From 5fc2148c81d487edbb795e9c3019bbb3bf4778a8 Mon Sep 17 00:00:00 2001
From: Cho Young-Hwi
Date: Tue, 17 Mar 2026 09:42:30 +0000
Subject: [PATCH] [#238] Add contract_address filter to admin hide/unhide
Scope admin moderation to current contract only, preventing hide/unhide from affecting storylines or plots on other contracts.
Fixes #238
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 src/app/api/admin/auth.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/app/api/admin/auth.ts b/src/app/api/admin/auth.ts
index 9815d9a5..705cc0cf 100644
--- a/src/app/api/admin/auth.ts
+++ b/src/app/api/admin/auth.ts
@@ -1,6 +1,7 @@
 import { NextRequest, NextResponse } from "next/server";
 import { timingSafeEqual } from "node:crypto";
 import { createServiceRoleClient } from "../../../../lib/supabase";
+import { STORY_FACTORY } from "../../../../lib/contracts/constants";
 /**
 * Constant-time string comparison that does NOT leak length.
@@ -70,9 +71,10 @@ export async function handleModeration(
 const hidden = action === "hide";
+ const contractAddr = STORY_FACTORY.toLowerCase();
 const { error: dbError } = type === "storyline"
- ? await supabase.from("storylines").update({ hidden }).eq("storyline_id", id)
- : await supabase.from("plots").update({ hidden }).eq("id", id);
+ ? await supabase.from("storylines").update({ hidden }).eq("storyline_id", id).eq("contract_address", contractAddr)
+ : await supabase.from("plots").update({ hidden }).eq("id", id).eq("contract_address", contractAddr);
 if (dbError) {
 return NextResponse.json(
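Review bot: The two narrowed `update` chains can now match zero rows (an id that lives under another contract, or a stored `contract_address` whose casing differs from `STORY_FACTORY.toLowerCase()`), and Supabase reports a zero-row update without an error, so the only check visible here, `if (dbError)`, would let the handler report success while the content stays visible. For a moderation endpoint that silent no-op is worth surfacing: append `.select("storyline_id")` and `.select("id")` to the respective chains, destructure `data` alongside `error: dbError`, and return a 404 in the handler's existing error shape when `data` is empty. It is also worth confirming, and stating in a comment next to `contractAddr`, that `contract_address` is always written lowercased, since the filter depends on it. `handleModeration` starts and ends outside this hunk, so the success path may already cover this.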