Add superuser role, keep admin for zone admins

Author: tollsimy

src/auth/auth.go

@@ -43,20 +43,20 @@ func AuthenticationFunc(authHeader string) (string, string, error) {
 	// Debug mode: override username and role
 	if DEBUG_MODE == "true" {
 		// make sure to create a debug user if it doesn't exist
-		role := api.UserRequestRoleAdmin
+		role := api.UserRequestRoleSuperuser
 		debug_user := api.UserRequest{
-			Username: "admin_debug",
-			Password: "admin_debug",
+			Username: "superuser_debug",
+			Password: "superuser_debug",
 			Role:     &role,
-			Email:    "admin.debug@debug.com",
-			Name:     "Admin",
-			Surname:  "Debug",
+			Email:    "superuser.debug@debug.com",
+			Name:     "superuser",
+			Surname:  "debug",
 		}
 		_, err := dao.NewUserDao().AddUser(context.Background(), debug_user)
 		if err != nil && !errors.Is(err, dao.ErrUserAlreadyExists) {
 			return "", "", errors.New("failed to create debug user: " + err.Error())
 		}
-		return "admin_debug", "admin", nil
+		return "superuser_debug", "superuser", nil
 	}
 
 	if authHeader == "" {

src/db/postgres_schema_v1.sql

@@ -6,5 +6,5 @@ CREATE TABLE IF NOT EXISTS users (
     surname TEXT NOT NULL,
     email TEXT NOT NULL UNIQUE,
     password TEXT NOT NULL,
-    role TEXT NOT NULL CHECK (role IN ('driver', 'controller', 'admin'))
+    role TEXT NOT NULL CHECK (role IN ('driver', 'controller', 'admin', 'superuser'))
 );

src/handlers/session.go

@@ -76,8 +76,27 @@ func (h *SessionHandlers) Register(c *gin.Context) {
 		newUser.Role = &defaultRole
 	}
 
-	// If registering as an admin or controller, verify permissions
-	if *newUser.Role == api.UserRequestRoleAdmin || *newUser.Role == api.UserRequestRoleController {
+	if *newUser.Role == api.UserRequestRoleSuperuser {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Superuser registration is not allowed"})
+		return
+	}
+	// If registering as admin, you need to be a superuser
+	if *newUser.Role == api.UserRequestRoleAdmin {
+		// Check if the current user is authenticated with superuser privileges
+		_, role, err := auth.AuthenticationFunc(c.GetHeader("Authorization"))
+		if err != nil {
+			c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication failed: " + err.Error()})
+			return
+		}
+		// Check if the user has superuser privileges
+		if role != "superuser" {
+			c.JSON(http.StatusForbidden, gin.H{"error": "Superuser privileges required to register " + string(*newUser.Role) + " accounts"})
+			return
+		}
+	}
+
+	// If registering as controller, you need to be at least an admin
+	if *newUser.Role == api.UserRequestRoleController {
 		// Check if the current user is authenticated with admin privileges
 		_, role, err := auth.AuthenticationFunc(c.GetHeader("Authorization"))
 		if err != nil {
@@ -86,7 +105,7 @@ func (h *SessionHandlers) Register(c *gin.Context) {
 		}
 
 		// Check if the user has admin privileges
-		if role != "admin" {
+		if role != "admin" && role != "superuser" {
 			c.JSON(http.StatusForbidden, gin.H{"error": "Admin privileges required to register " + string(*newUser.Role) + " accounts"})
 			return
 		}

src/handlers/user.go

@@ -42,7 +42,7 @@ func (uh *UserHandlers) GetUsers(c *gin.Context, params api.GetUsersParams) {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to get role"})
 		return
 	}
-	if roleStr != "admin" {
+	if roleStr != "superuser" {
 		c.JSON(http.StatusForbidden, gin.H{"error": "forbidden"})
 		return
 	}
@@ -96,7 +96,7 @@ func (uh *UserHandlers) DeleteUsers(c *gin.Context) {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to get role"})
 		return
 	}
-	if roleStr != "admin" {
+	if roleStr != "superuser" {
 		c.JSON(http.StatusForbidden, gin.H{"error": "forbidden"})
 		return
 	}
@@ -190,7 +190,7 @@ func (uh *UserHandlers) GetUserById(c *gin.Context, id int64) {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to get role"})
 		return
 	}
-	if roleStr != "admin" {
+	if roleStr != "superuser" {
 		c.JSON(http.StatusForbidden, gin.H{"error": "forbidden"})
 		return
 	}
@@ -229,7 +229,7 @@ func (uh *UserHandlers) UpdateUserById(c *gin.Context, id int64) {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to get role"})
 		return
 	}
-	if roleStr != "admin" {
+	if roleStr != "superuser" {
 		c.JSON(http.StatusForbidden, gin.H{"error": "forbidden"})
 		return
 	}
@@ -281,7 +281,7 @@ func (uh *UserHandlers) DeleteUserById(c *gin.Context, id int64) {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to get role"})
 		return
 	}
-	if roleStr != "admin" {
+	if roleStr != "superuser" {
 		c.JSON(http.StatusForbidden, gin.H{"error": "forbidden"})
 		return
 	}

src/rbac/rbac.go

@@ -7,6 +7,7 @@ import (
 func SetupRBAC() *gorbac.RBAC {
 	rbac := gorbac.New()
 
+	superuser := gorbac.NewStdRole("superuser")
 	admin := gorbac.NewStdRole("admin")
 	controller := gorbac.NewStdRole("controller")
 	driver := gorbac.NewStdRole("driver")
@@ -18,6 +19,7 @@ func SetupRBAC() *gorbac.RBAC {
 	// admin.Assign(readUsers)
 	// admin.Assign(writeUsers)
 
+	rbac.Add(superuser)
 	rbac.Add(admin)
 	rbac.Add(controller)
 	rbac.Add(driver)