Merge pull request #102 from WXYC/fix-admin-panel

JacksonMeade · web-flow · commit cbe98dfe1792 · 2026-01-03T14:25:48.000-05:00
diff --git a/apps/auth/app.ts b/apps/auth/app.ts
@@ -148,16 +148,73 @@ const createDefaultUser = async () => {
       },
     });
 
-    console.log('Default user created successfully.');
+    // Set admin role for stationManager in default organization
+    // This ensures the user has admin permissions for Better Auth Admin plugin
+    const { db, user } = await import('@wxyc/database');
+    const { eq } = await import('drizzle-orm');
+    await db
+      .update(user)
+      .set({ role: 'admin' })
+      .where(eq(user.id, newUser.id));
+
+    console.log('Default user created successfully with admin role.');
   } catch (error) {
     console.error('Error creating default user!');
     throw error;
   }
 };
 
-// Initialize default user before starting the server
+// Fix admin roles for existing stationManagers (one-time migration)
+const syncAdminRoles = async () => {
+  try {
+    const { db, user, member, organization } = await import('@wxyc/database');
+    const { eq, sql } = await import('drizzle-orm');
+    
+    const defaultOrgSlug = process.env.DEFAULT_ORG_SLUG;
+    if (!defaultOrgSlug) {
+      console.log('[ADMIN PERMISSIONS] DEFAULT_ORG_SLUG not set, skipping admin role fix');
+      return;
+    }
+
+    // Find all users who are stationManager/admin/owner in default org but don't have admin role
+    const usersNeedingFix = await db
+      .select({
+        userId: user.id,
+        userEmail: user.email,
+        userRole: user.role,
+        memberRole: member.role,
+      })
+      .from(user)
+      .innerJoin(member, sql`${member.userId} = ${user.id}` as any)
+      .innerJoin(organization, sql`${member.organizationId} = ${organization.id}` as any)
+      .where(
+        sql`${organization.slug} = ${defaultOrgSlug}
+        AND ${member.role} IN ('admin', 'owner', 'stationManager')
+        AND (${user.role} IS NULL OR ${user.role} != 'admin')` as any
+      );
+
+    if (usersNeedingFix.length > 0) {
+      console.log(`[ADMIN PERMISSIONS] Found ${usersNeedingFix.length} users needing admin role fix:`);
+      for (const u of usersNeedingFix) {
+        console.log(`[ADMIN PERMISSIONS] - ${u.userEmail} (${u.memberRole}) - current role: ${u.userRole || 'null'}`);
+        await db
+          .update(user)
+          .set({ role: 'admin' })
+          .where(eq(user.id, u.userId));
+        console.log(`[ADMIN PERMISSIONS] - Fixed: ${u.userEmail} now has admin role`);
+      }
+    } else {
+      console.log('[ADMIN PERMISSIONS] All stationManagers already have admin role');
+    }
+  } catch (error) {
+    console.error('[ADMIN PERMISSIONS] Error fixing admin roles:', error);
+  }
+};
+
+// Initialize default user and sync admin roles before starting the server
 (async () => {
   await createDefaultUser();
+  await syncAdminRoles();
 
