feat: area manager cant edit admin

refs #21

web/src/endpoints/user/delete.rs

@@ -3,7 +3,8 @@ use sqlx::PgPool;
 
 use crate::{
     endpoints::IdPath,
-    models::{Role, User}, utils::ApplicationError,
+    models::{Role, User},
+    utils::ApplicationError,
 };
 
 #[actix_web::delete("/users/{id}")]
@@ -20,7 +21,9 @@ pub async fn delete(
         return Ok(HttpResponse::NotFound().finish());
     };
 
-    if user.role == Role::AreaManager && user.area_id != user_in_db.area_id {
+    if user.role == Role::AreaManager
+        && (user.area_id != user_in_db.area_id || user_in_db.role == Role::Admin)
+    {
         return Err(ApplicationError::Unauthorized);
     }
 

web/src/endpoints/user/get_edit.rs

@@ -27,6 +27,12 @@ pub async fn get_edit(
         return Ok(HttpResponse::NotFound().finish());
     };
 
+    if user.role == Role::AreaManager
+        && (user.area_id != user_in_db.area_id || user_in_db.role == Role::Admin)
+    {
+        return Err(ApplicationError::Unauthorized);
+    }
+
     let template = NewOrEditUserTemplate {
         user: user.into_inner(),
         id: Some(user_in_db.id),

web/src/endpoints/user/get_overview.rs

@@ -14,6 +14,7 @@ pub struct UsersTemplate {
     user: User,
     area: Option<Area>,
     users: Vec<User>,
+    is_oob: bool
 }
 
 #[actix_web::get("/users")]
@@ -43,6 +44,7 @@ pub async fn get_overview(
         user: user.into_inner(),
         area,
         users,
+        is_oob: false
     };
 
     Ok(template.to_response()?)

web/src/endpoints/user/post_edit.rs

@@ -27,7 +27,8 @@ pub async fn post_edit(
         return Ok(HttpResponse::NotFound().finish());
     };
 
-    if user.role == Role::AreaManager && user.area_id != user_in_db.area_id {
+    let role = form.role.try_into()?;
+    if user.role == Role::AreaManager && (user.area_id != user_in_db.area_id || role == Role::Admin) {
         return Err(ApplicationError::Unauthorized);
     }
 
@@ -53,7 +54,7 @@ pub async fn post_edit(
     let changeset = UserChangeset {
         name: form.name.clone(),
         email: form.email.clone(),
-        role: form.role.try_into()?,
+        role,
         functions,
         area_id,
     };

web/src/endpoints/user/post_new.rs

@@ -27,6 +27,10 @@ pub async fn post_new(
     }
 
     let role = Role::try_from(form.role)?;
+    if role == Role::Admin && user.role != Role::Admin {
+        return Err(ApplicationError::Unauthorized);
+    }
+
     let mut functions = Vec::with_capacity(3);
 
     if form.is_posten.unwrap_or(false) {

web/src/endpoints/user/post_resend_registration.rs

@@ -24,7 +24,9 @@ pub async fn post(
         return Ok(HttpResponse::NotFound().finish());
     };
 
-    if user.role == Role::AreaManager && user.area_id != user_in_db.area_id {
+    if user.role == Role::AreaManager
+        && (user.area_id != user_in_db.area_id || user_in_db.role == Role::Admin)
+    {
         return Err(ApplicationError::Unauthorized);
     }
 

web/templates/user/new_or_edit.html

@@ -51,7 +51,9 @@
                     <option value="1" {{ role|is_some_and_eq(1|ref)|ref|cond_show("selected") }}>Personal</option>
                     <option value="10" {{ role|is_some_and_eq(10|ref)|ref|cond_show("selected") }}>Bereichsleiter
                     </option>
+                    {% if user.role == Role::Admin %}
                     <option value="100" {{ role|is_some_and_eq(100|ref)|ref|cond_show("selected") }}>Admin</option>
+                    {% endif %}
                   </select>
                 </div>
               </div>