feat(users): allow role assignment for Azure AD and LDAP users

- Backend: add admin-only guard + role validation to PUT /users/{id} - Backend: prevent admins from changing their own role - Frontend: role toggle button (person-check / person-dash) per user row - Frontend: admin badge green, viewer badge secondary, ldap badge blue - i18n: add makeAdmin / makeViewer translations (de + en) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-24 20:27:54 +01:00
parent 8103fffcb8
commit 796824c400
4 changed files with 41 additions and 3 deletions
--- a/app/routers/users.py
+++ b/app/routers/users.py
@@ -70,12 +70,31 @@ async def update_user(
    current_user: User = Depends(get_current_user),
    db: Session = Depends(get_db),
 ):
-    """Update an existing user (email, is_active, role)."""
+    """Update an existing user (email, is_active, role). Admin only."""
+    if current_user.role != "admin":
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Only admins can update users.",
+        )
+
    user = db.query(User).filter(User.id == user_id).first()
    if not user:
        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found.")

    update_data = payload.model_dump(exclude_none=True)
+
+    if "role" in update_data:
+        if update_data["role"] not in ("admin", "viewer"):
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Role must be 'admin' or 'viewer'.",
+            )
+        if user_id == current_user.id:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="You cannot change your own role.",
+            )
+
    for field, value in update_data.items():
        if hasattr(user, field):
            setattr(user, field, value)