   app.listen(parseInt(port), async () => {
     console.log(`listening on port: ${port}! (auth service)`);
diff --git a/shared/authentication/src/auth.definition.ts b/shared/authentication/src/auth.definition.ts
@@ -96,6 +96,144 @@ export const auth = betterAuth({
       organizationLimit: 1, // Users can only be in one organization
       roles: WXYCRoles,
       // Role information is included via custom JWT definePayload function above
+      organizationHooks: {
+        // Sync global user.role when members are added to default organization
+        afterAddMember: async ({ member, user: userData, organization: orgData }) => {
+          try {
+            const defaultOrgSlug = process.env.DEFAULT_ORG_SLUG;
+            if (!defaultOrgSlug) {
+              console.warn(
+                "DEFAULT_ORG_SLUG is not set, skipping admin role sync"
+              );
+              return;
+            }
+
+            // Only update for default organization
+            if (orgData.slug !== defaultOrgSlug) {
+              return;
+            }
+
+            // Check if role should grant admin permissions
+            const adminRoles = ["stationManager", "admin", "owner"];
+            if (adminRoles.includes(member.role)) {
+              // Update user.role to "admin" for Better Auth Admin plugin
+              const userId = userData.id;
+              await db
+                .update(user)
+                .set({ role: "admin" })
+                .where(eq(user.id, userId));
+              console.log(
+                `Granted admin role to user ${userId} (${userData.email}) with ${member.role} role in default organization`
+              );
+            }
+          } catch (error) {
+            console.error("Error syncing admin role in afterAddMember:", error);
+          }
+        },
+
+        // Sync global user.role when member roles are updated
+        afterUpdateMemberRole: async ({
+          member,
+          previousRole,
+          user: userData,
+          organization: orgData,
+        }) => {
+          try {
+            const defaultOrgSlug = process.env.DEFAULT_ORG_SLUG;
+            if (!defaultOrgSlug) {
+              console.warn(
+                "DEFAULT_ORG_SLUG is not set, skipping admin role sync"
+              );
+              return;
+            }
+
+            // Only update for default organization
+            if (orgData.slug !== defaultOrgSlug) {
+              return;
+            }
+
+            const adminRoles = ["stationManager", "admin", "owner"];
+            const shouldHaveAdmin = adminRoles.includes(member.role);
+            const previouslyHadAdmin = adminRoles.includes(previousRole);
+
+            const userId = userData.id;
+            if (shouldHaveAdmin && !previouslyHadAdmin) {
+              // Promoted to admin role - grant admin
+              await db
+                .update(user)
+                .set({ role: "admin" })
+                .where(eq(user.id, userId));
+              console.log(
+                `Granted admin role to user ${userId} (${userData.email}) after promotion to ${member.role}`
+              );
+            } else if (!shouldHaveAdmin && previouslyHadAdmin) {
+              // Demoted from admin role - remove admin
+              await db
+                .update(user)
+                .set({ role: null })
+                .where(eq(user.id, userId));
+              console.log(
+                `Removed admin role from user ${userId} (${userData.email}) after demotion from ${previousRole} to ${member.role}`
+              );
+            }
+          } catch (error) {
+            console.error(
+              "Error syncing admin role in afterUpdateMemberRole:",
+              error
+            );
+          }
+        },
+
+        // Sync global user.role when members are removed from default organization
+        afterRemoveMember: async ({ user: userData, organization: orgData }) => {
+          try {
+            const defaultOrgSlug = process.env.DEFAULT_ORG_SLUG;
+            if (!defaultOrgSlug) {
+              console.warn(
+                "DEFAULT_ORG_SLUG is not set, skipping admin role sync"
+              );
+              return;
+            }
+
+            // Only update for default organization
+            if (orgData.slug !== defaultOrgSlug) {
+              return;
+            }
+
+            // Check if user has any other memberships with admin roles
+            const otherAdminMemberships = await db
+              .select({ role: member.role })
+              .from(member)
+              .innerJoin(
+                organization,
+                sql`${member.organizationId} = ${organization.id}` as any
+              )
+              .where(
+                sql`${member.userId} = ${userData.id}
+                AND ${organization.slug} = ${defaultOrgSlug}
+                AND ${member.role} IN ('admin', 'owner', 'stationManager')` as any
+              )
+              .limit(1);
+
+            // If no other admin memberships exist, remove admin role
+            if (otherAdminMemberships.length === 0) {
+              const userId = userData.id;
+              await db
+                .update(user)
+                .set({ role: null })
+                .where(eq(user.id, userId));
+              console.log(
+                `Removed admin role from user ${userId} (${userData.email}) after removal from default organization`
+              );
+            }
+          } catch (error) {
+            console.error(
+              "Error syncing admin role in afterRemoveMember:",
+              error
+            );
+          }
+        },
+      },
     }),
   ],
 
@@ -110,43 +248,6 @@ export const auth = betterAuth({
     },
   },
 
-  // Admin configuration - organization owners/admins/stationManagers are admins
-  admin: {
-    // Check if user has admin, owner, or stationManager role in the WXYC organization
-    requireAdmin: async (user: any, request?: any) => {
-      if (!user?.id) return false;
-
-      try {
-        const defaultOrgSlug = process.env.DEFAULT_ORG_SLUG;
-
-        if (!defaultOrgSlug) {
-          throw new Error(
-            "DEFAULT_ORG_SLUG is not set in environment variables."
-          );
-        }
-
-        // Query the member table to check if user has admin/owner/stationManager role in WXYC org
-        const adminMember = await db
-          .select({ memberId: member.id })
-          .from(member)
-          .innerJoin(
-            organization,
-            sql`${member.organizationId} = ${organization.id}` as any
-          )
-          .where(
-            sql`${member.userId} = ${user.id}
-            AND ${organization.slug} = ${defaultOrgSlug}
-            AND ${member.role} IN ('admin', 'owner', 'stationManager')` as any
-          )
-          .limit(1);
-
-        return adminMember.length > 0;
-      } catch (error) {
-        console.error("Error checking admin status:", error);
-        return false;
-      }
-    },
-  },
 });
 
 export type Auth = typeof auth;
