valknar/sexy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: refactor role system to is_admin flag, add Badge component, fix native dialogs

Browse Source 
- Separate admin identity from role: viewer|model + is_admin boolean flag
- DB migration 0001_is_admin: adds column, migrates former admin role users
- Update ACL helpers, auth session, GraphQL types and all resolvers
- Admin layout guard and header links check is_admin instead of role
- Admin users table: show Admin badge next to name, remove admin from role select
- Admin user edit page: is_admin checkbox toggle
- Install shadcn Badge component; use in admin users table
- Fix duplicate photo keys in adminGetUser resolver
- Replace confirm() in /me recordings with Dialog component

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Sebastian Krüger
2026-03-06 16:14:00 +01:00
parent 9ef490c1e5
commit 670c18bcb7
19 changed files with 162 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
packages/backend/src/db/schema/users.ts
View File

@@ -29,6 +29,7 @@ export const users = pgTable(
role: roleEnum("role").notNull().default("viewer"),
avatar: text("avatar").references(() => files.id, { onDelete: "set null" }),
banner: text("banner").references(() => files.id, { onDelete: "set null" }),
is_admin: boolean("is_admin").notNull().default(false),
email_verified: boolean("email_verified").notNull().default(false),
email_verify_token: text("email_verify_token"),
password_reset_token: text("password_reset_token"),

10
packages/backend/src/graphql/resolvers/articles.ts
View File

@@ -2,7 +2,7 @@ import { builder } from "../builder";
import { ArticleType } from "../types/index";
import { articles, users } from "../../db/schema/index";
import { eq, and, lte, desc } from "drizzle-orm";
import { requireRole } from "../../lib/acl";
import { requireAdmin } from "../../lib/acl";
async function enrichArticle(db: any, article: any) {
let author = null;
@@ -78,7 +78,7 @@ builder.queryField("adminListArticles", (t) =>
t.field({
type: [ArticleType],
resolve: async (_root, _args, ctx) => {
requireRole(ctx, "admin");
requireAdmin(ctx);
const articleList = await ctx.db.select().from(articles).orderBy(desc(articles.publish_date));
return Promise.all(articleList.map((article: any) => enrichArticle(ctx.db, article)));
},
@@ -100,7 +100,7 @@ builder.mutationField("createArticle", (t) =>
publishDate: t.arg.string(),
},
resolve: async (_root, args, ctx) => {
requireRole(ctx, "admin");
requireAdmin(ctx);
const inserted = await ctx.db
.insert(articles)
.values({
@@ -138,7 +138,7 @@ builder.mutationField("updateArticle", (t) =>
publishDate: t.arg.string(),
},
resolve: async (_root, args, ctx) => {
requireRole(ctx, "admin");
requireAdmin(ctx);
const updates: Record<string, unknown> = { date_updated: new Date() };
if (args.title !== undefined && args.title !== null) updates.title = args.title;
if (args.slug !== undefined && args.slug !== null) updates.slug = args.slug;
@@ -169,7 +169,7 @@ builder.mutationField("deleteArticle", (t) =>
id: t.arg.string({ required: true }),
},
resolve: async (_root, args, ctx) => {
requireRole(ctx, "admin");
requireAdmin(ctx);
await ctx.db.delete(articles).where(eq(articles.id, args.id));
return true;
},

3
packages/backend/src/graphql/resolvers/auth.ts
View File

@@ -32,7 +32,8 @@ builder.mutationField("login", (t) =>
const sessionUser = {
id: user[0].id,
email: user[0].email,
role: user[0].role,
role: (user[0].role === "admin" ? "viewer" : user[0].role) as "model" | "viewer",
is_admin: user[0].is_admin,
first_name: user[0].first_name,
last_name: user[0].last_name,
artist_name: user[0].artist_name,

