feat(admin): add dedicated routes for admin user management (#37)

- New GET /admin/users/new page: create user with all profile fields (login, password, firstName, lastName, birthDate, email, contact, groups) - New GET /admin/users/[id] page: edit user profile, groups, and optional password change without requiring current password - New PUT /api/users/{id} backend endpoint (ADMIN_USER permission) with AdminUpdateUserRequest DTO for admin-override user updates - Refactored admin users tab: replaced inline editing with edit links to dedicated routes; create button now links to /admin/users/new - Extended CreateUserRequest with profile fields so new users can be created with full profile data in a single request - Added 28 component tests across 3 new spec files (TDD) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 16:33:50 +01:00
parent 9731afb776
commit fb4f8e820c
16 changed files with 999 additions and 199 deletions
--- a/frontend/src/routes/admin/users/new/+page.server.ts
+++ b/frontend/src/routes/admin/users/new/+page.server.ts
@@ -0,0 +1,45 @@
+import { error, fail, redirect } from '@sveltejs/kit';
+import type { PageServerLoad, Actions } from './$types';
+import { createApiClient } from '$lib/api.server';
+import { getErrorMessage } from '$lib/errors';
+
+export const load: PageServerLoad = async ({ fetch, locals }) => {
+	const user = locals.user;
+	const hasAdmin = user?.groups?.some((g: { permissions: string[] }) =>
+		g.permissions.includes('ADMIN')
+	);
+	if (!hasAdmin) throw error(403, getErrorMessage('FORBIDDEN'));
+
+	const api = createApiClient(fetch);
+	const groupsResult = await api.GET('/api/groups');
+
+	return { groups: groupsResult.data ?? [] };
+};
+
+export const actions: Actions = {
+	default: async ({ request, fetch }) => {
+		const data = await request.formData();
+		const api = createApiClient(fetch);
+
+		const birthDateRaw = data.get('birthDate') as string;
+		const result = await api.POST('/api/users', {
+			body: {
+				username: data.get('username') as string,
+				initialPassword: data.get('password') as string,
+				email: (data.get('email') as string) || undefined,
+				groupIds: data.getAll('groupIds') as string[],
+				firstName: (data.get('firstName') as string) || null,
+				lastName: (data.get('lastName') as string) || null,
+				birthDate: birthDateRaw || null,
+				contact: (data.get('contact') as string) || null
+			}
+		});
+
+		if (!result.response.ok) {
+			const code = (result.error as unknown as { code?: string })?.code;
+			return fail(result.response.status, { error: getErrorMessage(code) });
+		}
+
+		throw redirect(303, '/admin');
+	}
+};
--- a/frontend/src/routes/admin/users/new/+page.svelte
+++ b/frontend/src/routes/admin/users/new/+page.svelte
@@ -0,0 +1,204 @@
+<script lang="ts">
+import { enhance } from '$app/forms';
+import { m } from '$lib/paraglide/messages.js';
+
+let { data, form } = $props();
+
+function germanToIso(german: string): string {
+	const match = german.match(/^(\d{2})\.(\d{2})\.(\d{4})$/);
+	if (!match) return '';
+	return `${match[3]}-${match[2]}-${match[1]}`;
+}
+
+let birthDateIso = $state('');
+
+function handleBirthDateInput(e: Event) {
+	const input = e.target as HTMLInputElement;
+	const digits = input.value.replace(/\D/g, '').slice(0, 8);
+	let formatted: string;
+	if (digits.length <= 2) {
+		formatted = digits;
+	} else if (digits.length <= 4) {
+		formatted = `${digits.slice(0, 2)}.${digits.slice(2)}`;
+	} else {
+		formatted = `${digits.slice(0, 2)}.${digits.slice(2, 4)}.${digits.slice(4)}`;
+	}
+	input.value = formatted;
+	birthDateIso = germanToIso(formatted);
+}
+</script>
+
+<div class="mx-auto max-w-3xl px-4 py-8 sm:px-6 lg:px-8">
+	<a
+		href="/admin"
+		class="group mb-4 inline-flex items-center text-xs font-bold tracking-widest text-gray-500 uppercase transition-colors hover:text-brand-navy"
