From fce62725c358a646aaee88f496a2a5266777ff99 Mon Sep 17 00:00:00 2001
From: Mike Johnston <mike@nervesocket.com>
Date: Sat, 28 Feb 2026 03:23:47 -0500
Subject: [PATCH] permission fix

---
 src/routes/admin.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/routes/admin.js b/src/routes/admin.js
index 791c7e8..43a7ed6 100644
--- a/src/routes/admin.js
+++ b/src/routes/admin.js
@@ -21,8 +21,8 @@ router.use(requireOrganizerOrAdmin);
 
 // Admin/Organizer dashboard
 router.get('/', (req, res) => {
-  const hunts = Hunts.getByCreator(req.session.userId);
   const isAdmin = !!req.session.isAdmin;
+  const hunts = isAdmin ? Hunts.getAll() : Hunts.getByCreator(req.session.userId);
 
   // Only admins see the full user list and password reset
   const users = isAdmin ? Users.getAllUsers() : [];
@@ -178,7 +178,7 @@ router.post('/reset-password', requireAdmin, (req, res) => {
   const user = Users.findByUsername(username);
 
   if (!user) {
-    const hunts = Hunts.getByCreator(req.session.userId);
+    const hunts = Hunts.getAll();
     const users = Users.getAllUsers();
     req.session.flash = { type: 'danger', message: `User "${username}" not found.` };
     return res.redirect('/admin');
@@ -188,7 +188,7 @@ router.post('/reset-password', requireAdmin, (req, res) => {
   const baseUrl = process.env.BASE_URL || `http://localhost:${process.env.PORT || 3000}`;
   const resetUrl = `${baseUrl}/auth/reset/${token}`;
 
-  const hunts = Hunts.getByCreator(req.session.userId);
+  const hunts = Hunts.getAll();
   const users = Users.getAllUsers();
   res.render('admin/dashboard', {
     title: 'Admin Dashboard',