From 680ef9d440b2cb3c92dc65c621b71e93134a56bc Mon Sep 17 00:00:00 2001
From: Davide Scaini <davide.scaini@alumni.cern>
Date: Sun, 3 May 2026 18:51:52 +0200
Subject: [PATCH] Hide edit controls on activities the logged-in user does not
 own

---
 site/src/components/ActivityDetail.svelte | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/site/src/components/ActivityDetail.svelte b/site/src/components/ActivityDetail.svelte
index 38c98b8..133b783 100644
--- a/site/src/components/ActivityDetail.svelte
+++ b/site/src/components/ActivityDetail.svelte
@@ -14,7 +14,10 @@
   export let athlete: AthleteZones | null = null;
 
   const editUrl = import.meta.env.PUBLIC_EDIT_URL ?? '';
-  const editEnabled = editUrl !== '' || import.meta.env.PUBLIC_EDIT_ENABLED === 'true';
+  const editGloballyEnabled = editUrl !== '' || import.meta.env.PUBLIC_EDIT_ENABLED === 'true';
+
+  let currentHandle: string | null = null;
+  $: editEnabled = editGloballyEnabled && currentHandle !== null && currentHandle === activity.handle;
 
   let detail: ActivityDetail | null = null;
   let timeseries: Timeseries | null = null;
@@ -30,6 +33,11 @@
   $: displayTitle = localTitle || activity.title;
 
   onMount(async () => {
+    fetch('/api/me', { credentials: 'include' })
+      .then(r => r.ok ? r.json() : null)
+      .then(u => { if (u?.handle) currentHandle = u.handle; })
+      .catch(() => {});
+
     try {
       detail = await loadActivity(activity.id, activity.detail_url ?? '', base);
       if (!detail) throw new Error('Activity not found');