diff --git a/Makefile b/Makefile index a8de0d3..30bca30 100644 --- a/Makefile +++ b/Makefile @@ -1,9 +1,9 @@ .PHONY: build frontend-build dev clean test patch minor major LAST_TAG := $(shell git tag --sort=-v:refname | head -1) -MAJOR := $(shell echo $(LAST_TAG) | cut -d. -f1) -MINOR := $(shell echo $(LAST_TAG) | cut -d. -f2) -PATCH := $(shell echo $(LAST_TAG) | cut -d. -f3) +MAJOR := $(shell echo $(LAST_TAG) | sed 's/^v//' | cut -d. -f1) +MINOR := $(shell echo $(LAST_TAG) | sed 's/^v//' | cut -d. -f2) +PATCH := $(shell echo $(LAST_TAG) | sed 's/^v//' | cut -d. -f3) build: frontend-build CGO_ENABLED=0 go build -ldflags "-X main.buildID=$$(git rev-parse --short HEAD)" -o turnpike . @@ -25,13 +25,13 @@ clean: rm -rf frontend/dist patch: - git tag $(MAJOR).$(MINOR).$(shell echo $$(($(PATCH)+1))) - @echo "Tagged $(MAJOR).$(MINOR).$(shell echo $$(($(PATCH)+1)))" + git tag v$(MAJOR).$(MINOR).$(shell echo $$(($(PATCH)+1))) + @echo "Tagged v$(MAJOR).$(MINOR).$(shell echo $$(($(PATCH)+1)))" minor: - git tag $(MAJOR).$(shell echo $$(($(MINOR)+1))).0 - @echo "Tagged $(MAJOR).$(shell echo $$(($(MINOR)+1))).0" + git tag v$(MAJOR).$(shell echo $$(($(MINOR)+1))).0 + @echo "Tagged v$(MAJOR).$(shell echo $$(($(MINOR)+1))).0" major: - git tag $(shell echo $$(($(MAJOR)+1))).0.0 - @echo "Tagged $(shell echo $$(($(MAJOR)+1))).0.0" + git tag v$(shell echo $$(($(MAJOR)+1))).0.0 + @echo "Tagged v$(shell echo $$(($(MAJOR)+1))).0.0" diff --git a/auth.go b/auth.go index b675e6f..c2d11af 100644 --- a/auth.go +++ b/auth.go @@ -12,10 +12,10 @@ import ( ) type Claims struct { - ParticipantID int `json:"pid"` - Email string `json:"sub"` - Roles []string `json:"roles"` - DeptIDs []int `json:"dept_ids,omitempty"` + UserID int `json:"uid"` + Username string `json:"sub"` + Role string `json:"role"` + DeptIDs []int `json:"dept_ids,omitempty"` jwt.RegisteredClaims } @@ -28,13 +28,13 @@ func checkPassword(hash, password string) bool { return bcrypt.CompareHashAndPassword([]byte(hash), []byte(password)) == nil } -func (app *App) signToken(s *User) (string, error) { +func (app *App) signToken(u *User) (string, error) { expiry := time.Duration(app.tokenExpiry) * time.Hour claims := Claims{ - ParticipantID: s.ID, - Email: s.Email, - Roles: s.Roles, - DeptIDs: s.DepartmentIDs, + UserID: u.ID, + Username: u.Username, + Role: u.Role, + DeptIDs: u.DepartmentIDs, RegisteredClaims: jwt.RegisteredClaims{ ExpiresAt: jwt.NewNumericDate(time.Now().Add(expiry)), IssuedAt: jwt.NewNumericDate(time.Now()), @@ -88,7 +88,7 @@ func (app *App) requireAuth(next http.HandlerFunc, roles ...string) http.Handler writeError(w, "unauthorized", http.StatusUnauthorized) return } - if len(roles) > 0 && !hasAnyRole(claims.Roles, roles) { + if len(roles) > 0 && !hasRole(claims.Role, roles) { writeError(w, "forbidden", http.StatusForbidden) return } @@ -97,25 +97,9 @@ func (app *App) requireAuth(next http.HandlerFunc, roles ...string) http.Handler } } -func hasAnyRole(roles []string, allowed []string) bool { - for _, r := range roles { - for _, a := range allowed { - if r == a { - return true - } - } - } - return false -} - -func isCoLeadOnly(claims *Claims) bool { - return hasAnyRole(claims.Roles, []string{"colead"}) && - !hasAnyRole(claims.Roles, []string{"admin", "staffing"}) -} - -func inSlice(v int, s []int) bool { - for _, x := range s { - if x == v { +func hasRole(role string, allowed []string) bool { + for _, r := range allowed { + if r == role { return true } } diff --git a/auth_test.go b/auth_test.go index 602c6cf..f611bc1 100644 --- a/auth_test.go +++ b/auth_test.go @@ -12,7 +12,7 @@ func TestLoginValid(t *testing.T) { mux := testMux(app) req := testRequest("POST", "/api/login", map[string]string{ - "email": admin.Email, + "username": admin.Username, "password": "admin123", }) w := httptest.NewRecorder() @@ -26,7 +26,7 @@ func TestLoginValid(t *testing.T) { t.Error("missing token in response") } user, ok := result["user"].(map[string]any) - if !ok || user["email"] != "oberon@athens.example" { + if !ok || user["username"] != "admin" { t.Errorf("user = %v", result["user"]) } } @@ -37,7 +37,7 @@ func TestLoginWrongPassword(t *testing.T) { mux := testMux(app) req := testRequest("POST", "/api/login", map[string]string{ - "email": "oberon@athens.example", + "username": "admin", "password": "wrong", }) w := httptest.NewRecorder() @@ -53,7 +53,7 @@ func TestLoginNonexistentUser(t *testing.T) { mux := testMux(app) req := testRequest("POST", "/api/login", map[string]string{ - "email": "nobody@test.com", + "username": "nobody", "password": "test", }) w := httptest.NewRecorder() @@ -94,7 +94,8 @@ func TestAuthMiddlewareRoleEnforcement(t *testing.T) { app := testApp(t) mux := testMux(app) - gate := testUserWithRoles(t, app, "Starveling", []string{"gatekeeper"}, []int{}) + // Create a gate user — should not be able to access /api/users (admin only) + gate := testUserWithRole(t, app, "gateuser", "gatekeeper", []int{}) token := testToken(t, app, gate) req := testAuthRequest("GET", "/api/users", nil, token) @@ -120,7 +121,7 @@ func TestMeEndpoint(t *testing.T) { t.Fatalf("status = %d", w.Code) } result := parseJSON(t, w) - if result["email"] != "oberon@athens.example" { - t.Errorf("email = %v", result["email"]) + if result["username"] != "admin" { + t.Errorf("username = %v", result["username"]) } } diff --git a/db.go b/db.go index 0ec6716..514460e 100644 --- a/db.go +++ b/db.go @@ -40,6 +40,20 @@ func migrate(db *sql.DB) error { updated_at TEXT NOT NULL DEFAULT (datetime('now')) ); + CREATE TABLE IF NOT EXISTS users ( + id INTEGER PRIMARY KEY AUTOINCREMENT, + username TEXT NOT NULL UNIQUE, + password_hash TEXT NOT NULL, + role TEXT NOT NULL CHECK(role IN ('admin','ticketing','staffing','colead','gatekeeper')), + created_at TEXT NOT NULL DEFAULT (datetime('now')) + ); + + CREATE TABLE IF NOT EXISTS user_departments ( + user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE, + department_id INTEGER NOT NULL REFERENCES departments(id) ON DELETE CASCADE, + PRIMARY KEY (user_id, department_id) + ); + CREATE TABLE IF NOT EXISTS departments ( id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL UNIQUE, @@ -49,24 +63,43 @@ func migrate(db *sql.DB) error { deleted_at TEXT ); - CREATE TABLE IF NOT EXISTS volunteers ( - id INTEGER PRIMARY KEY AUTOINCREMENT, - participant_id INTEGER NOT NULL REFERENCES participants(id) ON DELETE CASCADE, - department_id INTEGER REFERENCES departments(id) ON DELETE SET NULL, - is_lead INTEGER NOT NULL DEFAULT 0, - ready INTEGER NOT NULL DEFAULT 0, - ready_at TEXT, - confirmed INTEGER NOT NULL DEFAULT 0, - confirmed_at TEXT, - kiosk_code TEXT, - note TEXT NOT NULL DEFAULT '', - created_at TEXT NOT NULL DEFAULT (datetime('now')), - updated_at TEXT NOT NULL DEFAULT (datetime('now')), - deleted_at TEXT + CREATE TABLE IF NOT EXISTS attendees ( + id INTEGER PRIMARY KEY AUTOINCREMENT, + name TEXT NOT NULL, + email TEXT NOT NULL DEFAULT '', + phone TEXT NOT NULL DEFAULT '', + ticket_id TEXT NOT NULL DEFAULT '', + ticket_type TEXT NOT NULL DEFAULT '', + volunteer_token TEXT UNIQUE, + party_size INTEGER NOT NULL DEFAULT 1, + checked_in INTEGER NOT NULL DEFAULT 0, + checked_in_count INTEGER NOT NULL DEFAULT 0, + checked_in_at TEXT, + checked_in_by INTEGER REFERENCES users(id), + note TEXT NOT NULL DEFAULT '', + created_at TEXT NOT NULL DEFAULT (datetime('now')), + updated_at TEXT NOT NULL DEFAULT (datetime('now')), + deleted_at TEXT ); - CREATE UNIQUE INDEX IF NOT EXISTS idx_volunteers_kiosk_code - ON volunteers(kiosk_code) WHERE kiosk_code IS NOT NULL; + CREATE UNIQUE INDEX IF NOT EXISTS idx_attendees_name_ticket + ON attendees(name, ticket_id) WHERE deleted_at IS NULL; + + CREATE TABLE IF NOT EXISTS volunteers ( + id INTEGER PRIMARY KEY AUTOINCREMENT, + attendee_id INTEGER REFERENCES attendees(id) ON DELETE SET NULL, + name TEXT NOT NULL, + email TEXT NOT NULL DEFAULT '', + phone TEXT NOT NULL DEFAULT '', + department_id INTEGER REFERENCES departments(id) ON DELETE SET NULL, + is_lead INTEGER NOT NULL DEFAULT 0, + ready INTEGER NOT NULL DEFAULT 0, + ready_at TEXT, + note TEXT NOT NULL DEFAULT '', + created_at TEXT NOT NULL DEFAULT (datetime('now')), + updated_at TEXT NOT NULL DEFAULT (datetime('now')), + deleted_at TEXT + ); CREATE TABLE IF NOT EXISTS shifts ( id INTEGER PRIMARY KEY AUTOINCREMENT, @@ -86,25 +119,19 @@ func migrate(db *sql.DB) error { shift_id INTEGER NOT NULL REFERENCES shifts(id) ON DELETE CASCADE, confirmed INTEGER NOT NULL DEFAULT 1, updated_at TEXT NOT NULL DEFAULT (datetime('now')), - deleted_at TEXT, PRIMARY KEY (volunteer_id, shift_id) ); CREATE TABLE IF NOT EXISTS participants ( - id INTEGER PRIMARY KEY AUTOINCREMENT, - email TEXT NOT NULL DEFAULT '', - preferred_name TEXT NOT NULL DEFAULT '', - ticket_name TEXT NOT NULL DEFAULT '', - phone TEXT NOT NULL DEFAULT '', - pronouns TEXT NOT NULL DEFAULT '', - note TEXT NOT NULL DEFAULT '', - email_confirmed INTEGER NOT NULL DEFAULT 0, - confirmation_token TEXT, - password_hash TEXT, - login_enabled INTEGER NOT NULL DEFAULT 0, - created_at TEXT NOT NULL DEFAULT (datetime('now')), - updated_at TEXT NOT NULL DEFAULT (datetime('now')), - deleted_at TEXT + id INTEGER PRIMARY KEY AUTOINCREMENT, + email TEXT NOT NULL DEFAULT '', + preferred_name TEXT NOT NULL DEFAULT '', + phone TEXT NOT NULL DEFAULT '', + pronouns TEXT NOT NULL DEFAULT '', + note TEXT NOT NULL DEFAULT '', + created_at TEXT NOT NULL DEFAULT (datetime('now')), + updated_at TEXT NOT NULL DEFAULT (datetime('now')), + deleted_at TEXT ); CREATE UNIQUE INDEX IF NOT EXISTS idx_participants_email @@ -120,7 +147,7 @@ func migrate(db *sql.DB) error { order_id TEXT NOT NULL DEFAULT '', code TEXT UNIQUE, checked_in_at TEXT, - checked_in_by INTEGER REFERENCES participants(id), + checked_in_by INTEGER REFERENCES users(id), created_at TEXT NOT NULL DEFAULT (datetime('now')), updated_at TEXT NOT NULL DEFAULT (datetime('now')), deleted_at TEXT @@ -128,29 +155,220 @@ func migrate(db *sql.DB) error { CREATE UNIQUE INDEX IF NOT EXISTS idx_tickets_source_external ON tickets(source, external_id) WHERE external_id != '' AND deleted_at IS NULL; - - CREATE TABLE IF NOT EXISTS participant_roles ( - participant_id INTEGER NOT NULL REFERENCES participants(id) ON DELETE CASCADE, - role TEXT NOT NULL CHECK(role IN ('admin','staffing','colead','gatekeeper')), - PRIMARY KEY (participant_id, role) - ); - - CREATE TABLE IF NOT EXISTS participant_departments ( - participant_id INTEGER NOT NULL REFERENCES participants(id) ON DELETE CASCADE, - department_id INTEGER NOT NULL REFERENCES departments(id) ON DELETE CASCADE, - PRIMARY KEY (participant_id, department_id) - ); - - CREATE TABLE IF NOT EXISTS sso_nonces ( - nonce TEXT PRIMARY KEY, - created_at TEXT NOT NULL DEFAULT (datetime('now')) - ); `) - return err + if err != nil { + return err + } + return migrateV2(db) +} + +// migrateV2 adds new columns to existing databases without data loss. +func migrateV2(db *sql.DB) error { + addColumnIfMissing(db, "attendees", "volunteer_token TEXT UNIQUE") + addColumnIfMissing(db, "attendees", "party_size INTEGER NOT NULL DEFAULT 1") + addColumnIfMissing(db, "attendees", "checked_in_count INTEGER NOT NULL DEFAULT 0") + addColumnIfMissing(db, "shifts", "position INTEGER NOT NULL DEFAULT 0") + addColumnIfMissing(db, "volunteer_shifts", "deleted_at TEXT") + addColumnIfMissing(db, "volunteers", "preferred_name TEXT NOT NULL DEFAULT ''") + addColumnIfMissing(db, "volunteers", "ticket_name TEXT NOT NULL DEFAULT ''") + addColumnIfMissing(db, "volunteers", "pronouns TEXT NOT NULL DEFAULT ''") + addColumnIfMissing(db, "volunteers", "email_confirmed INTEGER NOT NULL DEFAULT 0") + addColumnIfMissing(db, "volunteers", "confirmation_token TEXT") + addColumnIfMissing(db, "volunteers", "confirmed INTEGER NOT NULL DEFAULT 0") + addColumnIfMissing(db, "volunteers", "confirmed_at TEXT") + addColumnIfMissing(db, "volunteers", "kiosk_code TEXT") + renameColumnIfExists(db, "volunteers", "checked_in", "ready") + renameColumnIfExists(db, "volunteers", "checked_in_at", "ready_at") + db.Exec(`CREATE UNIQUE INDEX IF NOT EXISTS idx_volunteers_kiosk_code ON volunteers(kiosk_code) WHERE kiosk_code IS NOT NULL`) + // Migrate kiosk codes from tickets to volunteers (idempotent). + db.Exec(` + UPDATE volunteers SET kiosk_code = ( + SELECT t.code FROM tickets t + WHERE t.participant_id = volunteers.participant_id + AND t.code IS NOT NULL AND t.deleted_at IS NULL + LIMIT 1 + ) WHERE kiosk_code IS NULL AND participant_id IS NOT NULL`) + // Delete stub tickets whose code has been migrated to the volunteer. + db.Exec(` + DELETE FROM tickets + WHERE source = 'manual' AND external_id = '' AND code IS NOT NULL + AND participant_id IN (SELECT id FROM volunteers WHERE kiosk_code IS NOT NULL)`) + // Widen the uniqueness constraint from name-only to (name, ticket_id). + db.Exec(`DROP INDEX IF EXISTS idx_attendees_name`) + db.Exec(`CREATE UNIQUE INDEX IF NOT EXISTS idx_attendees_name_ticket ON attendees(name, ticket_id) WHERE deleted_at IS NULL`) + return migrateV3(db) +} + +// migrateV3 populates participants + tickets from attendees/volunteers, +// and links volunteers to participants via participant_id. +func migrateV3(db *sql.DB) error { + addColumnIfMissing(db, "volunteers", "participant_id INTEGER REFERENCES participants(id)") + addColumnIfMissing(db, "participants", "ticket_name TEXT NOT NULL DEFAULT ''") + + // Seed participants from volunteers first (better name data: preferred_name). + db.Exec(` + INSERT OR IGNORE INTO participants (email, preferred_name, phone, pronouns, created_at, updated_at) + SELECT + LOWER(email), + CASE WHEN preferred_name != '' THEN preferred_name ELSE name END, + phone, + pronouns, + created_at, + created_at + FROM volunteers + WHERE email != '' AND deleted_at IS NULL`) + + // Fill in from attendees for emails not yet in participants. + db.Exec(` + INSERT OR IGNORE INTO participants (email, preferred_name, phone, created_at, updated_at) + SELECT LOWER(email), name, phone, created_at, created_at + FROM attendees + WHERE email != '' AND deleted_at IS NULL`) + + // Attendees with no email: create a placeholder participant so tickets aren't orphaned. + rows, _ := db.Query(`SELECT id, name, created_at FROM attendees WHERE email = '' AND deleted_at IS NULL`) + if rows != nil { + type stub struct { + id, name, createdAt string + } + var stubs []stub + for rows.Next() { + var s stub + rows.Scan(&s.id, &s.name, &s.createdAt) + stubs = append(stubs, s) + } + rows.Close() + for _, s := range stubs { + placeholder := fmt.Sprintf("ticket-%s@unknown", s.id) + db.Exec(`INSERT OR IGNORE INTO participants (email, preferred_name, created_at, updated_at) VALUES (?, ?, ?, ?)`, + placeholder, s.name, s.createdAt, s.createdAt) + } + } + + // Link volunteers to participants via email. + db.Exec(` + UPDATE volunteers SET participant_id = ( + SELECT p.id FROM participants p WHERE LOWER(p.email) = LOWER(volunteers.email) + ) + WHERE participant_id IS NULL AND email != ''`) + + // Seed tickets from attendees (1 ticket per attendee row). + db.Exec(` + INSERT OR IGNORE INTO tickets (participant_id, name, ticket_type, source, external_id, order_id, code, checked_in_at, checked_in_by, created_at, updated_at, deleted_at) + SELECT + p.id, + a.name, + a.ticket_type, + CASE WHEN a.ticket_id != '' THEN 'crowdwork' ELSE 'manual' END, + a.ticket_id, + a.ticket_id, + a.volunteer_token, + a.checked_in_at, + a.checked_in_by, + a.created_at, + a.updated_at, + a.deleted_at + FROM attendees a + JOIN participants p ON LOWER(p.email) = LOWER(a.email) OR p.email = 'ticket-' || a.id || '@unknown'`) + + // Volunteers whose participant has no ticket: create a stub ticket so they can get a kiosk code. + db.Exec(` + INSERT OR IGNORE INTO tickets (participant_id, source, created_at, updated_at) + SELECT DISTINCT v.participant_id, 'manual', v.created_at, v.created_at + FROM volunteers v + WHERE v.participant_id IS NOT NULL + AND v.deleted_at IS NULL + AND NOT EXISTS (SELECT 1 FROM tickets t WHERE t.participant_id = v.participant_id AND t.deleted_at IS NULL)`) + + return migrateV4(db) +} + +// migrateV4 renames roles: volunteer_lead→colead, coordinator→staffing, gate→gatekeeper. +func migrateV4(db *sql.DB) error { + var count int + if err := db.QueryRow(`SELECT COUNT(*) FROM users WHERE role IN ('volunteer_lead','coordinator','gate')`).Scan(&count); err != nil || count == 0 { + return nil + } + if _, err := db.Exec(`PRAGMA foreign_keys = OFF`); err != nil { + return err + } + stmts := []string{ + `CREATE TABLE users_v4 ( + id INTEGER PRIMARY KEY AUTOINCREMENT, + username TEXT NOT NULL UNIQUE, + password_hash TEXT NOT NULL, + role TEXT NOT NULL CHECK(role IN ('admin','ticketing','staffing','colead','gatekeeper')), + created_at TEXT NOT NULL DEFAULT (datetime('now')) + )`, + `INSERT INTO users_v4 (id, username, password_hash, role, created_at) + SELECT id, username, password_hash, + CASE role + WHEN 'volunteer_lead' THEN 'colead' + WHEN 'coordinator' THEN 'staffing' + WHEN 'gate' THEN 'gatekeeper' + ELSE role + END, + created_at + FROM users`, + `DROP TABLE users`, + `ALTER TABLE users_v4 RENAME TO users`, + `PRAGMA foreign_keys = ON`, + } + for _, s := range stmts { + if _, err := db.Exec(s); err != nil { + db.Exec(`PRAGMA foreign_keys = ON`) + return fmt.Errorf("migrateV4: %w", err) + } + } + return nil +} + +func addColumnIfMissing(db *sql.DB, table, colDef string) { + colName := strings.Fields(colDef)[0] + rows, err := db.Query(`PRAGMA table_info("` + table + `")`) + if err != nil { + return + } + defer rows.Close() + for rows.Next() { + var cid, notNull, pk int + var name, typ string + var dflt sql.NullString + rows.Scan(&cid, &name, &typ, ¬Null, &dflt, &pk) + if name == colName { + return + } + } + db.Exec(`ALTER TABLE "` + table + `" ADD COLUMN ` + colDef) +} + +func renameColumnIfExists(db *sql.DB, table, oldName, newName string) { + found := false + rows, err := db.Query(`PRAGMA table_info("` + table + `")`) + if err != nil { + return + } + for rows.Next() { + var cid, notNull, pk int + var name, typ string + var dflt sql.NullString + rows.Scan(&cid, &name, &typ, ¬Null, &dflt, &pk) + if name == oldName { + found = true + } + } + rows.Close() + if found { + db.Exec(`ALTER TABLE "` + table + `" RENAME COLUMN "` + oldName + `" TO "` + newName + `"`) + } } // --- Types --- +const attendeeCols = `id, name, email, phone, ticket_id, ticket_type, volunteer_token, + party_size, checked_in, checked_in_count, checked_in_at, checked_in_by, + note, created_at, updated_at, deleted_at` + const shiftCols = `id, department_id, name, day, start_time, end_time, capacity, position, updated_at, deleted_at` const