feat: add admin role management and user deletion

Admins can now change user roles and permanently delete user accounts. - New SetRole store method with validation (user/admin only) - New Delete store method — cascades via foreign keys to sessions, faves, and fave_tags - handleAdminSetRole: change role with self-modification prevention - handleAdminDeleteUser: permanent deletion with image cleanup from disk before cascade delete, self-deletion prevention - admin_users.html: role dropdown with save button per user row, delete button with hx-confirm for safety - Routes: POST /admin/users/{id}/role, POST /admin/users/{id}/delete Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 10:18:00 +02:00 · 2026-04-07 10:18:00 +02:00 · 254573316a
commit 254573316a
parent b186fb4bc5
4 changed files with 195 additions and 0 deletions
--- a/web/templates/pages/admin_users.html
+++ b/web/templates/pages/admin_users.html
@ -54,6 +54,14 @@
            </td>
            <td>{{.CreatedAt.Format "02.01.2006"}}</td>
            <td>
+                <form method="POST" action="{{basePath}}/admin/users/{{.ID}}/role" class="inline-form">
+                    <input type="hidden" name="csrf_token" value="{{$.CSRFToken}}">
+                    <select name="role" class="inline-input">
+                        <option value="user" {{if eq .Role "user"}}selected{{end}}>Bruker</option>
+                        <option value="admin" {{if eq .Role "admin"}}selected{{end}}>Admin</option>
+                    </select>
+                    <button type="submit" class="outline nav-button">Lagre</button>
+                </form>
                <form method="POST" action="{{basePath}}/admin/users/{{.ID}}/reset-password" class="inline-form">
                    <input type="hidden" name="csrf_token" value="{{$.CSRFToken}}">
                    <button type="submit" class="outline secondary nav-button">Tilbakestill passord</button>
@ -64,6 +72,14 @@
                        {{if .Disabled}}Aktiver{{else}}Deaktiver{{end}}
                    </button>
                </form>
+                <button
+                    hx-post="{{basePath}}/admin/users/{{.ID}}/delete"
+                    hx-confirm="Er du HELT sikker? Dette sletter brukeren og alle favorittene permanent."
+                    hx-target="closest tr"
+                    hx-swap="outerHTML"
+                    class="outline secondary nav-button"
+                    style="color: var(--pico-del-color);"
+                >Slett</button>
            </td>
        </tr>
        {{end}}