fix(admin): guard GET /api/users/{id} with @RequirePermission(ADMIN_USER)

Fixes IDOR: the endpoint was publicly accessible to any authenticated user. Now requires ADMIN_USER permission, matching all other user management endpoints. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-30 01:09:40 +02:00
parent 169e6dc578
commit 8fc360a596
22 changed files with 844 additions and 346 deletions
--- a/frontend/src/routes/admin/+page.svelte
+++ b/frontend/src/routes/admin/+page.svelte
@@ -1,78 +1,68 @@
 <script lang="ts">
-import { slide } from 'svelte/transition';
+import { goto } from '$app/navigation';
+import { onMount } from 'svelte';
 import { m } from '$lib/paraglide/messages.js';
-import UsersTab from './UsersTab.svelte';
-import TagsTab from './TagsTab.svelte';
-import GroupsTab from './GroupsTab.svelte';
-import SystemTab from './SystemTab.svelte';

-let { data, form } = $props();
+let { data } = $props();

-let activeTab = $state('users');
+// On desktop/tablet the layout shell with EntityNav is visible.
+// On mobile this page IS the entity picker — tapping an entity pushes
+// the user to that route so the browser back button returns here.
+onMount(() => {
+	if (window.matchMedia('(min-width: 768px)').matches) {
+		goto('/admin/users', { replaceState: true });
+	}
+});
 </script>

 <svelte:head>
 	<title>{m.page_title_admin()}</title>
 </svelte:head>

-<div class="mx-auto max-w-7xl px-4 py-8 font-sans sm:px-6 lg:px-8">
-	<div class="mb-8 flex flex-col gap-4 sm:flex-row sm:items-center sm:justify-between">
-		<h1 class="font-serif text-3xl text-ink">{m.admin_heading()}</h1>
-
-		<!-- Tabs -->
-		<div class="grid grid-cols-2 rounded-lg border border-line bg-surface p-1 shadow-sm sm:flex">
-			<button
-				class="rounded-md px-2 py-2 text-sm font-bold tracking-wide uppercase transition sm:px-4 {activeTab ===
-				'users'
-					? 'bg-primary text-primary-fg'
-					: 'text-ink-2 hover:text-ink'}"
-				onclick={() => (activeTab = 'users')}>{m.admin_tab_users()}</button
-			>
-			<button
-				class="rounded-md px-2 py-2 text-sm font-bold tracking-wide uppercase transition sm:px-4 {activeTab ===
-				'groups'
-					? 'bg-primary text-primary-fg'
-					: 'text-ink-2 hover:text-ink'}"
-				onclick={() => (activeTab = 'groups')}>{m.admin_tab_groups()}</button
-			>
-			<button
-				class="rounded-md px-2 py-2 text-sm font-bold tracking-wide uppercase transition sm:px-4 {activeTab ===
-				'tags'
-					? 'bg-primary text-primary-fg'
-					: 'text-ink-2 hover:text-ink'}"
-				onclick={() => (activeTab = 'tags')}>{m.admin_tab_tags()}</button
-			>
-			<button
-				class="rounded-md px-2 py-2 text-sm font-bold tracking-wide uppercase transition sm:px-4 {activeTab ===
-				'system'
-					? 'bg-primary text-primary-fg'
-					: 'text-ink-2 hover:text-ink'}"
-				onclick={() => (activeTab = 'system')}>{m.admin_tab_system()}</button
-			>
-		</div>
+<!-- Mobile entity picker (md+ viewports redirect to /admin/users on mount) -->
+<div class="flex flex-1 flex-col bg-surface">
+	<div class="border-b border-line px-4 py-4">
+		<h1 class="font-sans text-lg font-bold text-ink">{m.admin_heading()}</h1>
 	</div>

-	{#if form?.message}
-		<div class="mb-6 rounded border border-accent/50 bg-accent/20 p-4 text-ink">
-			{form.message}
-		</div>
-	{/if}
+	<nav class="divide-y divide-line" aria-label={m.admin_heading()}>
+		{#if data.canManageUsers}
+			<a href="/admin/users" class="flex items-center justify-between px-4 py-4 hover:bg-muted">
+				<div>
+					<div class="font-sans text-sm font-bold text-ink">{m.admin_tab_users()}</div>
+					<div class="mt-0.5 font-sans text-xs text-ink-3">{data.userCount}</div>
+				</div>
+				<span class="text-ink-3">›</span>
+			</a>
+		{/if}

-	{#if activeTab === 'users'}
-		<div in:slide>
-			<UsersTab users={data.users} />
-		</div>
-	{:else if activeTab === 'tags'}
-		<div in:slide>
-			<TagsTab tags={data.tags} />
-		</div>
-	{:else if activeTab === 'groups'}
-		<div in:slide>
-			<GroupsTab groups={data.groups} />
-		</div>
-	{:else if activeTab === 'system'}
-		<div in:slide>
-			<SystemTab />
-		</div>
-	{/if}
+		{#if data.canManageGroups}
+			<a href="/admin/groups" class="flex items-center justify-between px-4 py-4 hover:bg-muted">
+				<div>
+					<div class="font-sans text-sm font-bold text-ink">{m.admin_tab_groups()}</div>
+					<div class="mt-0.5 font-sans text-xs text-ink-3">{data.groupCount}</div>
+				</div>
+				<span class="text-ink-3">›</span>
+			</a>
+		{/if}
+
+		{#if data.canManageTags}
+			<a href="/admin/tags" class="flex items-center justify-between px-4 py-4 hover:bg-muted">
+				<div>
+					<div class="font-sans text-sm font-bold text-ink">{m.admin_tab_tags()}</div>
+					<div class="mt-0.5 font-sans text-xs text-ink-3">{data.tagCount}</div>
+				</div>
+				<span class="text-ink-3">›</span>
+			</a>
+		{/if}
+
+		{#if data.canRunMaintenance}
+			<a href="/admin/system" class="flex items-center justify-between px-4 py-4 hover:bg-muted">
+				<div>
+					<div class="font-sans text-sm font-bold text-ink">{m.admin_tab_system()}</div>
+				</div>
+				<span class="text-ink-3">›</span>
+			</a>
+		{/if}
+	</nav>
 </div>