shiftColsS = `s.id, s.department_id, s.name, s.day, s.start_time, s.end_time, s.capacity, s.position, s.updated_at, s.deleted_at` @@ -166,12 +384,30 @@ type Event struct { } type User struct { - ID int `json:"id"` - Email string `json:"email"` - PreferredName string `json:"preferred_name"` - Roles []string `json:"roles"` - DepartmentIDs []int `json:"department_ids"` - CreatedAt string `json:"created_at"` + ID int `json:"id"` + Username string `json:"username"` + Role string `json:"role"` + DepartmentIDs []int `json:"department_ids"` + CreatedAt string `json:"created_at"` +} + +type Attendee struct { + ID int `json:"id"` + Name string `json:"name"` + Email string `json:"email"` + Phone string `json:"phone"` + TicketID string `json:"ticket_id"` + TicketType string `json:"ticket_type"` + VolunteerToken *string `json:"volunteer_token,omitempty"` + PartySize int `json:"party_size"` + CheckedIn bool `json:"checked_in"` + CheckedInCount int `json:"checked_in_count"` + CheckedInAt *string `json:"checked_in_at,omitempty"` + CheckedInBy *int `json:"checked_in_by,omitempty"` + Note string `json:"note"` + CreatedAt string `json:"created_at"` + UpdatedAt string `json:"updated_at"` + DeletedAt *string `json:"deleted_at,omitempty"` } type Department struct { @@ -184,40 +420,40 @@ type Department struct { } type Volunteer struct { + ID int `json:"id"` + ParticipantID *int `json:"participant_id,omitempty"` + AttendeeID *int `json:"attendee_id,omitempty"` // deprecated; kept for migration compat + Name string `json:"name"` + PreferredName string `json:"preferred_name"` + Email string `json:"email"` + Phone string `json:"phone"` + Pronouns string `json:"pronouns"` + DepartmentID *int `json:"department_id,omitempty"` + IsLead bool `json:"is_lead"` + Ready bool `json:"ready"` + ReadyAt *string `json:"ready_at,omitempty"` + Confirmed bool `json:"confirmed"` + ConfirmedAt *string `json:"confirmed_at,omitempty"` + EmailConfirmed bool `json:"email_confirmed"` + ConfirmationToken *string `json:"-"` + KioskCode *string `json:"kiosk_code,omitempty"` + Note string `json:"note"` + CreatedAt string `json:"created_at"` + UpdatedAt string `json:"updated_at"` + DeletedAt *string `json:"deleted_at,omitempty"` +} + +type Participant struct { ID int `json:"id"` - ParticipantID int `json:"participant_id"` - DepartmentID *int `json:"department_id,omitempty"` - IsLead bool `json:"is_lead"` - Ready bool `json:"ready"` - ReadyAt *string `json:"ready_at,omitempty"` - Confirmed bool `json:"confirmed"` - ConfirmedAt *string `json:"confirmed_at,omitempty"` - KioskCode *string `json:"kiosk_code,omitempty"` + Email string `json:"email"` + PreferredName string `json:"preferred_name"` + TicketName string `json:"ticket_name"` + Phone string `json:"phone"` + Pronouns string `json:"pronouns"` Note string `json:"note"` CreatedAt string `json:"created_at"` UpdatedAt string `json:"updated_at"` DeletedAt *string `json:"deleted_at,omitempty"` - // Populated via JOIN from participant, not stored on volunteers table: - Name string `json:"name"` - Email string `json:"email"` - Phone string `json:"phone"` - Pronouns string `json:"pronouns"` - EmailConfirmed bool `json:"email_confirmed"` -} - -type Participant struct { - ID int `json:"id"` - Email string `json:"email"` - PreferredName string `json:"preferred_name"` - TicketName string `json:"ticket_name"` - Phone string `json:"phone"` - Pronouns string `json:"pronouns"` - Note string `json:"note"` - EmailConfirmed bool `json:"email_confirmed"` - ConfirmationToken *string `json:"-"` - CreatedAt string `json:"created_at"` - UpdatedAt string `json:"updated_at"` - DeletedAt *string `json:"deleted_at,omitempty"` } type Ticket struct { @@ -283,45 +519,11 @@ func (app *App) upsertEvent(e Event) error { return err } -// --- Staff (participants with login_enabled) --- +// --- Users --- -func (app *App) getParticipantRoles(participantID int) ([]string, error) { +func (app *App) getUserDeptIDs(userID int) ([]int, error) { rows, err := app.db.Query( - `SELECT role FROM participant_roles WHERE participant_id = ? ORDER BY role`, participantID, - ) - if err != nil { - return nil, err - } - defer rows.Close() - var roles []string - for rows.Next() { - var r string - rows.Scan(&r) - roles = append(roles, r) - } - if roles == nil { - roles = []string{} - } - return roles, rows.Err() -} - -func (app *App) setParticipantRoles(participantID int, roles []string) error { - if _, err := app.db.Exec(`DELETE FROM participant_roles WHERE participant_id = ?`, participantID); err != nil { - return err - } - for _, role := range roles { - if _, err := app.db.Exec( - `INSERT INTO participant_roles (participant_id, role) VALUES (?, ?)`, participantID, role, - ); err != nil { - return err - } - } - return nil -} - -func (app *App) getUserDeptIDs(participantID int) ([]int, error) { - rows, err := app.db.Query( - `SELECT department_id FROM participant_departments WHERE participant_id = ? ORDER BY department_id`, participantID, + `SELECT department_id FROM user_departments WHERE user_id = ? ORDER BY department_id`, userID, ) if err != nil { return nil, err @@ -339,13 +541,14 @@ func (app *App) getUserDeptIDs(participantID int) ([]int, error) { return ids, rows.Err() } -func (app *App) setUserDeptIDs(participantID int, deptIDs []int) error { - if _, err := app.db.Exec(`DELETE FROM participant_departments WHERE participant_id = ?`, participantID); err != nil { +func (app *App) setUserDeptIDs(userID int, deptIDs []int) error { + _, err := app.db.Exec(`DELETE FROM user_departments WHERE user_id = ?`, userID) + if err != nil { return err } for _, deptID := range deptIDs { if _, err := app.db.Exec( - `INSERT INTO participant_departments (participant_id, department_id) VALUES (?, ?)`, participantID, deptID, + `INSERT INTO user_departments (user_id, department_id) VALUES (?, ?)`, userID, deptID, ); err != nil { return err } @@ -353,157 +556,98 @@ func (app *App) setUserDeptIDs(participantID int, deptIDs []int) error { return nil } -func (app *App) getLoginParticipant(email string) (*User, string, error) { - var s User - var hash sql.NullString +func (app *App) getUserByUsername(username string) (*User, string, error) { + var u User + var hash string err := app.db.QueryRow( - `SELECT id, email, preferred_name, password_hash, created_at - FROM participants WHERE LOWER(email) = LOWER(?) AND login_enabled = 1 AND deleted_at IS NULL`, email, - ).Scan(&s.ID, &s.Email, &s.PreferredName, &hash, &s.CreatedAt) + `SELECT id, username, password_hash, role, created_at FROM users WHERE username = ?`, username, + ).Scan(&u.ID, &u.Username, &hash, &u.Role, &u.CreatedAt) if err == sql.ErrNoRows { return nil, "", nil } if err != nil { return nil, "", err } - var hashStr string - if hash.Valid { - hashStr = hash.String - } - s.Roles, _ = app.getParticipantRoles(s.ID) - s.DepartmentIDs, _ = app.getUserDeptIDs(s.ID) - return &s, hashStr, nil + u.DepartmentIDs, err = app.getUserDeptIDs(u.ID) + return &u, hash, err } -func (app *App) getUser(id int) (*User, error) { - var s User +func (app *App) getUserByID(id int) (*User, error) { + var u User err := app.db.QueryRow( - `SELECT id, email, preferred_name, created_at - FROM participants WHERE id = ? AND login_enabled = 1 AND deleted_at IS NULL`, id, - ).Scan(&s.ID, &s.Email, &s.PreferredName, &s.CreatedAt) + `SELECT id, username, role, created_at FROM users WHERE id = ?`, id, + ).Scan(&u.ID, &u.Username, &u.Role, &u.CreatedAt) if err == sql.ErrNoRows { return nil, nil } if err != nil { return nil, err } - s.Roles, _ = app.getParticipantRoles(s.ID) - s.DepartmentIDs, _ = app.getUserDeptIDs(s.ID) - return &s, nil + u.DepartmentIDs, err = app.getUserDeptIDs(u.ID) + return &u, err } func (app *App) listUsers() ([]User, error) { rows, err := app.db.Query( - `SELECT id, email, preferred_name, created_at - FROM participants WHERE login_enabled = 1 AND deleted_at IS NULL ORDER BY preferred_name, email`, + `SELECT id, username, role, created_at FROM users ORDER BY username`, ) if err != nil { return nil, err } defer rows.Close() - var staff []User + var users []User for rows.Next() { - var s User - if err := rows.Scan(&s.ID, &s.Email, &s.PreferredName, &s.CreatedAt); err != nil { + var u User + if err := rows.Scan(&u.ID, &u.Username, &u.Role, &u.CreatedAt); err != nil { return nil, err } - s.Roles = []string{} - s.DepartmentIDs = []int{} - staff = append(staff, s) + u.DepartmentIDs = []int{} + users = append(users, u) } if err := rows.Err(); err != nil { return nil, err } - for i := range staff { - staff[i].Roles, _ = app.getParticipantRoles(staff[i].ID) - staff[i].DepartmentIDs, _ = app.getUserDeptIDs(staff[i].ID) + for i := range users { + users[i].DepartmentIDs, _ = app.getUserDeptIDs(users[i].ID) } - return staff, nil + return users, nil } -func (app *App) createUser(email, preferredName, hash string, roles []string, deptIDs []int) (*User, error) { - // Find or create participant by email. - p, err := app.getParticipantByEmail(email) - if err != nil { - return nil, err - } - if p != nil { - // Participant exists — promote to staff. - if _, err := app.db.Exec( - `UPDATE participants SET password_hash = ?, login_enabled = 1, updated_at = ? WHERE id = ?