diff --git a/web/src/endpoints/user/delete.rs b/web/src/endpoints/user/delete.rs
index ce5fb9df..05410a49 100644
--- a/web/src/endpoints/user/delete.rs
+++ b/web/src/endpoints/user/delete.rs
@@ -3,7 +3,8 @@ use sqlx::PgPool;
use crate::{
endpoints::IdPath,
- models::{Role, User}, utils::ApplicationError,
+ models::{Role, User},
+ utils::ApplicationError,
};
#[actix_web::delete("/users/{id}")]
@@ -20,7 +21,9 @@ pub async fn delete(
return Ok(HttpResponse::NotFound().finish());
};
- if user.role == Role::AreaManager && user.area_id != user_in_db.area_id {
+ if user.role == Role::AreaManager
+ && (user.area_id != user_in_db.area_id || user_in_db.role == Role::Admin)
+ {
return Err(ApplicationError::Unauthorized);
}
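Review bot: The handler answers a missing id with `HttpResponse::NotFound()` but an existing user outside the caller's area, or an Admin, with `ApplicationError::Unauthorized`, so an AreaManager can still learn which ids exist by probing `/users/{id}` even though they may not act on them. If the UI does not need that distinction, return the same response from the added branch, e.g. `return Ok(HttpResponse::NotFound().finish());`, so the two cases are indistinguishable. The body of `delete` starts and ends outside this hunk, so I cannot tell whether a route-level guard already limits which roles reach it.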
diff --git a/web/src/endpoints/user/get_edit.rs b/web/src/endpoints/user/get_edit.rs
index a2bb12f9..a8da435a 100644
--- a/web/src/endpoints/user/get_edit.rs
+++ b/web/src/endpoints/user/get_edit.rs
@@ -27,6 +27,12 @@ pub async fn get_edit(
return Ok(HttpResponse::NotFound().finish());
};
+ if user.role == Role::AreaManager
+ && (user.area_id != user_in_db.area_id || user_in_db.role == Role::Admin)
+ {
+ return Err(ApplicationError::Unauthorized);
+ }
+
let template = NewOrEditUserTemplate {
user: user.into_inner(),
id: Some(user_in_db.id),
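Review bot: This is the third verbatim copy of the same authorization predicate in the commit (delete, get_edit, post_resend_registration), with post_edit carrying a slightly different variant, which is how the copies will drift. A single helper next to `Role`, e.g. `pub fn can_manage(actor: &User, target: &User) -> bool { actor.role == Role::Admin || (actor.role == Role::AreaManager && actor.area_id == target.area_id && target.role != Role::Admin) }`, called as `if !can_manage(&user, &user_in_db) { return Err(ApplicationError::Unauthorized); }`, would keep every handler on one rule. Note that the helper as written also denies any role other than Admin and AreaManager, which the current `user.role == Role::AreaManager && …` guard does not; I cannot see the `Role` enum or the route guards, so confirm that is the intended policy before adopting it. `get_edit`'s body continues outside this hunk.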
diff --git a/web/src/endpoints/user/get_overview.rs b/web/src/endpoints/user/get_overview.rs
index 0c7c685d..53153940 100644
--- a/web/src/endpoints/user/get_overview.rs
+++ b/web/src/endpoints/user/get_overview.rs
@@ -14,6 +14,7 @@ pub struct UsersTemplate {
user: User,
area: Option,
users: Vec,
+ is_oob: bool
}
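Review bot: The new field `is_oob: bool` has no trailing comma, and neither does `is_oob: false` in the initializer further down; rustfmt emits one on multi-line struct definitions and literals, so `is_oob: bool,` keeps the next added field to a one-line diff. A short doc comment on the field would also help, since nothing here says what the flag selects in the template; `/// Render as an out-of-band fragment instead of the full page` is my reading of the name, so confirm it against the template before committing to that wording.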
#[actix_web::get("/users")]
@@ -43,6 +44,7 @@ pub async fn get_overview(
user: user.into_inner(),
area,
users,
+ is_oob: false
};
Ok(template.to_response()?)
diff --git a/web/src/endpoints/user/post_edit.rs b/web/src/endpoints/user/post_edit.rs
index 95b0c22e..e34f28ad 100644
--- a/web/src/endpoints/user/post_edit.rs
+++ b/web/src/endpoints/user/post_edit.rs
@@ -27,7 +27,8 @@ pub async fn post_edit(
return Ok(HttpResponse::NotFound().finish());
};
- if user.role == Role::AreaManager && user.area_id != user_in_db.area_id {
+ let role = form.role.try_into()?;
+ if user.role == Role::AreaManager && (user.area_id != user_in_db.area_id || role == Role::Admin) {
return Err(ApplicationError::Unauthorized);
}
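Review bot: The added condition checks only the role submitted in the form, not the target's stored role, so an AreaManager can still edit an existing Admin in their area, for example move them off the Admin role and then remove them through the delete handler, which does check `user_in_db.role`. The guard should cover both sides: `if user.role == Role::AreaManager && (user.area_id != user_in_db.area_id || user_in_db.role == Role::Admin || role == Role::Admin) {`. The line also exceeds rustfmt's width; the sibling handlers in this commit already use the multi-line form. `post_edit`'s body continues outside this hunk.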
@@ -53,7 +54,7 @@ pub async fn post_edit(
let changeset = UserChangeset {
name: form.name.clone(),
email: form.email.clone(),
- role: form.role.try_into()?,
+ role,
functions,
area_id,
};
diff --git a/web/src/endpoints/user/post_new.rs b/web/src/endpoints/user/post_new.rs
index e5e6c8cb..4f7e84cb 100644
--- a/web/src/endpoints/user/post_new.rs
+++ b/web/src/endpoints/user/post_new.rs
@@ -27,6 +27,10 @@ pub async fn post_new(
}
let role = Role::try_from(form.role)?;
+ if role == Role::Admin && user.role != Role::Admin {
+ return Err(ApplicationError::Unauthorized);
+ }
+
let mut functions = Vec::with_capacity(3);
if form.is_posten.unwrap_or(false) {
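Review bot: The added guard denies Admin creation to anyone who is not Admin, which is the deny-by-default shape, whereas the sibling handlers in this commit gate on `user.role == Role::AreaManager && …` and let any other non-Admin role fall through untouched. If `Role` has variants beyond Admin and AreaManager (the enum is not visible here), rewriting those checks as `if user.role != Role::Admin && (…)` would close that gap and match this one. `post_new`'s body continues outside this hunk, so whether the new user's `area_id` is checked against the caller's area is not visible to me.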
diff --git a/web/src/endpoints/user/post_resend_registration.rs b/web/src/endpoints/user/post_resend_registration.rs
index 983402b7..471aa42d 100644
--- a/web/src/endpoints/user/post_resend_registration.rs
+++ b/web/src/endpoints/user/post_resend_registration.rs
@@ -24,7 +24,9 @@ pub async fn post(
return Ok(HttpResponse::NotFound().finish());
};
- if user.role == Role::AreaManager && user.area_id != user_in_db.area_id {
+ if user.role == Role::AreaManager
+ && (user.area_id != user_in_db.area_id || user_in_db.role == Role::Admin)
+ {
return Err(ApplicationError::Unauthorized);
}
diff --git a/web/templates/user/new_or_edit.html b/web/templates/user/new_or_edit.html
index f55a6d0b..a4a68293 100644
--- a/web/templates/user/new_or_edit.html
+++ b/web/templates/user/new_or_edit.html
@@ -51,7 +51,9 @@
+ {% if user.role == Role::Admin %}
+ {% endif %}