🔥 Remove legacy adminUrlId admin token

[lukevella]

• Remove adminToken fallback from polls.get (unauthenticated admin access via URL token)
• Remove adminUrlId from polls.get response; add canManage boolean instead
• Change polls.modify input from urlId (adminUrlId) to pollId
• Remove getPollIdFromAdminUrlId helper
• Update edit pages to pass poll.id instead of poll.adminUrlId
• Update layout guard to use canManage instead of adminUrlId presence

Closes RAL-1134

Summary by CodeRabbit

Refactor

• Unified poll identifier usage: updates and management now use the poll's internal ID instead of the previous URL-based identifier.
• Access control simplified: management permission is exposed as a boolean flag and invite redirect behavior updated.
• Data fetching reordered to fetch core poll data first, then participants/comments.
• API response shape adjusted to include a management flag instead of an admin URL field.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
app	Ready	Preview, Comment	Apr 5, 2026 0:22am

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
landing	Skipped		Apr 5, 2026 0:22am

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 8d62c22e-a37d-450a-b003-90c39d1b40af

📥 Commits

Reviewing files that changed from the base of the PR and between 46fa87f and 5325495.

📒 Files selected for processing (1)

• apps/web/src/app/[locale]/(optional-space)/poll/[urlId]/layout.tsx

🚧 Files skipped from review as they are similar to previous changes (1)

• apps/web/src/app/[locale]/(optional-space)/poll/[urlId]/layout.tsx

---

Walkthrough

Refactors poll identification and access control: API and client now use pollId and a canManage boolean instead of adminUrlId/admin token; server router inputs and client mutation payloads/layout redirects were updated accordingly.

Changes

Cohort / File(s)	Summary
Client mutation calls apps/web/src/app/[locale]/(optional-space)/poll/[urlId]/edit-details/page.tsx, .../edit-options/page.tsx, .../edit-settings/page.tsx	Changed update payloads to send pollId: poll.id (removed use of poll.adminUrlId).
Layout / access control apps/web/src/app/[locale]/(optional-space)/poll/[urlId]/layout.tsx	Replaced checks/redirects that referenced poll.adminUrlId with poll.canManage; adjusted fetch ordering to fetch poll first and prefetch participants/comments after authorization check.
Client types apps/web/src/trpc/client/types.ts	Replaced adminUrlId: string with canManage: boolean in GetPollApiResponse.
Server router apps/web/src/trpc/routers/polls.ts	Removed helper that resolved poll by adminUrlId; changed modify mutation input from { urlId } to { pollId }; removed adminToken from get input and simplified get logic to return canManage unconditionally.

Sequence Diagram(s)

sequenceDiagram
  participant Browser as Client (Browser)
  participant Page as Web Page (React)
  participant API as TRPC Router
  participant DB as Database

  Browser->>Page: User submits update (form data)
  Page->>API: updatePollMutation({ pollId, ...data })
  API->>DB: Update poll where id = pollId
  DB-->>API: Update result
  API-->>Page: { ok: true, ... }
  Page-->>Browser: Redirect / show success

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• 🔒️ Check poll admin privilage before mutation #2191: Modifies polls router and admin-access handling; may overlap with input/schema and authorization changes.
• 🔥 Remove deprecated procedures #2199: Replaces identifier usage from adminUrlId/urlId to pollId across client and router — strong code-level overlap.
• 🐛 Fix crash when accessing poll that doesn’t exist anymore #2218: Changes poll layout fetching/redirect logic that could conflict with the layout fetch-order and redirect updates here.

Poem

🐰 I hopped through code, a nimble guide,

Swapped tangled tokens for a simpler tide.
pollId now leads the merry run,
canManage flashes in morning sun,
The warren hums — updates done! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: removing legacy adminUrlId admin token from the codebase as evidenced by the router modifications, type updates, and page refactoring across all changed files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch luke/ral-1134-remove-legacy-adminurlid-admin-token

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

apps/web/src/app/[locale]/(optional-space)/poll/[urlId]/layout.tsx (1)

19-31: Defer the manager-only prefetches until after Line 30.

Now that canManage is the real gate, non-managers still pay for participants.list and comments.list on every redirected /poll/[urlId] hit. Fetch the poll first, redirect when !poll.canManage, then prefetch the manager-only queries.

♻️ Suggested restructuring

-  const [poll] = await Promise.all([
-    trpc.polls.get.fetch({ urlId: params.urlId }).catch((e) => {
-      if (e instanceof TRPCError && e.code === "NOT_FOUND") {
-        notFound();
-      }
-      throw e;
-    }),
-    trpc.polls.participants.list.prefetch({ pollId: params.urlId }),
-    trpc.polls.comments.list.prefetch({ pollId: params.urlId }),
-  ]);
+  const poll = await trpc.polls.get.fetch({ urlId: params.urlId }).catch((e) => {
+    if (e instanceof TRPCError && e.code === "NOT_FOUND") {
+      notFound();
+    }
+    throw e;
+  });
 
   if (!poll.canManage) {
     redirect(`/invite/${params.urlId}`);
   }
+
+  await Promise.all([
+    trpc.polls.participants.list.prefetch({ pollId: params.urlId }),
+    trpc.polls.comments.list.prefetch({ pollId: params.urlId }),
+  ]);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/web/src/app/`[locale]/(optional-space)/poll/[urlId]/layout.tsx around
lines 19 - 31, The current Promise.all runs manager-only prefetches
(trpc.polls.participants.list.prefetch and trpc.polls.comments.list.prefetch)
before checking poll.canManage, causing non-managers to pay for them; change the
flow to first await trpc.polls.get.fetch({ urlId: params.urlId }) (keeping the
existing catch that calls notFound()), then if (!poll.canManage) call
redirect(`/invite/${params.urlId}`), and only after that run the two prefetches
(trpc.polls.participants.list.prefetch and trpc.polls.comments.list.prefetch)
when poll.canManage is true so manager-only queries are deferred until access is
confirmed.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@apps/web/src/app/`[locale]/(optional-space)/poll/[urlId]/layout.tsx:
- Around line 19-31: The current Promise.all runs manager-only prefetches
(trpc.polls.participants.list.prefetch and trpc.polls.comments.list.prefetch)
before checking poll.canManage, causing non-managers to pay for them; change the
flow to first await trpc.polls.get.fetch({ urlId: params.urlId }) (keeping the
existing catch that calls notFound()), then if (!poll.canManage) call
redirect(`/invite/${params.urlId}`), and only after that run the two prefetches
(trpc.polls.participants.list.prefetch and trpc.polls.comments.list.prefetch)
when poll.canManage is true so manager-only queries are deferred until access is
confirmed.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: bb991bd9-f64d-4815-a879-58dd2289da6a

📥 Commits

Reviewing files that changed from the base of the PR and between 062762d and 46fa87f.

📒 Files selected for processing (6)

• apps/web/src/app/[locale]/(optional-space)/poll/[urlId]/edit-details/page.tsx
• apps/web/src/app/[locale]/(optional-space)/poll/[urlId]/edit-options/page.tsx
• apps/web/src/app/[locale]/(optional-space)/poll/[urlId]/edit-settings/page.tsx
• apps/web/src/app/[locale]/(optional-space)/poll/[urlId]/layout.tsx
• apps/web/src/trpc/client/types.ts
• apps/web/src/trpc/routers/polls.ts