Cymero
Severity: medium | Scope: preview/code only | Scanner: Next.js route scan | Confidence: 78%

Admin access is protected only in React state

The admin page renders protected controls before a server-side role check.

Why this matters

A user may bypass the UI and call admin actions directly if server routes do not enforce roles.

Evidence

src/app/admin/page.tsx:31

Production evidence:
1. Client component checks user.role === 'admin'.
2. No server action authorization guard was detected in adjacent files.
3. Admin API routes are present under /api/admin.

Suggested fix

Move role checks to server components, middleware, and every admin API/action that mutates or reads sensitive data.

Paste into Cursor

Add server-side role enforcement for src/app/admin and every /api/admin route. Do not rely on client state for admin authorization.