familienarchiv/frontend/src/routes/admin/+layout.server.ts

import { error } from '@sveltejs/kit';
import { createApiClient } from '$lib/api.server';
import { getErrorMessage } from '$lib/errors';
import type { components } from '$lib/generated/api';

type UserGroup = components['schemas']['UserGroup'];

function hasPerm(user: { groups?: UserGroup[] } | undefined, perm: string): boolean {
	return user?.groups?.some((g) => g.permissions.includes(perm)) ?? false;
}

function hasAnyAdminPerm(user: { groups?: UserGroup[] } | undefined): boolean {
	return (
		hasPerm(user, 'ADMIN') ||
		hasPerm(user, 'ADMIN_USER') ||
		hasPerm(user, 'ADMIN_TAG') ||
		hasPerm(user, 'ADMIN_PERMISSION')
	);
}

export async function load({ fetch, locals }) {
	const user = locals.user;
	if (!hasAnyAdminPerm(user)) throw error(403, getErrorMessage('FORBIDDEN'));

	const api = createApiClient(fetch);

	// TODO: replace with a dedicated /api/admin/stats endpoint that returns counts only,
	// so the System page does not load full entity lists it does not render.
	const [usersResult, groupsResult, tagsResult] = await Promise.all([
		api.GET('/api/users'),
		api.GET('/api/groups'),
		api.GET('/api/tags')
	]);

	if (!usersResult.response.ok) {
		const code = (usersResult.error as unknown as { code?: string })?.code;
		throw error(usersResult.response.status, getErrorMessage(code));
	}
	if (!groupsResult.response.ok) {
		const code = (groupsResult.error as unknown as { code?: string })?.code;
		throw error(groupsResult.response.status, getErrorMessage(code));
	}
	if (!tagsResult.response.ok) {
		const code = (tagsResult.error as unknown as { code?: string })?.code;
		throw error(tagsResult.response.status, getErrorMessage(code));
	}

	return {
		userCount: (usersResult.data ?? []).length,
		groupCount: (groupsResult.data ?? []).length,
		tagCount: (tagsResult.data ?? []).length,
		canManageUsers: hasPerm(user, 'ADMIN_USER'),
		canManageTags: hasPerm(user, 'ADMIN_TAG'),
		canManagePermissions: hasPerm(user, 'ADMIN_PERMISSION'),
		canRunMaintenance: hasPerm(user, 'ADMIN')
	};
}