fix(admin): guard GET /api/users/{id} with @RequirePermission(ADMIN_USER)
Fixes IDOR: the endpoint was reachable by any authenticated user, not only admins. It now requires the ADMIN_USER permission, matching all other user management endpoints. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
34
frontend/src/routes/admin/+layout.svelte
Normal file
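--- /dev/null
+++ b/frontend/src/routes/admin/+layout.svelte
@@ -0,0 +1,34 @@
+<script lang="ts">
+import { page } from '$app/state';
+import EntityNav from './EntityNav.svelte';
+
+let { data, children } = $props();
+
+const isSystem = $derived(page.url.pathname.startsWith('/admin/system'));
+</script>
+
+<svelte:head>
+<title>Admin · Familienarchiv</title>
+</svelte:head>
+
+<!--
+-mt-6: cancel the global layout's pt-6 on <main>
+Height fills from below the global header (64px) to bottom of viewport.
+-->
+<div class="-mt-6 flex overflow-hidden" style="height: calc(100vh - 65px)">
+<!-- Entity Nav: always visible on desktop, icon strip on tablet (Phase 9) -->
+<EntityNav
+userCount={data.userCount}
+groupCount={data.groupCount}
+tagCount={data.tagCount}
+canManageUsers={data.canManageUsers}
+canManageTags={data.canManageTags}
+canManageGroups={data.canManageGroups}
+canRunMaintenance={data.canRunMaintenance}
+/>
+
+<!-- Right side: list panel + detail panel (or full-width for system) -->
+<div class="flex min-w-0 flex-1 overflow-hidden">
+{@render children()}
+</div>
+</div>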
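Review bot: `const isSystem = $derived(page.url.pathname.startsWith('/admin/system'));` is computed but never referenced in the markup, even though the comment `<!-- Right side: list panel + detail panel (or full-width for system) -->` implies the inner panel should change for `/admin/system`; either condition the panel layout on `isSystem` or drop the binding so it does not read as dead code. The header comment says the global header is 64px while the style subtracts 65px; if the extra pixel is presumably a bottom border, say so, e.g. `Height fills from below the global header (64px + 1px border) to bottom of viewport.`. Note that the `canManageUsers`/`canManageTags`/`canManageGroups`/`canRunMaintenance` props only decide what `EntityNav` shows; the ADMIN_USER guard named in the commit title is not in this file and, as far as this section shows, must live server-side on the endpoint itself, since hiding navigation entries is not access control.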