diff --git a/src/routes/events/[event_id]/+page.svelte b/src/routes/events/[event_id]/+page.svelte index 3d48788e..bb827703 100644 --- a/src/routes/events/[event_id]/+page.svelte +++ b/src/routes/events/[event_id]/+page.svelte @@ -52,14 +52,29 @@ const modules = [ } ]; +// Filter modules by both access level and per-event cfg_json.modules_enabled let filtered_modules = $derived( modules.filter((mod) => { - if (mod.access === 'authenticated_access') - return $ae_loc.authenticated_access; - if (mod.access === 'trusted_access') return $ae_loc.trusted_access; - if (mod.access === 'administrator_access') - return $ae_loc.administrator_access; - return true; + // Access level gating (site/user level) + if (mod.access === 'authenticated_access' && !$ae_loc.authenticated_access) + return false; + if (mod.access === 'trusted_access' && !$ae_loc.trusted_access) + return false; + if (mod.access === 'administrator_access' && !$ae_loc.administrator_access) + return false; + + // Event-level gating via event.cfg_json.modules_enabled + // When modules_enabled is configured, it is a strict whitelist — + // only modules explicitly set to true are shown. All others are hidden. + // Default is HIDE: if modules_enabled is absent or the key is not set + // to true, the module is not shown. Admin must opt-in via the config page. + const modules_cfg = $lq__event_obj?.cfg_json?.modules_enabled ?? null; + if (modules_cfg !== null && typeof modules_cfg === 'object') { + return modules_cfg[mod.path] === true; + } + + // modules_enabled key not present at all → hide everything + return false; }) ); @@ -81,11 +96,11 @@ let filtered_modules = $derived(

-
+
{#each filtered_modules as mod (mod.path)} + class="card card-hover bg-surface-100 dark:bg-surface-800 border-surface-200 dark:border-surface-700 flex w-56 flex-col items-center space-y-4 border p-6 text-center shadow-lg transition-transform hover:scale-105">