wants to merge 1 commit into
v2from
codex/guest-rsvp-visibility

Conversation

@KishParikh13

@KishParikh13 KishParikh13 commented Jun 17, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • make event attendee lists private to admins, event creators, and account users registered for the event
  • include account-less guest RSVPs in private event-detail counts/lists while keeping guest emails hidden outside admin review
  • add admin guest RSVP review rows with name/email and split account-vs-guest counts
  • keep public event counts and avatar previews account-attendee-only

Why

Account-less RSVPs were saved but not visible to organizers. They should be reviewable by admins and visible to people who are legitimately part of the event, without leaking guest attendance through public event cards, counts, or avatar stacks.

Validation

  • npm run typecheck:backend
  • npm run typecheck:frontend
  • cd packages/backend && npm run test:cloudflare:app

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 17, 2026

Copy link
Copy Markdown

Deploying chinmaya-janata with  Cloudflare Pages  Cloudflare Pages

Latest commit: 0149a8f
Status: ✅  Deploy successful!
Preview URL: https://c619d317.project-janatha.pages.dev
Branch Preview URL: https://codex-guest-rsvp-visibility.project-janatha.pages.dev

View logs

@KishParikh13

KishParikh13 commented Jun 17, 2026

Copy link
Copy Markdown
Collaborator Author

Implemented on v2 with a cleaner model that preserves the shipped #505/#504 privacy design: the public attendee COUNT now includes guest RSVPs (accurate 'X going', no PII), and the attendee LIST (/getEventUsers) is gated to logged-in attendees/creator/admin. See the commit on v2. Closing this draft in favor of that.

KishParikh13 added a commit that referenced this pull request Jun 17, 2026
@KishParikh13 @claude
feat(events): gate "who's going" list, keep public count guest-inclusive
ffa86b3 
Resolves #514's intent without reversing the #505/#504 privacy model:

- Public attendee COUNT (people_attending) now = account attendees +
  non-upgraded guest RSVPs, via a shared recomputeAttendeeCount() called
  from addEventAttendee/removeEventAttendee/upgradeGuestRsvps/createGuestRsvp.
  So "X going" stays accurate including guests — no PII, just a number.
- /getEventUsers (the WHO list) is now gated: authMiddleware (401) + must be
  an attendee, the creator, or an admin (else 403). Still PII-free; the
  separate gated /events/:id/roster remains the emails+guests view.
- Frontend useEventDetail: count comes from the event's peopleAttending (not
  the account-list length); a gated list no longer errors the screen; RSVP
  toggles the count optimistically.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@KishParikh13 KishParikh13 mentioned this pull request Jun 17, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@KishParikh13