25
packages/backend/src/graphql/resolvers/users.ts
View File

@@ -3,7 +3,7 @@ import { builder } from "../builder";
import { CurrentUserType, UserType, AdminUserListType, AdminUserDetailType } from "../types/index";
import { users, user_photos, files } from "../../db/schema/index";
import { eq, ilike, or, count, and } from "drizzle-orm";
import { requireRole } from "../../lib/acl";
import { requireAdmin } from "../../lib/acl";
builder.queryField("me", (t) =>
t.field({
@@ -86,7 +86,7 @@ builder.queryField("adminListUsers", (t) =>
offset: t.arg.int(),
},
resolve: async (_root, args, ctx) => {
requireRole(ctx, "admin");
requireAdmin(ctx);
const limit = args.limit ?? 50;
const offset = args.offset ?? 0;
@@ -126,6 +126,7 @@ builder.mutationField("adminUpdateUser", (t) =>
args: {
userId: t.arg.string({ required: true }),
role: t.arg.string(),
isAdmin: t.arg.boolean(),
firstName: t.arg.string(),
lastName: t.arg.string(),
artistName: t.arg.string(),
@@ -133,10 +134,11 @@ builder.mutationField("adminUpdateUser", (t) =>
bannerId: t.arg.string(),
},
resolve: async (_root, args, ctx) => {
requireRole(ctx, "admin");
requireAdmin(ctx);
const updates: Record<string, unknown> = { date_updated: new Date() };
if (args.role !== undefined && args.role !== null) updates.role = args.role as any;
if (args.isAdmin !== undefined && args.isAdmin !== null) updates.is_admin = args.isAdmin;
if (args.firstName !== undefined && args.firstName !== null)
updates.first_name = args.firstName;
if (args.lastName !== undefined && args.lastName !== null) updates.last_name = args.lastName;
@@ -163,7 +165,7 @@ builder.mutationField("adminDeleteUser", (t) =>
userId: t.arg.string({ required: true }),
},
resolve: async (_root, args, ctx) => {
requireRole(ctx, "admin");
requireAdmin(ctx);
if (args.userId === ctx.currentUser!.id) throw new GraphQLError("Cannot delete yourself");
await ctx.db.delete(users).where(eq(users.id, args.userId));
return true;
@@ -179,7 +181,7 @@ builder.queryField("adminGetUser", (t) =>
userId: t.arg.string({ required: true }),
},
resolve: async (_root, args, ctx) => {
requireRole(ctx, "admin");
requireAdmin(ctx);
const user = await ctx.db.select().from(users).where(eq(users.id, args.userId)).limit(1);
if (!user[0]) return null;
const photoRows = await ctx.db
@@ -188,10 +190,11 @@ builder.queryField("adminGetUser", (t) =>
.leftJoin(files, eq(user_photos.file_id, files.id))
.where(eq(user_photos.user_id, args.userId))
.orderBy(user_photos.sort);
return {
...user[0],
photos: photoRows.map((p: any) => ({ id: p.id, filename: p.filename })),
};
const seen = new Set<string>();
const photos = photoRows
.filter((p: any) => p.id && !seen.has(p.id) && seen.add(p.id))
.map((p: any) => ({ id: p.id, filename: p.filename }));
return { ...user[0], photos };
},
}),
);
@@ -204,7 +207,7 @@ builder.mutationField("adminAddUserPhoto", (t) =>
fileId: t.arg.string({ required: true }),
},
resolve: async (_root, args, ctx) => {
requireRole(ctx, "admin");
requireAdmin(ctx);
await ctx.db.insert(user_photos).values({ user_id: args.userId, file_id: args.fileId });
return true;
},
@@ -219,7 +222,7 @@ builder.mutationField("adminRemoveUserPhoto", (t) =>
fileId: t.arg.string({ required: true }),
},
resolve: async (_root, args, ctx) => {
requireRole(ctx, "admin");
requireAdmin(ctx);
await ctx.db
.delete(user_photos)
.where(and(eq(user_photos.user_id, args.userId), eq(user_photos.file_id, args.fileId)));

12
packages/backend/src/graphql/resolvers/videos.ts
View File

@@ -15,7 +15,7 @@ import {
files,
} from "../../db/schema/index";
import { eq, and, lte, desc, inArray, count } from "drizzle-orm";
import { requireRole } from "../../lib/acl";
import { requireAdmin } from "../../lib/acl";
async function enrichVideo(db: any, video: any) {
// Fetch models
@@ -432,7 +432,7 @@ builder.queryField("adminListVideos", (t) =>
t.field({
type: [VideoType],
resolve: async (_root, _args, ctx) => {
requireRole(ctx, "admin");
requireAdmin(ctx);
const rows = await ctx.db.select().from(videos).orderBy(desc(videos.upload_date));
return Promise.all(rows.map((v: any) => enrichVideo(ctx.db, v)));
},
@@ -454,7 +454,7 @@ builder.mutationField("createVideo", (t) =>
uploadDate: t.arg.string(),
},
resolve: async (_root, args, ctx) => {
requireRole(ctx, "admin");
requireAdmin(ctx);
const inserted = await ctx.db
.insert(videos)
.values({
@@ -491,7 +491,7 @@ builder.mutationField("updateVideo", (t) =>
uploadDate: t.arg.string(),
},
resolve: async (_root, args, ctx) => {
requireRole(ctx, "admin");
requireAdmin(ctx);
const updates: Record<string, unknown> = {};
if (args.title !== undefined && args.title !== null) updates.title = args.title;
if (args.slug !== undefined && args.slug !== null) updates.slug = args.slug;
@@ -522,7 +522,7 @@ builder.mutationField("deleteVideo", (t) =>
id: t.arg.string({ required: true }),
},
resolve: async (_root, args, ctx) => {
requireRole(ctx, "admin");
requireAdmin(ctx);
await ctx.db.delete(videos).where(eq(videos.id, args.id));
return true;
},
@@ -537,7 +537,7 @@ builder.mutationField("setVideoModels", (t) =>
userIds: t.arg.stringList({ required: true }),
},
resolve: async (_root, args, ctx) => {
requireRole(ctx, "admin");
requireAdmin(ctx);
await ctx.db.delete(video_models).where(eq(video_models.video_id, args.videoId));
if (args.userIds.length > 0) {
await ctx.db.insert(video_models).values(

