From 466c8985cb7cea9ca441c690242c6c4c43ae07e9 Mon Sep 17 00:00:00 2001
From: Cal Corum <calcorum@users.noreply.github.com>
Date: Fri, 19 Dec 2025 00:13:42 -0600
Subject: [PATCH] Restrict injury logging to player's team GMs only
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Security fix: Remove user_id from ConfirmationView so only the player's
team GM(s) can click "Log Injury" button. Anyone can still run /injury roll
to see the result, but only authorized GMs can record it.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 VERSION                         | 2 +-
 commands/injuries/management.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/VERSION b/VERSION
index 5c18f91..d6af7e3 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.25.0
+2.25.1
diff --git a/commands/injuries/management.py b/commands/injuries/management.py
index 2eea8af..9108711 100644
--- a/commands/injuries/management.py
+++ b/commands/injuries/management.py
@@ -205,8 +205,8 @@ class InjuryGroup(app_commands.Group):
                 injury_callback = batter_confirm_callback
 
             # Create confirmation view with appropriate callback
+            # Only the player's team GM(s) can log the injury
             view = ConfirmationView(
-                user_id=interaction.user.id,
                 timeout=180.0,  # 3 minutes for confirmation
                 responders=[player.team.gmid, player.team.gmid2] if player.team else None,
                 confirm_callback=injury_callback,