From 859b9c23e38789a2fc711628bffd9ba94e1c0f70 Mon Sep 17 00:00:00 2001
From: Simon Ser <contact@emersion.fr>
Date: Mon, 19 Feb 2024 11:11:43 +0100
Subject: [PATCH] Add admin users

---
 client.go                 |  9 +++++++++
 entity.go                 |  2 ++
 main.go                   |  2 +-
 schema.sql                |  3 ++-
 template/index.html       | 28 ++++++++++++++++------------
 template/update-user.html | 12 ++++++++++--
 user.go                   | 19 +++++++++++++++++--
diff --git a/client.go b/client.go
index d26317299c1c649a42e433dc123aa2751d8b6a20..d70ca774d51de32afcde70dd4ac6395f403b7ab6 100644
--- a/client.go
+++ b/client.go
@@ -15,6 +15,15 @@ 		http.Redirect(w, req, "/login", http.StatusFound)
 		return
 	}
 
+	me, err := db.FetchUser(ctx, loginToken.User)
+	if err != nil {
+		httpError(w, err)
+		return
+	} else if !me.Admin {
+		http.Error(w, "Access denied", http.StatusForbidden)
+		return
+	}
+
 	client, clientSecret, err := NewClient(loginToken.User)
 	if err != nil {
 		httpError(w, err)
diff --git a/entity.go b/entity.go
index 219ed6b0df2ba388f9a7d440891a17ef89de437c..839411500ff02fb6f73b62e7e267856c035039fa 100644
--- a/entity.go
+++ b/entity.go
@@ -68,6 +68,7 @@ type User struct {
 	ID           ID[*User]
 	Username     string
 	PasswordHash string
+	Admin        bool
 }
 
 func (user *User) columns() map[string]interface{} {
@@ -75,6 +76,7 @@ 	return map[string]interface{}{
 		"id":            &user.ID,
 		"username":      &user.Username,
 		"password_hash": &user.PasswordHash,
+		"admin":         &user.Admin,
 	}
 }
 
diff --git a/main.go b/main.go
index 0bd4b34e47e787cada66cc3e6e4f6da673418f75..7e031e9a691c7ff7190757b0c2379976d496d45e 100644
--- a/main.go
+++ b/main.go
@@ -51,9 +51,9 @@
 	mux := chi.NewRouter()
 	mux.Handle("/static/*", http.FileServer(http.FS(staticFS)))
 	mux.Get("/", index)
-	mux.Post("/client/new", createClient)
 	mux.HandleFunc("/login", login)
 	mux.Post("/logout", logout)
+	mux.Post("/client/new", createClient)
 	mux.HandleFunc("/user/new", updateUser)
 	mux.HandleFunc("/user/{id}", updateUser)
 	mux.Get("/.well-known/oauth-authorization-server", getOAuthServerMetadata)
diff --git a/schema.sql b/schema.sql
index 1a0a7e78ee5cb1998e506605de3c9ccd5dcb298e..60280bce553eb15e837bce1cb1929734cb5ceb1b 100644
--- a/schema.sql
+++ b/schema.sql
@@ -3,7 +3,8 @@
 CREATE TABLE User (
 	id INTEGER PRIMARY KEY,
 	username TEXT NOT NULL UNIQUE,
-	password_hash TEXT
+	password_hash TEXT,
+	admin INTEGER NOT NULL DEFAULT 0
 );
 
 CREATE TABLE Client (
diff --git a/template/index.html b/template/index.html
index 2322b4a2783dcd210b0de8c75b09b02640a642ff..477d7ca921da2a2b139f6f0dcbac6f7b2247e176 100644
--- a/template/index.html
+++ b/template/index.html
@@ -7,21 +7,25 @@
 <p>Welcome, {{ .Me.Username }}!</p>
 
 <form method="post">
-	<a href="/user/new"><button type="button">Create user</button></a>
-	<a href="/user/{{ .Me.ID }}"><button type="button">Edit user</button></a>
-	<button type="submit" formaction="/client/new">Register new client</button>
+	{{ if .Me.Admin }}
+		<a href="/user/new"><button type="button">Create user</button></a>
+		<button type="submit" formaction="/client/new">Register new client</button>
+	{{ end }}
+	<a href="/user/{{ .Me.ID }}"><button type="button">Settings</button></a>
 	<button type="submit" formaction="/logout">Logout</button>
 </form>
 
-{{ with .Clients }}
-	<p>{{ . | len }} clients registered:</p>
-	<ul>
-		{{ range . }}
-			<li><code>{{ .ClientID }}</code></li>
-		{{ end }}
-	</ul>
-{{ else }}
-	<p>No client registered yet.</p>
+{{ if .Me.Admin }}
+	{{ with .Clients }}
+		<p>{{ . | len }} clients registered:</p>
+		<ul>
+			{{ range . }}
+				<li><code>{{ .ClientID }}</code></li>
+			{{ end }}
+		</ul>
+	{{ else }}
+		<p>No client registered yet.</p>
+	{{ end }}
 {{ end }}
 
 </main>
diff --git a/template/update-user.html b/template/update-user.html
index b1049728c4ea5135de8bd96cafa6c5f747259227..fb7e4006451e20ba157e7a6867ace3a9a04724a9 100644
--- a/template/update-user.html
+++ b/template/update-user.html
@@ -5,10 +5,18 @@
 <h1>sinwon</h1>
 
 <form method="post" action="">
-	Username: <input type="text" name="username" value="{{ .Username }}" required><br>
+	Username: <input type="text" name="username" value="{{ .User.Username }}" required><br>
 	Password: <input type="password" name="password"><br>
+	{{ if not (eq .Me.ID .User.ID) }}
+		<label>
+			<input type="checkbox" name="admin" {{ if .User.Admin }}checked{{ end }}>
+			Administrator
+		</label><br>
+	{{ end }}
+
+	<a href="/"><button type="button">Cancel</button></a>
 	<button type="submit">
-		{{ if .Username }}
+		{{ if .User.ID }}
 			Update user
 		{{ else }}
 			Create user
diff --git a/user.go b/user.go
index 4365ca5499e266f7290a8131bcbd992b0f2adc1e..b652d6b5d92004a31e8113e73408dfc2b3238e46 100644
--- a/user.go
+++ b/user.go
@@ -141,21 +141,36 @@ 		http.Redirect(w, req, "/login", http.StatusFound)
 		return
 	}
 
-	if user.ID != 0 && loginToken.User != user.ID {
+	me, err := db.FetchUser(ctx, loginToken.User)
+	if err != nil {
+		httpError(w, err)
+		return
+	} else if loginToken.User != user.ID && !me.Admin {
 		http.Error(w, "Access denied", http.StatusForbidden)
 		return
 	}
 
 	username := req.PostFormValue("username")
 	password := req.PostFormValue("password")
+	admin := req.PostFormValue("admin") == "on"
 	if username == "" {
-		if err := tpl.ExecuteTemplate(w, "update-user.html", user); err != nil {
+		data := struct {
+			User *User
+			Me   *User
+		}{
+			User: user,
+			Me:   me,
+		}
+		if err := tpl.ExecuteTemplate(w, "update-user.html", &data); err != nil {
 			panic(err)
 		}
 		return
 	}
 
 	user.Username = username
+	if me.Admin && user.ID != me.ID {
+		user.Admin = admin
+	}
 	if password != "" {
 		if err := user.SetPassword(password); err != nil {
 			httpError(w, err)

-- 
2.48.1

