fix: enforce HP visibility on player-emitted rolls, add membership check to request-state

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-11 15:53:20 -04:00 · 2026-04-11 15:53:20 -04:00 · 7a032bc277
commit 7a032bc277
parent 247379ba57
1 changed files with 15 additions and 13 deletions
--- a/server/src/routes/initiative.ts
+++ b/server/src/routes/initiative.ts
@ -54,15 +54,16 @@ export function stripHp(combats: CombatState[]): CombatState[] {
  }));
 }

-// Broadcast full state to sender, HP-stripped to everyone else in the room.
+// Broadcast full state to sender (if DM), HP-stripped to everyone else in the room.
 function broadcast(
  io: Server,
  socket: Socket,
  campaignId: number,
-  combats: CombatState[]
+  combats: CombatState[],
+  callerIsDM: boolean
 ): void {
  socket.to(`campaign:${campaignId}`).emit("initiative:updated", stripHp(combats));
-  socket.emit("initiative:updated", combats);
+  socket.emit("initiative:updated", callerIsDM ? combats : stripHp(combats));
 }

 async function checkDM(socket: Socket, campaignId: number): Promise<boolean> {
@ -113,7 +114,8 @@ export function registerInitiativeHandlers(io: Server, socket: Socket): void {
        "SELECT role FROM campaign_members WHERE campaign_id = ? AND user_id = ?",
        [campaignId, userId]
      );
-      const dm = rows.length > 0 && rows[0].role === "dm";
+      if (rows.length === 0) return; // not a member of this campaign
+      const dm = rows[0].role === "dm";
      const combats = await loadCombats(campaignId);
      socket.emit("initiative:state", dm ? combats : stripHp(combats));
    } catch (err) {
@ -152,7 +154,7 @@ export function registerInitiativeHandlers(io: Server, socket: Socket): void {
      };
      const updated = [...combats, newCombat];
      await saveCombats(data.campaignId, updated);
-      broadcast(io, socket, data.campaignId, updated);
+      broadcast(io, socket, data.campaignId, updated, true);
    } catch (err) {
      console.error("[initiative]", err);
    }
@ -203,7 +205,7 @@ export function registerInitiativeHandlers(io: Server, socket: Socket): void {
        };
      });
      await saveCombats(data.campaignId, updated);
-      broadcast(io, socket, data.campaignId, updated);
+      broadcast(io, socket, data.campaignId, updated, dm);
    } catch (err) {
      console.error("[initiative]", err);
    }
@ -237,7 +239,7 @@ export function registerInitiativeHandlers(io: Server, socket: Socket): void {
        c.id !== data.combatId ? c : { ...c, enemy_roll: rollValue }
      );
      await saveCombats(data.campaignId, updated);
-      broadcast(io, socket, data.campaignId, updated);
+      broadcast(io, socket, data.campaignId, updated, true);
    } catch (err) {
      console.error("[initiative]", err);
    }
@ -262,7 +264,7 @@ export function registerInitiativeHandlers(io: Server, socket: Socket): void {
        };
      });
      await saveCombats(data.campaignId, updated);
-      broadcast(io, socket, data.campaignId, updated);
+      broadcast(io, socket, data.campaignId, updated, true);
    } catch (err) {
      console.error("[initiative]", err);
    }
@ -288,7 +290,7 @@ export function registerInitiativeHandlers(io: Server, socket: Socket): void {
        };
      });
      await saveCombats(data.campaignId, updated);
-      broadcast(io, socket, data.campaignId, updated);
+      broadcast(io, socket, data.campaignId, updated, true);
    } catch (err) {
      console.error("[initiative]", err);
    }
@ -322,7 +324,7 @@ export function registerInitiativeHandlers(io: Server, socket: Socket): void {
        };
      });
      await saveCombats(data.campaignId, updated);
-      broadcast(io, socket, data.campaignId, updated);
+      broadcast(io, socket, data.campaignId, updated, true);
    } catch (err) {
      console.error("[initiative]", err);
    }
@ -351,7 +353,7 @@ export function registerInitiativeHandlers(io: Server, socket: Socket): void {
        }
      );
      await saveCombats(data.campaignId, updated);
-      broadcast(io, socket, data.campaignId, updated);
+      broadcast(io, socket, data.campaignId, updated, true);
    } catch (err) {
      console.error("[initiative]", err);
    }
@ -374,7 +376,7 @@ export function registerInitiativeHandlers(io: Server, socket: Socket): void {
        }
      );
      await saveCombats(data.campaignId, updated);
-      broadcast(io, socket, data.campaignId, updated);
+      broadcast(io, socket, data.campaignId, updated, true);
    } catch (err) {
      console.error("[initiative]", err);
    }
@ -391,7 +393,7 @@ export function registerInitiativeHandlers(io: Server, socket: Socket): void {
      const combats = await loadCombats(data.campaignId);
      const updated = combats.filter((c) => c.id !== data.combatId);
      await saveCombats(data.campaignId, updated);
-      broadcast(io, socket, data.campaignId, updated);
+      broadcast(io, socket, data.campaignId, updated, true);
    } catch (err) {
      console.error("[initiative]", err);
    }