From 0dfee5cd36b0a97dcff9ec67c4de7d958b1d6add Mon Sep 17 00:00:00 2001
From: chihlasm <michael@chihlas.com>
Date: Thu, 5 Feb 2026 23:34:47 -0500
Subject: [PATCH] fix: check edit permissions before loading tree into editor

TreeEditorPage now verifies canEditTree() after fetching tree data but
before loading it into the editor store. Previously only checked
canCreateTrees which doesn't prevent non-owners from editing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 frontend/src/pages/TreeEditorPage.tsx | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/frontend/src/pages/TreeEditorPage.tsx b/frontend/src/pages/TreeEditorPage.tsx
index 1715617a..203d9718 100644
--- a/frontend/src/pages/TreeEditorPage.tsx
+++ b/frontend/src/pages/TreeEditorPage.tsx
@@ -15,7 +15,7 @@ export function TreeEditorPage() {
   const { id } = useParams<{ id: string }>()
   const navigate = useNavigate()
   const isEditMode = !!id
-  const { canCreateTrees } = usePermissions()
+  const { canCreateTrees, canEditTree } = usePermissions()
 
   const {
     name,
@@ -93,6 +93,10 @@ export function TreeEditorPage() {
         setLoading(true)
         try {
           const tree = await treesApi.get(id)
+          if (!canEditTree({ author_id: tree.author_id, team_id: tree.team_id })) {
+            navigate('/trees')
+            return
+          }
           loadTree(tree)
         } catch (err) {
           console.error('Failed to load tree:', err)