+	>
+		<svg
+			class="mr-2 h-4 w-4 transform transition-transform group-hover:-translate-x-1"
+			fill="none"
+			viewBox="0 0 24 24"
+			stroke="currentColor"
+			stroke-width="2"
+		>
+			<path stroke-linecap="round" stroke-linejoin="round" d="M15 19l-7-7 7-7" />
+		</svg>
+		{m.btn_back_to_overview()}
+	</a>
+
+	<h1 class="mb-6 font-serif text-3xl font-bold text-brand-navy">{m.admin_user_new_heading()}</h1>
+
+	{#if form?.error}
+		<div class="mb-5 rounded border border-red-200 bg-red-50 p-3 text-sm text-red-700">
+			{form.error}
+		</div>
+	{/if}
+
+	<div class="rounded-sm border border-brand-sand bg-white p-6 shadow-sm">
+		<form method="POST" use:enhance class="space-y-5">
+			<!-- Account -->
+			<h2 class="text-xs font-bold tracking-widest text-gray-400 uppercase">
+				{m.admin_section_users()}
+			</h2>
+
+			<label class="block">
+				<span
+					class="mb-1 block font-sans text-xs font-bold tracking-widest text-gray-400 uppercase"
+				>
+					{m.admin_col_login()}
+				</span>
+				<input
+					type="text"
+					name="username"
+					required
+					class="w-full rounded-sm border border-brand-sand px-3 py-2 font-serif text-sm focus:border-brand-navy focus:outline-none"
+				/>
+			</label>
+
+			<label class="block">
+				<span
+					class="mb-1 block font-sans text-xs font-bold tracking-widest text-gray-400 uppercase"
+				>
+					{m.admin_label_initial_password()}
+				</span>
+				<input
+					type="password"
+					name="password"
+					required
+					class="w-full rounded-sm border border-brand-sand px-3 py-2 font-serif text-sm focus:border-brand-navy focus:outline-none"
+				/>
+			</label>
+
+			<!-- Profile -->
+			<h2 class="pt-2 text-xs font-bold tracking-widest text-gray-400 uppercase">
+				{m.profile_section_personal()}
+			</h2>
+
+			<div class="grid grid-cols-1 gap-4 sm:grid-cols-2">
+				<label class="block">
+					<span
+						class="mb-1 block font-sans text-xs font-bold tracking-widest text-gray-400 uppercase"
+					>
+						{m.profile_label_first_name()}
+					</span>
+					<input
+						type="text"
+						name="firstName"
+						class="w-full rounded-sm border border-brand-sand px-3 py-2 font-serif text-sm focus:border-brand-navy focus:outline-none"
+					/>
+				</label>
+
+				<label class="block">
+					<span
+						class="mb-1 block font-sans text-xs font-bold tracking-widest text-gray-400 uppercase"
+					>
+						{m.profile_label_last_name()}
+					</span>
+					<input
+						type="text"
+						name="lastName"
+						class="w-full rounded-sm border border-brand-sand px-3 py-2 font-serif text-sm focus:border-brand-navy focus:outline-none"
+					/>
+				</label>
+			</div>
+
+			<label class="block">
+				<span
+					class="mb-1 block font-sans text-xs font-bold tracking-widest text-gray-400 uppercase"
+				>
+					{m.profile_label_birth_date()}
+				</span>
+				<input
+					type="text"
+					placeholder="TT.MM.JJJJ"
+					oninput={handleBirthDateInput}
+					class="w-full rounded-sm border border-brand-sand px-3 py-2 font-serif text-sm focus:border-brand-navy focus:outline-none"
+				/>
+				<input type="hidden" name="birthDate" value={birthDateIso} />
+			</label>
+
+			<label class="block">
+				<span
+					class="mb-1 block font-sans text-xs font-bold tracking-widest text-gray-400 uppercase"
+				>
+					{m.profile_label_email()}
+				</span>
+				<input
+					type="email"
+					name="email"
+					class="w-full rounded-sm border border-brand-sand px-3 py-2 font-serif text-sm focus:border-brand-navy focus:outline-none"
+				/>
+			</label>
+
+			<label class="block">
+				<span
+					class="mb-1 block font-sans text-xs font-bold tracking-widest text-gray-400 uppercase"
+				>
+					{m.profile_label_contact()}
+				</span>
+				<textarea
+					name="contact"
+					rows="3"
+					placeholder={m.profile_contact_placeholder()}