3
packages/backend/src/graphql/types/index.ts
View File

@@ -53,6 +53,7 @@ export const UserType = builder.objectRef<User>("User").implement({
description: t.exposeString("description", { nullable: true }),
tags: t.exposeStringList("tags", { nullable: true }),
role: t.exposeString("role"),
is_admin: t.exposeBoolean("is_admin"),
avatar: t.exposeString("avatar", { nullable: true }),
banner: t.exposeString("banner", { nullable: true }),
email_verified: t.exposeBoolean("email_verified"),
@@ -72,6 +73,7 @@ export const CurrentUserType = builder.objectRef<User>("CurrentUser").implement(
description: t.exposeString("description", { nullable: true }),
tags: t.exposeStringList("tags", { nullable: true }),
role: t.exposeString("role"),
is_admin: t.exposeBoolean("is_admin"),
avatar: t.exposeString("avatar", { nullable: true }),
banner: t.exposeString("banner", { nullable: true }),
email_verified: t.exposeBoolean("email_verified"),
@@ -359,6 +361,7 @@ export const AdminUserDetailType = builder
description: t.exposeString("description", { nullable: true }),
tags: t.exposeStringList("tags", { nullable: true }),
role: t.exposeString("role"),
is_admin: t.exposeBoolean("is_admin"),
avatar: t.exposeString("avatar", { nullable: true }),
banner: t.exposeString("banner", { nullable: true }),
email_verified: t.exposeBoolean("email_verified"),

8
packages/backend/src/lib/acl.ts
View File

@@ -1,20 +1,18 @@
import { GraphQLError } from "graphql";
import type { Context } from "../graphql/builder";
type UserRole = "viewer" | "model" | "admin";
export function requireAuth(ctx: Context): void {
if (!ctx.currentUser) throw new GraphQLError("Unauthorized");
}
export function requireRole(ctx: Context, ...roles: UserRole[]): void {
export function requireAdmin(ctx: Context): void {
requireAuth(ctx);
if (!roles.includes(ctx.currentUser!.role)) throw new GraphQLError("Forbidden");
if (!ctx.currentUser!.is_admin) throw new GraphQLError("Forbidden");
}
export function requireOwnerOrAdmin(ctx: Context, ownerId: string): void {
requireAuth(ctx);
if (ctx.currentUser!.id !== ownerId && ctx.currentUser!.role !== "admin") {
if (ctx.currentUser!.id !== ownerId && !ctx.currentUser!.is_admin) {
throw new GraphQLError("Forbidden");
}
}

3
packages/backend/src/lib/auth.ts
View File

@@ -3,7 +3,8 @@ import Redis from "ioredis";
export type SessionUser = {
id: string;
email: string;
role: "model" | "viewer" | "admin";
role: "model" | "viewer";
is_admin: boolean;
first_name: string | null;
last_name: string | null;
artist_name: string | null;

3
packages/backend/src/migrations/0001_is_admin.sql Normal file
View File

@@ -0,0 +1,3 @@
ALTER TABLE "users" ADD COLUMN "is_admin" boolean NOT NULL DEFAULT false;--> statement-breakpoint
UPDATE "users" SET "is_admin" = true WHERE "role" = 'admin';--> statement-breakpoint
UPDATE "users" SET "role" = 'viewer' WHERE "role" = 'admin';

7
packages/backend/src/migrations/meta/_journal.json
View File

@@ -8,6 +8,13 @@
"when": 1772645674513,
"tag": "0000_pale_hellion",
"breakpoints": true
},
{
"idx": 1,
"version": "7",
"when": 1772645674514,
"tag": "0001_is_admin",
"breakpoints": true
}
]
}