`, - hash, now(), p.ID, - ); err != nil { - return nil, err - } - if err := app.setParticipantRoles(p.ID, roles); err != nil { - return nil, err - } - if err := app.setUserDeptIDs(p.ID, deptIDs); err != nil { - return nil, err - } - return app.getUser(p.ID) - } - // Create new participant with auth. +func (app *App) createUser(username, hash, role string, deptIDs []int) (*User, error) { res, err := app.db.Exec( - `INSERT INTO participants (email, preferred_name, password_hash, login_enabled, updated_at) - VALUES (?, ?, ?, 1, ?)`, - strings.ToLower(email), preferredName, hash, now(), + `INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)`, + username, hash, role, ) if err != nil { return nil, err } id, _ := res.LastInsertId() - if err := app.setParticipantRoles(int(id), roles); err != nil { - return nil, err - } if err := app.setUserDeptIDs(int(id), deptIDs); err != nil { return nil, err } - return app.getUser(int(id)) + return app.getUserByID(int(id)) } -func (app *App) updateUserRoles(id int, roles []string, deptIDs []int) error { - var enabled int - err := app.db.QueryRow(`SELECT login_enabled FROM participants WHERE id = ? AND deleted_at IS NULL`, id).Scan(&enabled) - if err != nil || enabled != 1 { - return fmt.Errorf("participant not found or not a staff member") - } - if err := app.setParticipantRoles(id, roles); err != nil { +func (app *App) updateUser(id int, role string, deptIDs []int) error { + if _, err := app.db.Exec(`UPDATE users SET role = ? WHERE id = ?`, role, id); err != nil { return err } return app.setUserDeptIDs(id, deptIDs) } func (app *App) updateUserPassword(id int, hash string) error { - _, err := app.db.Exec( - `UPDATE participants SET password_hash = ?, updated_at = ? WHERE id = ? AND login_enabled = 1`, hash, now(), id, - ) + _, err := app.db.Exec(`UPDATE users SET password_hash = ? WHERE id = ?`, hash, id) return err } -func (app *App) removeUser(id int) error { - tx, err := app.db.Begin() - if err != nil { - return err - } - defer tx.Rollback() - if _, err := tx.Exec(`DELETE FROM participant_roles WHERE participant_id = ?`, id); err != nil { - return err - } - if _, err := tx.Exec(`DELETE FROM participant_departments WHERE participant_id = ?`, id); err != nil { - return err - } - if _, err := tx.Exec( - `UPDATE participants SET login_enabled = 0, password_hash = NULL, updated_at = ? WHERE id = ?`, now(), id, - ); err != nil { - return err - } - return tx.Commit() +func (app *App) deleteUser(id int) error { + _, err := app.db.Exec(`DELETE FROM users WHERE id = ?`, id) + return err } func (app *App) countUsers() (int, error) { var n int - err := app.db.QueryRow(`SELECT COUNT(*) FROM participants WHERE login_enabled = 1 AND deleted_at IS NULL`).Scan(&n) + err := app.db.QueryRow(`SELECT COUNT(*) FROM users`).Scan(&n) return n, err } @@ -570,9 +714,177 @@ func (app *App) generateCodesForAll() (int, error) { return count, nil } +// incrementPartySize is kept for backward compatibility with existing tests. +func (app *App) incrementPartySize(name, ticketID string) (bool, error) { + res, err := app.db.Exec( + `UPDATE attendees SET party_size = party_size + 1, updated_at = ? + WHERE name = ? AND ticket_id = ? AND deleted_at IS NULL`, + now(), name, ticketID, + ) + if err != nil { + return false, err + } + n, _ := res.RowsAffected() + return n > 0, nil +} + +// --- Attendees --- + +func (app *App) listAttendees(search, ticketType, checkedIn string) ([]Attendee, error) { + q := `SELECT ` + attendeeCols + ` FROM attendees WHERE deleted_at IS NULL` + var args []any + if search != "" { + q += ` AND (name LIKE ? OR email LIKE ? OR ticket_id LIKE ?)` + s := "%" + search + "%" + args = append(args, s, s, s) + } + if ticketType != "" { + q += ` AND ticket_type = ?` + args = append(args, ticketType) + } + if checkedIn == "true" { + q += ` AND checked_in = 1` + } else if checkedIn == "false" { + q += ` AND checked_in = 0` + } + q += ` ORDER BY name ASC` + return queryAttendees(app.db, q, args...) +} + +func (app *App) getAttendee(id int) (*Attendee, error) { + rows, err := queryAttendees(app.db, + `SELECT `+attendeeCols+` FROM attendees WHERE id = ?`, id) + if err != nil || len(rows) == 0 { + return nil, err + } + return &rows[0], nil +} + +func (app *App) createAttendee(a Attendee) (*Attendee, error) { + res, err := app.db.Exec( + `INSERT INTO attendees (name, email, phone, ticket_id, ticket_type, note, updated_at) + VALUES (?, ?, ?, ?, ?, ?, ?)`, + a.Name, a.Email, a.Phone, a.TicketID, a.TicketType, a.Note, now(), + ) + if err != nil { + return nil, err + } + id, _ := res.LastInsertId() + return app.getAttendee(int(id)) +} + +func (app *App) updateAttendee(a Attendee) error { + _, err := app.db.Exec( + `UPDATE attendees SET name=?, email=?, phone=?, ticket_id=?, ticket_type=?, note=?, updated_at=? + WHERE id = ? AND deleted_at IS NULL`, + a.Name, a.Email, a.Phone, a.TicketID, a.TicketType, a.Note, now(), a.ID, + ) + return err +} + +func (app *App) deleteAttendee(id int) error { + _, err := app.db.Exec( + `UPDATE attendees SET deleted_at = ?, updated_at = ? WHERE id = ?`, now(), now(), id, + ) + return err +} + +// checkInAttendee increments checked_in_count by count (capped at party_size). +// Sets checked_in and checked_in_at on the first check-in. +func (app *App) checkInAttendee(id, userID, count int) (*Attendee, error) { + if count < 1 { + count = 1 + } + a, err := app.getAttendee(id) + if err != nil || a == nil { + return nil, err + } + remaining := a.PartySize - a.CheckedInCount + if count > remaining { + count = remaining + } + if count <= 0 { + return a, nil + } + t := now() + _, err = app.db.Exec(` + UPDATE attendees SET + checked_in_count = checked_in_count + ?, + checked_in = CASE WHEN checked_in = 0 THEN 1 ELSE checked_in END, + checked_in_at = CASE WHEN checked_in = 0 THEN ? ELSE checked_in_at END, + checked_in_by = CASE WHEN checked_in = 0 THEN ? ELSE checked_in_by END, + updated_at = ? + WHERE id = ? AND deleted_at IS NULL`, + count, t, userID, t, id, + ) + if err != nil { + return nil, err + } + return app.getAttendee(id) +} + +func (app *App) attendeesSince(since string) ([]Attendee, error) { + return queryAttendees(app.db, + `SELECT `+attendeeCols+` FROM attendees WHERE updated_at > ? ORDER BY updated_at ASC`, since) +} + +func queryAttendees(db *sql.DB, q string, args ...any) ([]Attendee, error) { + rows, err := db.Query(q, args...) + if err != nil { + return nil, err + } + defer rows.Close() + var result []Attendee + for rows.Next() { + var a Attendee + var checkedIn int + var token sql.NullString + if err := rows.Scan( + &a.ID, &a.Name, &a.Email, &a.Phone, &a.TicketID, &a.TicketType, + &token, &a.PartySize, &checkedIn, &a.CheckedInCount, + &a.CheckedInAt, &a.CheckedInBy, &a.Note, + &a.CreatedAt, &a.UpdatedAt, &a.DeletedAt, + ); err != nil { + return nil, err + } + if token.Valid && token.String != "" { + a.VolunteerToken = &token.String + } + a.CheckedIn = checkedIn == 1 + if a.PartySize < 1 { + a.PartySize = 1 + } + result = append(result, a) + } + return result, rows.Err() +} + +func (app *App) attendeeTicketTypes() ([]string, error) { + rows, err := app.db.Query( + `SELECT DISTINCT ticket_type FROM attendees WHERE ticket_type != '' AND deleted_at IS NULL ORDER BY ticket_type`, + ) + if err != nil { + return nil, err + } + defer rows.Close() + var types []string + for rows.Next() { + var t string + rows.Scan(&t) + types = append(types, t) + } + return types, rows.Err() +} + +func (app *App) attendeeCounts() (total, checkedIn int, err error) { + app.db.QueryRow(`SELECT COUNT(*) FROM attendees WHERE deleted_at IS NULL`).Scan(&total) + app.db.QueryRow(`SELECT COUNT(*) FROM attendees WHERE checked_in=1 AND deleted_at IS NULL`).Scan(&checkedIn) + return +} + // --- Participants --- -const participantCols = `id, email, preferred_name, ticket_name, phone, pronouns, note, email_confirmed, confirmation_token, created_at, updated_at, deleted_at` +const participantCols = `id, email, preferred_name, ticket_name, phone, pronouns, note, created_at, updated_at, deleted_at` func (app *App) listParticipants(search, since string) ([]Participant, error) { var q string @@ -612,8 +924,8 @@ func (app *App) getParticipantByEmail(email string) (*Participant, error) { func (app *App) createParticipant(p Participant) (*Participant, error) { res, err := app.db.Exec( - `INSERT INTO participants (email, preferred_name, ticket_name, phone, pronouns, note, email_confirmed, confirmation_token, updated_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`, - strings.ToLower(p.Email), p.PreferredName, p.TicketName, p.Phone, p.Pronouns, p.Note, boolInt(p.EmailConfirmed), p.ConfirmationToken, now(), + `INSERT INTO participants (email, preferred_name, ticket_name, phone, pronouns, note, updated_at) VALUES (?, ?, ?, ?, ?, ?, ?)`, + strings.ToLower(p.Email), p.PreferredName, p.TicketName, p.Phone, p.Pronouns, p.Note, now(), ) if err != nil { return nil, err @@ -653,8 +965,6 @@ func (app *App) mergeParticipants(canonicalID, otherID int) error { ); err != nil { return err } - app.db.Exec(`INSERT OR IGNORE INTO participant_roles (participant_id, role) SELECT ?, role FROM participant_roles WHERE participant_id = ?`, canonicalID, otherID) - app.db.Exec(`INSERT OR IGNORE INTO participant_departments (participant_id, department_id) SELECT ?, department_id FROM participant_departments WHERE participant_id = ?