fixed the inability to fully remove permissions

2025-08-25 17:21:58 +02:00 · 2025-08-25 17:21:58 +02:00 · b1787cda4e
parent 0cd32a0276
commit b1787cda4e
2 changed files with 14 additions and 5 deletions
--- a/src/routes/user/+page.server.ts
+++ b/src/routes/user/+page.server.ts
@ -36,6 +36,10 @@ export const load: PageServerLoad = ({ locals, url }) => {
 		if (user == null) {
 			return fail(404, { message: `User ${user_id} not found` })
 		}
+
+		if (!Permissions.has(locals.user.permissions, Permissions.USERADMIN.EDIT_PASSWORD)) {
+			user.permissions = 0
+		}
 	} 

 	return {
@ -84,10 +88,14 @@ export const actions = {
 				return fail(500, { message: "Database failure"})
 			}
 		}
+		
+		let permissions = null
+		if (ua_permissions.length > 0) {
+			permissions = ua_permissions.reduce((pv, cv) => pv | cv)

-		let permissions = ua_permissions.reduce((pv, cv) => pv | cv)
-		if (locals.user.id == id && locals.user.permissions != permissions) {
-			return fail(403, { message: "Cannot modify permissions for oneself" })
+			if (locals.user.id == id && locals.user.permissions != permissions) {
+				return fail(403, { message: "Cannot modify permissions for oneself" })
+			}
 		}

 		const updated_user = updateUser({id, name, gender, address, username, permissions})
--- a/src/routes/user/+page.svelte
+++ b/src/routes/user/+page.svelte
@ -71,6 +71,7 @@
 	</table>
 	
 	{#if data.user?.id == data.loggedInAs.id || Permissions.has(data.loggedInAs.permissions ?? 0, Permissions.USERADMIN.EDIT_PASSWORD)}
+	{@const disabled = data.user?.id == data.loggedInAs.id}
 		<table>
 			<colgroup>
 				<col class="leader2" />
@ -86,15 +87,15 @@
 					<td>Benutzerverwaltung</td>
 					<td>
 						<div class="permission-selector">
+							<input type=hidden name="USERADMIN" value="0" disabled={disabled} />
 							{#each Permissions.iterate(Permissions.USERADMIN) as permission}
 								<label>
 									<input 
 											type="checkbox" 
-											id={permission.value} 
 											name="USERADMIN" 
 											value={permission.value}
 											checked={Permissions.has(data.user.permissions, permission.value)} 
-											disabled={data.user?.id == data.loggedInAs.id}
+											disabled={disabled}
 											data-bits={Permissions.deconstruct(permission.value).join(" ")} 
 											onclick={(event) => {
 										const target = event.target as HTMLInputElement