+					class="w-full rounded-sm border border-brand-sand px-3 py-2 font-serif text-sm focus:border-brand-navy focus:outline-none"
+				></textarea>
+			</label>
+
+			<!-- Groups -->
+			<h2 class="pt-2 text-xs font-bold tracking-widest text-gray-400 uppercase">
+				{m.admin_col_groups()}
+			</h2>
+
+			<div class="flex flex-wrap gap-3">
+				{#each data.groups as group (group.id)}
+					<label class="inline-flex items-center gap-2 text-sm text-gray-700">
+						<input
+							type="checkbox"
+							name="groupIds"
+							value={group.id}
+							class="rounded border-gray-300 text-brand-navy focus:ring-brand-mint"
+						/>
+						{group.name}
+					</label>
+				{/each}
+			</div>
+
+			<!-- Save bar -->
+			<div
+				class="mt-4 flex items-center justify-between rounded-sm border border-brand-sand bg-white px-6 py-4 shadow-sm"
+			>
+				<a
+					href="/admin"
+					class="font-sans text-xs font-bold tracking-widest text-gray-500 uppercase hover:text-brand-navy"
+				>
+					{m.btn_cancel()}
+				</a>
+				<button
+					type="submit"
+					class="rounded-sm bg-brand-navy px-5 py-2 font-sans text-xs font-bold tracking-widest text-white uppercase transition-opacity hover:opacity-80"
+				>
+					{m.btn_create()}
+				</button>
+			</div>
+		</form>
+	</div>
+</div>
--- a/frontend/src/routes/admin/users/new/page.svelte.spec.ts
+++ b/frontend/src/routes/admin/users/new/page.svelte.spec.ts
@@ -0,0 +1,68 @@
+import { afterEach, describe, expect, it, vi } from 'vitest';
+import { cleanup, render } from 'vitest-browser-svelte';
+import { page } from 'vitest/browser';
+import Page from './+page.svelte';
+
+vi.mock('$app/forms', () => ({ enhance: () => () => {} }));
+
+const groups = [
+	{ id: 'g1', name: 'Editoren', permissions: ['WRITE_ALL'] },
+	{ id: 'g2', name: 'Admins', permissions: ['ADMIN'] }
+];
+
+const baseData = { groups };
+
+afterEach(cleanup);
+
+// ─── Rendering ────────────────────────────────────────────────────────────────
+
+describe('Admin new user page – rendering', () => {
+	it('renders the page heading', async () => {
+		render(Page, { data: baseData });
+		await expect.element(page.getByText(/Neuen Benutzer anlegen/i)).toBeInTheDocument();
+	});
+
+	it('renders the login input', async () => {
+		render(Page, { data: baseData });
+		await expect.element(page.getByRole('textbox', { name: /Login/i })).toBeInTheDocument();
+	});
+
+	it('renders group checkboxes for each available group', async () => {
+		render(Page, { data: baseData });
+		await expect.element(page.getByText('Editoren')).toBeInTheDocument();
+		await expect.element(page.getByText('Admins')).toBeInTheDocument();
+	});
+
+	it('cancel link points to /admin', async () => {
+		render(Page, { data: baseData });
+		await expect
+			.element(page.getByRole('link', { name: /Abbrechen/i }))
+			.toHaveAttribute('href', '/admin');
+	});
+
+	it('back link points to /admin', async () => {
+		render(Page, { data: baseData });
+		await expect
+			.element(page.getByRole('link', { name: /Zurück/i }))
+			.toHaveAttribute('href', '/admin');
+	});
+
+	it('renders the create button', async () => {
+		render(Page, { data: baseData });
+		await expect.element(page.getByRole('button', { name: /Erstellen/i })).toBeInTheDocument();
+	});
+});
+
+// ─── Error display ────────────────────────────────────────────────────────────
+
+describe('Admin new user page – error display', () => {
+	it('shows the error message when form has an error', async () => {
+		render(Page, { data: baseData, form: { error: 'Ein Fehler ist aufgetreten.' } });
+		await expect.element(page.getByText('Ein Fehler ist aufgetreten.')).toBeInTheDocument();
+	});
+
+	it('does not show error section when form is null', async () => {
+		render(Page, { data: baseData, form: null });
+		await expect.element(page.getByText('Ein Fehler ist aufgetreten.')).not.toBeInTheDocument();
+	});
+});