`, canonicalID, otherID) _, err := app.db.Exec( `UPDATE participants SET deleted_at=?, updated_at=? WHERE id=?`, ts, ts, otherID, ) @@ -670,19 +980,12 @@ func queryParticipants(db *sql.DB, q string, args ...any) ([]Participant, error) var result []Participant for rows.Next() { var p Participant - var emailConfirmed int - var confirmationToken sql.NullString if err := rows.Scan( &p.ID, &p.Email, &p.PreferredName, &p.TicketName, &p.Phone, &p.Pronouns, &p.Note, - &emailConfirmed, &confirmationToken, &p.CreatedAt, &p.UpdatedAt, &p.DeletedAt, ); err != nil { return nil, err } - p.EmailConfirmed = emailConfirmed == 1 - if confirmationToken.Valid { - p.ConfirmationToken = &confirmationToken.String - } result = append(result, p) } return result, rows.Err() @@ -735,6 +1038,15 @@ func (app *App) getTicket(id int) (*Ticket, error) { return &rows[0], nil } +func (app *App) getTicketByCode(code string) (*Ticket, error) { + rows, err := queryTickets(app.db, + `SELECT `+ticketCols+` FROM tickets WHERE code = ? AND deleted_at IS NULL`, code) + if err != nil || len(rows) == 0 { + return nil, err + } + return &rows[0], nil +} + func (app *App) createTicket(t Ticket) (*Ticket, error) { res, err := app.db.Exec( `INSERT INTO tickets (participant_id, name, ticket_type, source, external_id, order_id, code, updated_at) @@ -771,6 +1083,16 @@ func (app *App) deleteTicket(id int) error { return err } +func (app *App) ticketsSince(since string) ([]Ticket, error) { + return queryTickets(app.db, + `SELECT `+ticketCols+` FROM tickets WHERE updated_at > ? ORDER BY updated_at ASC`, since) +} + +func (app *App) participantsSince(since string) ([]Participant, error) { + return queryParticipants(app.db, + `SELECT `+participantCols+` FROM participants WHERE updated_at > ? ORDER BY updated_at ASC`, since) +} + func queryTickets(db *sql.DB, q string, args ...any) ([]Ticket, error) { rows, err := db.Query(q, args...) if err != nil { @@ -895,15 +1217,25 @@ func queryDepartments(db *sql.DB, q string, args ...any) ([]Department, error) { // --- Volunteers --- -const volunteerSelect = `v.id, v.participant_id, - p.preferred_name, p.email, p.phone, p.pronouns, +// volunteerSelect / volunteerFrom are used together for all volunteer queries. +// Personal fields (name, email, phone, pronouns) come from the joined participant when available, +// falling back to the volunteer's own columns for legacy rows. +const volunteerSelect = `v.id, v.participant_id, v.attendee_id, + COALESCE(NULLIF(p.preferred_name,''), NULLIF(v.preferred_name,''), v.name), + COALESCE(NULLIF(p.preferred_name,''), NULLIF(v.preferred_name,''), v.name), + COALESCE(NULLIF(p.email,''), v.email), + COALESCE(NULLIF(p.phone,''), v.phone), + COALESCE(NULLIF(p.pronouns,''), v.pronouns), v.department_id, v.is_lead, v.ready, v.ready_at, v.confirmed, v.confirmed_at, - p.email_confirmed, v.kiosk_code, v.note, + v.email_confirmed, v.confirmation_token, v.kiosk_code, v.note, v.created_at, v.updated_at, v.deleted_at` -const volunteerFrom = `FROM volunteers v INNER JOIN participants p ON p.id = v.participant_id` +const volunteerFrom = `FROM volunteers v LEFT JOIN participants p ON p.id = v.participant_id` -func (app *App) listVolunteers(search string, deptIDs []int, since string) ([]Volunteer, error) { +// volunteerCols is kept for backward-compat references that expect unqualified column names. +const volunteerCols = `id, attendee_id, name, preferred_name, email, phone, pronouns, department_id, is_lead, ready, ready_at, email_confirmed, confirmation_token, note, created_at, updated_at, deleted_at` + +func (app *App) listVolunteers(search string, deptID *int, since string) ([]Volunteer, error) { q := `SELECT ` + volunteerSelect + ` ` + volunteerFrom + ` WHERE 1=1` var args []any if since != "" { @@ -913,20 +1245,15 @@ func (app *App) listVolunteers(search string, deptIDs []int, since string) ([]Vo q += ` AND v.deleted_at IS NULL` } if search != "" { - q += ` AND (p.preferred_name LIKE ? OR p.email LIKE ?)` + q += ` AND (v.name LIKE ? OR v.email LIKE ? OR p.preferred_name LIKE ? OR p.email LIKE ?)` s := "%" + search + "%" - args = append(args, s, s) + args = append(args, s, s, s, s) } - if len(deptIDs) == 1 { + if deptID != nil { q += ` AND v.department_id = ?` - args = append(args, deptIDs[0]) - } else if len(deptIDs) > 1 { - q += ` AND v.department_id IN (` + placeholders(len(deptIDs)) + `)` - for _, id := range deptIDs { - args = append(args, id) - } + args = append(args, *deptID) } - q += ` ORDER BY p.preferred_name` + q += ` ORDER BY COALESCE(NULLIF(p.preferred_name,''), v.name)` return queryVolunteers(app.db, q, args...) } @@ -939,11 +1266,30 @@ func (app *App) getVolunteer(id int) (*Volunteer, error) { return &rows[0], nil } +func (app *App) getVolunteerByAttendeeID(attendeeID int) (*Volunteer, error) { + rows, err := queryVolunteers(app.db, + `SELECT `+volunteerSelect+` `+volunteerFrom+` WHERE v.attendee_id = ? AND v.deleted_at IS NULL LIMIT 1`, attendeeID) + if err != nil || len(rows) == 0 { + return nil, err + } + return &rows[0], nil +} + +func (app *App) getVolunteerByParticipantID(participantID int) (*Volunteer, error) { + rows, err := queryVolunteers(app.db, + `SELECT `+volunteerSelect+` `+volunteerFrom+` WHERE v.participant_id = ? AND v.deleted_at IS NULL LIMIT 1`, participantID) + if err != nil || len(rows) == 0 { + return nil, err + } + return &rows[0], nil +} + func (app *App) createVolunteer(v Volunteer) (*Volunteer, error) { res, err := app.db.Exec( - `INSERT INTO volunteers (participant_id, department_id, is_lead, note, updated_at) - VALUES (?, ?, ?, ?, ?)`, - v.ParticipantID, v.DepartmentID, boolInt(v.IsLead), v.Note, now(), + `INSERT INTO volunteers (participant_id, attendee_id, name, preferred_name, email, phone, pronouns, department_id, is_lead, email_confirmed, confirmation_token, note, updated_at) + VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`, + v.ParticipantID, v.AttendeeID, v.Name, v.PreferredName, v.Email, v.Phone, v.Pronouns, + v.DepartmentID, boolInt(v.IsLead), boolInt(v.EmailConfirmed), v.ConfirmationToken, v.Note, now(), ) if err != nil { return nil, err @@ -954,8 +1300,9 @@ func (app *App) createVolunteer(v Volunteer) (*Volunteer, error) { func (app *App) updateVolunteer(v Volunteer) error { _, err := app.db.Exec( - `UPDATE volunteers SET department_id=?, is_lead=?, note=?, updated_at=? + `UPDATE volunteers SET participant_id=?, attendee_id=?, name=?, preferred_name=?, email=?, phone=?, pronouns=?, department_id=?, is_lead=?, note=?, updated_at=? WHERE id=? AND deleted_at IS NULL`, + v.ParticipantID, v.AttendeeID, v.Name, v.PreferredName, v.Email, v.Phone, v.Pronouns, v.DepartmentID, boolInt(v.IsLead), v.Note, now(), v.ID, ) return err @@ -968,6 +1315,8 @@ func (app *App) deleteVolunteer(id int) error { return err } +// markVolunteerReady marks the volunteer as ready and, if linked to an attendee, +// also increments the attendee's checked_in_count. func (app *App) markVolunteerReady(id, userID int) (*Volunteer, error) { t := now() _, err := app.db.Exec( @@ -978,7 +1327,14 @@ func (app *App) markVolunteerReady(id, userID int) (*Volunteer, error) { if err != nil { return nil, err } - return app.getVolunteer(id) + v, err := app.getVolunteer(id) + if err != nil || v == nil { + return v, err + } + if v.AttendeeID != nil { + app.checkInAttendee(*v.AttendeeID, userID, 1) + } + return v, nil } func (app *App) confirmVolunteer(id int) (*Volunteer, error) { @@ -1003,23 +1359,34 @@ func queryVolunteers(db *sql.DB, q string, args ...any) ([]Volunteer, error) { var result []Volunteer for rows.Next() { var v Volunteer - var deptID sql.NullInt64 + var participantID, attendeeID, deptID sql.NullInt64 var isLead, ready, confirmed, emailConfirmed int - var confirmedAt, kioskCode sql.NullString + var confirmationToken, confirmedAt, kioskCode sql.NullString if err := rows.Scan( - &v.ID, &v.ParticipantID, - &v.Name, &v.Email, &v.Phone, &v.Pronouns, - &deptID, &isLead, &ready, &v.ReadyAt, + &v.ID, &participantID, &attendeeID, &v.Name, &v.PreferredName, + &v.Email, &v.Phone, &v.Pronouns, &deptID, + &isLead, &ready, &v.ReadyAt, &confirmed, &confirmedAt, - &emailConfirmed, &kioskCode, &v.Note, + &emailConfirmed, &confirmationToken, &kioskCode, &v.Note, &v.CreatedAt, &v.UpdatedAt, &v.DeletedAt, ); err != nil { return nil, err } + if participantID.Valid { + id := int(participantID.Int64) + v.ParticipantID = &id + } + if attendeeID.Valid { + id := int(attendeeID.Int64) + v.AttendeeID = &id + } if deptID.Valid { id := int(deptID.Int64) v.DepartmentID = &id } + if confirmationToken.Valid { + v.ConfirmationToken = &confirmationToken.String + } if confirmedAt.Valid { v.ConfirmedAt = &confirmedAt.String } @@ -1037,7 +1404,7 @@ func queryVolunteers(db *sql.DB, q string, args ...any) ([]Volunteer, error) { func (app *App) getVolunteerByEmail(email string) (*Volunteer, error) { rows, err := queryVolunteers(app.db, - `SELECT `+volunteerSelect+` `+volunteerFrom+` WHERE LOWER(p.email) = LOWER(?) AND v.deleted_at IS NULL LIMIT 1`, email) + `SELECT `+volunteerSelect+` `+volunteerFrom+` WHERE LOWER(v.email) = LOWER(?) AND v.deleted_at IS NULL LIMIT 1`, email) if err != nil || len(rows) == 0 { return nil, err } @@ -1046,24 +1413,17 @@ func (app *App) getVolunteerByEmail(email string) (*Volunteer, error) { func (app *App) getVolunteerByConfirmationToken(token string) (*Volunteer, error) { rows, err := queryVolunteers(app.db, - `SELECT `+volunteerSelect+` `+volunteerFrom+` WHERE p.confirmation_token = ? AND v.deleted_at IS NULL LIMIT 1`, token) + `SELECT `+volunteerSelect+` `+volunteerFrom+` WHERE v.confirmation_token = ? AND v.deleted_at IS NULL LIMIT 1`, token) if err != nil || len(rows) == 0 { return nil, err } return &rows[0], nil } -func (app *App) confirmParticipantEmail(participantID int) error { +func (app *App) confirmVolunteerEmail(id int) error { _, err := app.db.Exec( - `UPDATE participants SET email_confirmed = 1, confirmation_token = NULL, updated_at = ? WHERE id = ?`, - now(), participantID) - return err -} - -func (app *App) setParticipantConfirmationToken(participantID int, token string) error { - _, err := app.db.Exec( - `UPDATE participants SET confirmation_token = ?, updated_at = ? WHERE id = ?`, - token, now(), participantID) + `UPDATE volunteers SET email_confirmed = 1, confirmation_token = NULL, updated_at = ? WHERE id = ?`, + now(), id) return err } @@ -1082,10 +1442,11 @@ func (app *App) assignKioskCode(id int, code string) error { return err } +// listVolunteersNeedingKioskCode returns email-confirmed volunteers without a kiosk code. func (app *App) listVolunteersNeedingKioskCode() ([]Volunteer, error) { return queryVolunteers(app.db, ` SELECT `+volunteerSelect+` `+volunteerFrom+` - WHERE p.email_confirmed = 1 AND v.kiosk_code IS NULL AND v.deleted_at IS NULL`) + WHERE v.email_confirmed = 1 AND v.kiosk_code IS NULL AND v.deleted_at IS NULL`) } func (app *App) generateVolunteerKioskCode() (string, error) { @@ -1115,7 +1476,7 @@ func generateConfirmationToken() (string, error) { // --- Shifts --- -func (app *App) listShifts(deptIDs []int, day, since string) ([]Shift, error) { +func (app *App) listShifts(deptID *int, day, since string) ([]Shift, error) { q := `SELECT ` + shiftCols + ` FROM shifts WHERE 1=1` var args []any if since != "" { @@ -1124,14 +1485,9 @@ func (app *App) listShifts(deptIDs []int, day, since string) ([]Shift, error) { } else { q += ` AND deleted_at IS NULL` } - if len(deptIDs) == 1 { + if deptID != nil { q += ` AND department_id = ?` - args = append(args, deptIDs[0]) - } else if len(deptIDs) > 1 { - q += ` AND department_id IN (` + placeholders(len(deptIDs)) + `)` - for _, id := range deptIDs { - args = append(args, id) - } + args = append(args, *deptID) } if day != "" { q += ` AND day = ?` @@ -1302,7 +1658,7 @@ var errShiftFull = fmt.Errorf("shift is full") func (app *App) unassignShift(volunteerID, shiftID int) error { _, err := app.db.Exec( - `UPDATE volunteer_shifts SET deleted_at=?, updated_at=? WHERE volunteer_id=? AND shift_id=?`, + `UPDATE volunteer_shifts SET deleted_at = ?, updated_at = ? WHERE volunteer_id=? AND shift_id=?`, now(), now(), volunteerID, shiftID, ) return err @@ -1355,27 +1711,6 @@ func (app *App) listOpenShiftsForDept(deptID int) ([]Shift, error) { ORDER BY s.day, s.position, s.start_time`, deptID) } -// --- SSO Nonces --- - -func (app *App) createSSONonce(nonce string) error { - _, err := app.db.Exec(`INSERT INTO sso_nonces (nonce) VALUES (?)`, nonce) - return err -} - -func (app *App) consumeSSONonce(nonce string) (bool, error) { - res, err := app.db.Exec( - `DELETE FROM sso_nonces WHERE nonce = ? AND created_at > datetime('now', '-10 minutes')`, nonce) - if err != nil { - return false, err - } - n, _ := res.RowsAffected() - return n > 0, nil -} - -func (app *App) cleanExpiredNonces() { - app.db.Exec(`DELETE FROM sso_nonces WHERE created_at < datetime('now', '-10 minutes')`) -} - // --- Helpers --- func now() string { @@ -1388,10 +1723,3 @@ func boolInt(b bool) int { } return 0 } - -func placeholders(n int) string { - if n <= 0 { - return "" - } - return strings.Repeat("?,", n-1) + "?" -} diff --git a/db_test.go b/db_test.go index 5755d08..0d453bb 100644 --- a/db_test.go +++ b/db_test.go @@ -7,7 +7,7 @@ import ( func TestMigrate(t *testing.T) { app := testApp(t) // Verify tables exist by querying each one - tables := []string{"event", "participants", "participant_roles", "departments", "volunteers", "shifts", "volunteer_shifts"} + tables := []string{"event", "users", "attendees", "departments", "volunteers", "shifts", "volunteer_shifts"} for _, table := range tables { var count int err := app.db.QueryRow("SELECT COUNT(*) FROM " + table).Scan(&count) @@ -17,6 +17,98 @@ func TestMigrate(t *testing.T) { } } +func TestAttendeesCRUD(t *testing.T) { + app := testApp(t) + + a, err := app.createAttendee(Attendee{Name: "Titania", Email: "titania@test.com", TicketType: "GA"}) + if err != nil { + t.Fatal(err) + } + if a.ID == 0 || a.Name != "Titania" { + t.Errorf("create: got %+v", a) + } + + got, err := app.getAttendee(a.ID) + if err != nil || got == nil { + t.Fatal("get: not found") + } + if got.Email != "titania@test.com" { + t.Errorf("get: email = %q", got.Email) + } + + got.Name = "Titania Fairweather" + if err := app.updateAttendee(*got); err != nil { + t.Fatal(err) + } + got2, _ := app.getAttendee(a.ID) + if got2.Name != "Titania Fairweather" { + t.Errorf("update: name = %q", got2.Name) + } + + if err := app.deleteAttendee(a.ID); err != nil { + t.Fatal(err) + } + // getAttendee returns soft-deleted records; listAttendees filters them + attendees, _ := app.listAttendees("", "", "") + for _, at := range attendees { + if at.ID == a.ID { + t.Error("delete: still visible in list") + } + } +} + +func TestIncrementPartySize(t *testing.T) { + app := testApp(t) + + app.createAttendee(Attendee{Name: "Oberon", TicketID: "ORD-100"}) + + merged, err := app.incrementPartySize("Oberon", "ORD-100") + if err != nil || !merged { + t.Fatalf("increment: merged=%v, err=%v", merged, err) + } + + a, _ := app.getAttendee(1) + if a.PartySize != 2 { + t.Errorf("party_size = %d, want 2", a.PartySize) + } + + // Different ticket_id should not merge + merged2, _ := app.incrementPartySize("Oberon", "ORD-200") + if merged2 { + t.Error("should not merge different ticket_id") + } +} + +func TestCheckInAttendee(t *testing.T) { + app := testApp(t) + admin := testAdminUser(t, app) + + app.createAttendee(Attendee{Name: "Puck"}) + // Set party_size directly since createAttendee defaults to 1 + app.db.Exec(`UPDATE attendees SET party_size = 3 WHERE id = 1`) + + // Check in 1 + a, err := app.checkInAttendee(1, admin.ID, 1) + if err != nil { + t.Fatal(err) + } + if a.CheckedInCount != 1 || !a.CheckedIn { + t.Errorf("after 1: count=%d, checked_in=%v", a.CheckedInCount, a.CheckedIn) + } + + // Check in 2 more (should cap at party_size=3) + a, _ = app.checkInAttendee(1, admin.ID, 5) + if a.CheckedInCount != 3 { + t.Errorf("after cap: count=%d, want 3", a.CheckedInCount) + } + + // Check in again — already full, should stay at 3 + a, _ = app.checkInAttendee(1, admin.ID, 1) + if a.CheckedInCount != 3 { + t.Errorf("after full: count=%d, want 3", a.CheckedInCount) + } +} + func TestGenerateToken(t *testing.T) { token, err := generateToken() if err != nil { @@ -105,8 +197,7 @@ func TestAssignAndUnassignShift(t *testing.T) { dept, _ := app.createDepartment(Department{Name: "Gate"}) deptID := dept.ID s, _ := app.createShift(Shift{DepartmentID: deptID, Name: "AM", Day: "2026-03-15", StartTime: "08:00", EndTime: "12:00", Capacity: 2}) - p, _ := app.createParticipant(Participant{PreferredName: "Helena", Email: "helena@test.com"}) - v, _ := app.createVolunteer(Volunteer{ParticipantID: p.ID, DepartmentID: &deptID}) + v, _ := app.createVolunteer(Volunteer{Name: "Helena", DepartmentID: &deptID}) if err := app.assignShift(v.ID, s.ID); err != nil { t.Fatal(err) @@ -130,8 +221,7 @@ func TestCheckShiftConflict(t *testing.T) { dept, _ := app.createDepartment(Department{Name: "Gate"}) deptID := dept.ID - p, _ := app.createParticipant(Participant{PreferredName: "Hermia", Email: "hermia@test.com"}) - v, _ := app.createVolunteer(Volunteer{ParticipantID: p.ID, DepartmentID: &deptID}) + v, _ := app.createVolunteer(Volunteer{Name: "Hermia", DepartmentID: &deptID}) s1, _ := app.createShift(Shift{DepartmentID: deptID, Name: "Morning", Day: "2026-03-15", StartTime: "08:00", EndTime: "12:00"}) s2, _ := app.createShift(Shift{DepartmentID: deptID, Name: "Overlap", Day: "2026-03-15", StartTime: "10:00", EndTime: "14:00"}) @@ -160,8 +250,7 @@ func TestCheckShiftConflictMidnight(t *testing.T) { dept, _ := app.createDepartment(Department{Name: "Sound"}) deptID := dept.ID - p, _ := app.createParticipant(Participant{PreferredName: "Lysander", Email: "lysander@test.com"}) - v, _ := app.createVolunteer(Volunteer{ParticipantID: p.ID, DepartmentID: &deptID}) + v, _ := app.createVolunteer(Volunteer{Name: "Lysander", DepartmentID: &deptID}) // Night shift: 22:00-02:00 (spans midnight) night, _ := app.createShift(Shift{DepartmentID: deptID, Name: "Night", Day: "2026-03-15", StartTime: "22:00", EndTime: "02:00"}) diff --git a/frontend/src/App.svelte b/frontend/src/App.svelte index ac0957e..7ad6bc9 100644 --- a/frontend/src/App.svelte +++ b/frontend/src/App.svelte @@ -1,6 +1,6 @@ {#if updateAvailable} @@ -129,9 +102,9 @@ {:else if isConfirmEmail} {:else if !session} - -{:else if roles.length === 1 && roles[0] === 'gatekeeper'} - + +{:else if role === 'gatekeeper'} + {:else}
@@ -148,10 +121,10 @@ Turnpike {#if path === '/' || path === ''} - {#if roles.length === 1 && roles[0] === 'colead'} + {#if role === 'colead'} {:else} - + {/if} {:else if path.startsWith('/participants')} diff --git a/frontend/src/api.js b/frontend/src/api.js index d15abc4..686faa8 100644 --- a/frontend/src/api.js +++ b/frontend/src/api.js @@ -1,4 +1,4 @@ -import { db, clearSession } from './db.js' +import { db } from './db.js' async function getToken() { const session = await db.session.get(1) @@ -17,7 +17,7 @@ export async function apiFetch(path, options = {}) { const res = await fetch(path, { ...options, headers }) if (res.status === 401) { - await clearSession() + await db.session.clear() window.location.pathname = '/login' throw new Error('unauthorized') } @@ -48,8 +48,8 @@ async function kioskFetch(path, options = {}) { } export const api = { - login: (email, password) => - apiJSON('/api/login', { method: 'POST', body: JSON.stringify({ email, password }) }), + login: (username, password) => + apiJSON('/api/login', { method: 'POST', body: JSON.stringify({ username, password }) }), logout: () => apiFetch('/api/logout', { method: 'POST' }), me: () => apiJSON('/api/me'), event: { @@ -118,10 +118,6 @@ export const api = { resetDepartments: () => apiJSON('/api/settings/reset-departments', { method: 'POST' }), resetVolunteerShifts: () => apiJSON('/api/settings/reset-volunteer-shifts', { method: 'POST' }), }, - sso: { - enabled: () => kioskFetch('/api/public/sso-enabled'), - init: () => kioskFetch('/api/sso/init'), - }, signup: { config: () => kioskFetch('/api/public/signup-config'), submit: (data) => kioskFetch('/api/public/signup', { method: 'POST', body: JSON.stringify(data) }), diff --git a/frontend/src/api.test.js b/frontend/src/api.test.js index a725f32..974dd32 100644 --- a/frontend/src/api.test.js +++ b/frontend/src/api.test.js @@ -64,11 +64,11 @@ describe('apiJSON', () => { describe('api methods', () => { it('login calls correct endpoint', async () => { const f = mockFetch({ token: 'tok', user: { id: 1 } }) - await api.login('admin@example.com', 'pass') + await api.login('admin', 'pass') const [url, opts] = f.mock.calls[0] expect(url).toBe('/api/login') expect(opts.method).toBe('POST') - expect(JSON.parse(opts.body)).toEqual({ email: 'admin@example.com', password: 'pass' }) + expect(JSON.parse(opts.body)).toEqual({ username: 'admin', password: 'pass' }) }) it('participants.list calls correct endpoint', async () => { diff --git a/frontend/src/app.css b/frontend/src/app.css index 3a685ae..0cd0ee8 100644 --- a/frontend/src/app.css +++ b/frontend/src/app.css @@ -66,9 +66,6 @@ a:hover { color: var(--c-accent-h); } /* Cards */ .card { background: var(--c-surface); border: 1px solid var(--c-border); border-radius: var(--radius-lg); padding: 1.25rem; } -.card + .card, .card + form, form + .card, form + form { margin-top: 1.5rem; } -.card-title { font-size: 0.95rem; font-weight: 700; margin-bottom: 1rem; } -.card-hint { font-size: 0.78rem; color: var(--c-muted); } /* Stats */ .stats { display: grid; grid-template-columns: repeat(auto-fill, minmax(160px, 1fr)); gap: 1rem; margin-bottom: 1.5rem; } @@ -106,15 +103,8 @@ input, select, textarea { width: 100%; font-family: var(--font); transition: border-color var(--transition); } -input[type="checkbox"] { width: auto; } -input[type="date"], input[type="time"], input[type="datetime-local"] { -webkit-appearance: none; appearance: none; min-height: 2.35rem; } input:focus, select:focus, textarea:focus { outline: none; border-color: var(--c-accent); } input::placeholder { color: var(--c-muted); } -.form-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1rem; } -.form-grid-3 { display: grid; grid-template-columns: 1fr 1fr auto; gap: 1rem; align-items: end; } -.form-grid .full { grid-column: 1 / -1; } -.checkbox-label { display: inline-flex; align-items: center; gap: 0.5rem; font-size: 0.875rem; cursor: pointer; } -.checkbox-label-sm { display: inline-flex; align-items: center; gap: 0.3rem; font-size: 0.82rem; cursor: pointer; color: var(--c-text); } /* Search */ .search-bar { display: flex; gap: 0.5rem; align-items: center; margin-bottom: 1rem; } @@ -139,7 +129,6 @@ tr:hover td { background: rgba(255,255,255,0.02); } font-size: 0.72rem; font-weight: 600; text-transform: uppercase; letter-spacing: 0.04em; } -* + .badge { margin-left: 0.3rem; } .badge-checked { background: rgba(34,197,94,0.15); color: var(--c-success); } .badge-confirmed { background: rgba(99,102,241,0.15); color: var(--c-accent-h); } .badge-registered { background: rgba(14,165,233,0.15); color: #0ea5e9; } @@ -245,7 +234,6 @@ tr:hover td { background: rgba(255,255,255,0.02); } td { display: inline; padding: 0; border: none; } td:empty { display: none; } - /* Forms — 16px prevents iOS auto-zoom on focus */ - input, select, textarea { font-size: 16px; } - .form-grid, .form-grid-3 { grid-template-columns: 1fr !important; } + /* Forms */ + .form-grid { grid-template-columns: 1fr !important; } } diff --git a/frontend/src/components/Nav.svelte b/frontend/src/components/Nav.svelte index 61015f5..545e171 100644 --- a/frontend/src/components/Nav.svelte +++ b/frontend/src/components/Nav.svelte @@ -3,18 +3,17 @@ let { session, active, onLogout, navigate, open = false } = $props() - const roles = $derived(session?.user?.roles ?? []) - function hasRole(...allowed) { return roles.some(r => allowed.includes(r)) } + const role = $derived(session?.user?.role ?? '') const iconProps = { size: 18, strokeWidth: 1.75 } const links = $derived.by(() => { - if (!hasRole('admin') && hasRole('colead') && !hasRole('staffing')) return [ + if (role === 'colead') return [ { href: '/', label: 'Schedule', icon: CalendarDays }, { href: '/volunteers', label: 'Volunteers', icon: Heart }, { href: '/departments', label: 'Departments', icon: Hexagon }, ] - if (!hasRole('admin') && hasRole('staffing')) return [ + if (role === 'staffing') return [ { href: '/', label: 'Dashboard', icon: LayoutDashboard }, { href: '/schedule', label: 'Schedule', icon: CalendarDays }, { href: '/volunteers', label: 'Volunteers', icon: Heart }, diff --git a/frontend/src/db.js b/frontend/src/db.js index bd3b490..a09f332 100644 --- a/frontend/src/db.js +++ b/frontend/src/db.js @@ -46,22 +46,6 @@ db.version(4).stores({ volunteers: 'id, name, department_id, checked_in, participant_id, deleted_at', }) -db.version(5).stores({ - volunteers: 'id, participant_id, department_id, deleted_at', - participants: 'id, email, preferred_name, email_confirmed, updated_at, deleted_at', -}) - -db.version(6).stores({}).upgrade(async tx => { - await tx.table('session').clear() - await tx.table('meta').clear() - await tx.table('participants').clear() - await tx.table('tickets').clear() - await tx.table('departments').clear() - await tx.table('volunteers').clear() - await tx.table('shifts').clear() - await tx.table('volunteer_shifts').clear() -}) - export async function getLastSync() { const m = await db.meta.get('last_sync') return m?.value ?? '' @@ -80,18 +64,6 @@ export async function saveSession(token, user) { } export async function clearSession() { - await db.transaction('rw', - [db.session, db.meta, db.event, db.participants, db.tickets, db.departments, db.volunteers, db.shifts, db.volunteer_shifts], - async () => { - await db.session.clear() - await db.meta.clear() - await db.event.clear() - await db.participants.clear() - await db.tickets.clear() - await db.departments.clear() - await db.volunteers.clear() - await db.shifts.clear() - await db.volunteer_shifts.clear() - } - ) + await db.session.clear() + await db.meta.clear() } diff --git a/frontend/src/db.test.js b/frontend/src/db.test.js index 081ce1a..282b6fc 100644 --- a/frontend/src/db.test.js +++ b/frontend/src/db.test.js @@ -22,10 +22,10 @@ describe('session', () => { }) it('saves and retrieves session', async () => { - await saveSession('tok123', { id: 1, email: 'admin@example.com', roles: ['admin'] }) + await saveSession('tok123', { id: 1, username: 'admin', role: 'admin' }) const s = await getSession() expect(s.token).toBe('tok123') - expect(s.user.email).toBe('admin@example.com') + expect(s.user.username).toBe('admin') }) it('clears session and meta', async () => { diff --git a/frontend/src/pages/Dashboard.svelte b/frontend/src/pages/Dashboard.svelte index 73800d6..e5a26de 100644 --- a/frontend/src/pages/Dashboard.svelte +++ b/frontend/src/pages/Dashboard.svelte @@ -2,14 +2,13 @@ import { liveQuery } from 'dexie' import { db } from '../db.js' - let { session, navigate } = $props() + let { session } = $props() - const roles = $derived(session?.user?.roles ?? []) - function hasRole(...allowed) { return roles.some(r => allowed.includes(r)) } + const role = $derived(session?.user?.role ?? '') const myDeptIDs = $derived(session?.user?.department_ids ?? []) - const isAdmin = $derived(hasRole('admin')) - const isStaffing = $derived(hasRole('admin', 'staffing')) - const isColead = $derived(hasRole('colead')) + const isTicketing = $derived(['admin', 'ticketing'].includes(role)) + const isStaffing = $derived(['admin', 'ticketing', 'staffing'].includes(role)) + const isColead = $derived(role === 'colead') const event = liveQuery(() => db.event.get(1)) const allTickets = liveQuery(() => db.tickets.toArray()) @@ -77,8 +76,8 @@

{/if} - - {#if isAdmin} + + {#if isTicketing}

Ticket Check-in

@@ -106,7 +105,7 @@ {/if} {/if} - + {#if isStaffing || isColead}

{isColead ? 'My Volunteers' : 'Volunteers'}

@@ -125,7 +124,7 @@
{/if} - + {#if isStaffing || isColead}

{isColead ? 'My Shifts' : 'Shift Coverage'}

@@ -145,22 +144,22 @@ {/if} - {#if isAdmin} + {#if isTicketing}
- { e.preventDefault(); navigate('/import') }}>Import CSV - { e.preventDefault(); navigate('/participants') }}>Manage Participants - { e.preventDefault(); navigate('/settings') }}>Settings + Import CSV + Manage Participants + Settings
{:else if isStaffing || isColead}
- { e.preventDefault(); navigate('/schedule') }}>View Schedule - { e.preventDefault(); navigate('/volunteers') }}>Manage Volunteers + View Schedule + Manage Volunteers
{/if}

- Welcome, {session?.user?.preferred_name} - · {#each roles as r}{r}{/each} + Welcome, {session?.user?.username} + · {session?.user?.role}

diff --git a/frontend/src/pages/Departments.svelte b/frontend/src/pages/Departments.svelte index 863c4a1..c2cf82b 100644 --- a/frontend/src/pages/Departments.svelte +++ b/frontend/src/pages/Departments.svelte @@ -18,10 +18,9 @@ let editDesc = $state('') let saving = $state(false) - const roles = $derived(session?.user?.roles ?? []) - function hasRole(...allowed) { return roles.some(r => allowed.includes(r)) } - const canCreate = $derived(hasRole('admin', 'staffing')) - const canDelete = $derived(hasRole('admin')) + const role = $derived(session?.user?.role ?? '') + const canCreate = $derived(['admin', 'ticketing', 'staffing'].includes(role)) + const canDelete = $derived(['admin', 'ticketing'].includes(role)) const allDepts = liveQuery(() => db.departments.filter(d => !d.deleted_at).toArray() @@ -101,7 +100,7 @@ {#if showAdd && canCreate}
-
+
@@ -112,7 +111,7 @@
- +
@@ -191,7 +190,6 @@
diff --git a/frontend/src/pages/Participants.svelte b/frontend/src/pages/Participants.svelte index 0be1485..2867958 100644 --- a/frontend/src/pages/Participants.svelte +++ b/frontend/src/pages/Participants.svelte @@ -19,7 +19,6 @@ let showAdd = $state(false) let adding = $state(false) let newName = $state('') - let newTicketedName = $state('') let newEmail = $state('') let newPhone = $state('') let newPronouns = $state('') @@ -28,7 +27,6 @@ // Edit participant let editId = $state(null) let editName = $state('') - let editTicketedName = $state('') let editEmail = $state('') let editPhone = $state('') let editPronouns = $state('') @@ -42,9 +40,8 @@ let newTicketType = $state('') let newTicketExtId = $state('') - const roles = $derived(session?.user?.roles ?? []) - function hasRole(...allowed) { return roles.some(r => allowed.includes(r)) } - const canManage = $derived(hasRole('admin')) + const role = $derived(session?.user?.role ?? '') + const canManage = $derived(['admin', 'ticketing'].includes(role)) const allParticipants = liveQuery(() => db.participants.toArray()) const allTickets = liveQuery(() => db.tickets.toArray()) @@ -153,12 +150,12 @@ adding = true; error = '' try { const p = await api.participants.create({ - preferred_name: newName, ticket_name: newTicketedName, email: newEmail, - phone: newPhone, pronouns: newPronouns, note: newNote, + preferred_name: newName, email: newEmail, phone: newPhone, + pronouns: newPronouns, note: newNote, }) await db.participants.put(p) showAdd = false - newName = newTicketedName = newEmail = newPhone = newPronouns = newNote = '' + newName = newEmail = newPhone = newPronouns = newNote = '' } catch (err) { error = err.message } finally { @@ -169,7 +166,6 @@ function startEdit(p) { editId = p.id editName = p.preferred_name - editTicketedName = p.ticket_name || '' editEmail = p.email editPhone = p.phone editPronouns = p.pronouns @@ -181,8 +177,8 @@ saving = true; error = '' try { const p = await api.participants.update(editId, { - preferred_name: editName, ticket_name: editTicketedName, email: editEmail, - phone: editPhone, pronouns: editPronouns, note: editNote, + preferred_name: editName, email: editEmail, phone: editPhone, + pronouns: editPronouns, note: editNote, }) await db.participants.put(p) editId = null @@ -248,15 +244,11 @@ {#if showAdd && canManage}
-
+
- +
-
- - -
@@ -331,7 +323,7 @@ - + @@ -351,7 +343,6 @@
- diff --git a/frontend/src/pages/ScheduleBoard.svelte b/frontend/src/pages/ScheduleBoard.svelte index 529264f..6755588 100644 --- a/frontend/src/pages/ScheduleBoard.svelte +++ b/frontend/src/pages/ScheduleBoard.svelte @@ -25,9 +25,8 @@ let assignVolID = $state(0) let assigning = $state(false) - const roles = $derived(session?.user?.roles ?? []) - function hasRole(...allowed) { return roles.some(r => allowed.includes(r)) } - const canManage = $derived(hasRole('admin', 'staffing', 'colead')) + const role = $derived(session?.user?.role ?? '') + const canManage = $derived(['admin', 'ticketing', 'staffing', 'colead'].includes(role)) const myDeptIDs = $derived(session?.user?.department_ids ?? []) const allDepts = liveQuery(() => @@ -55,7 +54,7 @@ // Departments visible to this user const visibleDepts = $derived.by(() => { const depts = $allDepts ?? [] - if (hasRole('colead') && !hasRole('admin', 'staffing')) return depts.filter(d => myDeptIDs.includes(d.id)) + if (role === 'colead') return depts.filter(d => myDeptIDs.includes(d.id)) return depts }) @@ -135,13 +134,11 @@ try { const res = await api.shifts.reorder(positions) - if (res && !res.ok) throw new Error('Reorder failed') - await db.transaction('rw', db.shifts, async () => { - for (const p of positions) { - const s = await db.shifts.get(p.id) - if (s) await db.shifts.put({ ...s, position: p.position }) - } - }) + if (res && !res.ok) throw new Error() + for (const p of positions) { + const s = await db.shifts.get(p.id) + if (s) await db.shifts.put({ ...s, position: p.position }) + } } catch (err) { error = err.message } @@ -275,7 +272,7 @@ {#if showAdd && canManage}
-
+
- - {#each ($allVolunteers ?? []) - .filter(v => v.department_id === shift.department_id) - .filter(v => !assigned.some(a => a.volunteer.id === v.id)) - as v} - - {/each} - - - - -
- {:else} - - {/if} + {#if assigningShiftID === shift.id} +
+ + + + +
+ {:else} + {/if} {/if}
diff --git a/frontend/src/pages/Settings.svelte b/frontend/src/pages/Settings.svelte index 9df6b81..2f6ee8e 100644 --- a/frontend/src/pages/Settings.svelte +++ b/frontend/src/pages/Settings.svelte @@ -7,7 +7,6 @@ let saving = $state(false) let savingEvent = $state(false) let testing = $state(false) - let resetting = $state(false) let error = $state('') let success = $state('') @@ -27,8 +26,6 @@ let eventEndDate = $state('') let eventTimezone = $state('') const timezones = Intl.supportedValuesOf('timeZone') - let discourseSSOUrl = $state('') - let discourseSSOSecret = $state('') let shiftSignupsOpen = $state(false) let togglingSignups = $state(false) @@ -52,8 +49,6 @@ baseURL = s.base_url ?? '' noteLabel = s.volunteer_note_label ?? 'Additional note' noteRequired = s.volunteer_note_required ?? false - discourseSSOUrl = s.discourse_sso_url ?? '' - discourseSSOSecret = '' shiftSignupsOpen = s.shift_signups_open ?? false } catch (err) { error = err.message @@ -94,17 +89,14 @@ smtp_host: smtpHost, smtp_port: smtpPort, smtp_user: smtpUser, - smtp_password: smtpPassword, + smtp_password: smtpPassword, // empty = keep existing smtp_from: smtpFrom, smtp_from_name: smtpFromName, base_url: baseURL, volunteer_note_label: noteLabel, volunteer_note_required: noteRequired, - discourse_sso_url: discourseSSOUrl, - discourse_sso_secret: discourseSSOSecret, }) smtpPassword = '' - discourseSSOSecret = '' success = 'Settings saved.' } catch (err) { error = err.message @@ -131,9 +123,7 @@ } async function resetModel(label, fn) { - if (resetting) return if (!confirm(`PERMANENTLY DELETE all ${label}? This cannot be undone.`)) return - resetting = true error = '' success = '' try { @@ -141,8 +131,6 @@ success = `Deleted ${result.deleted} ${label}.` } catch (err) { error = err.message - } finally { - resetting = false } } @@ -178,14 +166,14 @@
Loading…
{:else} -
-

Event

-
-
+
+

Event

+
+
-
+
@@ -197,7 +185,7 @@
-
+
@@ -216,11 +204,11 @@
-
-

SMTP Email

+
+

SMTP Email

-
-
+
+
@@ -248,27 +236,10 @@
- +
-

Discourse SSO

-

- Enable DiscourseConnect SSO so users can log in with their Discourse account. - Set the same secret in your Discourse admin under Connect > discourse connect secret. -

-
-
- - -
-
- - -
-
-
{#if !shiftSignupsOpen} -

+

Opening signups will email all confirmed volunteers their shift signup links.

{/if} @@ -332,24 +303,24 @@
-

Data Management

-

+

Data Management

+

Permanently delete all records of a given type. This cannot be undone.

- - - - -
diff --git a/frontend/src/pages/Users.svelte b/frontend/src/pages/Users.svelte index f49c8c6..ee6b18a 100644 --- a/frontend/src/pages/Users.svelte +++ b/frontend/src/pages/Users.svelte @@ -12,14 +12,13 @@ let showAdd = $state(false) let adding = $state(false) - let newEmail = $state('') - let newName = $state('') + let newUsername = $state('') let newPassword = $state('') - let newRoles = $state([]) + let newRole = $state('gate') let newDeptIDs = $state([]) let editID = $state(null) - let editRoles = $state([]) + let editRole = $state('') let editDeptIDs = $state([]) let editPassword = $state('') let saving = $state(false) @@ -29,7 +28,7 @@ .then(arr => arr.sort((a, b) => a.name.localeCompare(b.name))) ) - const availableRoles = ['admin', 'staffing', 'colead', 'gatekeeper'] + const roles = ['admin', 'ticketing', 'staffing', 'colead', 'gatekeeper'] const me = $derived(session?.user?.id) @@ -52,16 +51,15 @@ error = '' try { const u = await api.users.create({ - email: newEmail, - preferred_name: newName, + username: newUsername, password: newPassword, - roles: newRoles, + role: newRole, department_ids: newDeptIDs, }) users = [...users, u] showAdd = false - newEmail = newName = newPassword = '' - newRoles = [] + newUsername = newPassword = '' + newRole = 'gate' newDeptIDs = [] } catch (err) { error = err.message @@ -72,7 +70,7 @@ function startEdit(u) { editID = u.id - editRoles = [...(u.roles || [])] + editRole = u.role editDeptIDs = [...(u.department_ids || [])] editPassword = '' } @@ -85,7 +83,7 @@ saving = true error = '' try { - const payload = { roles: editRoles, department_ids: editDeptIDs } + const payload = { role: editRole, department_ids: editDeptIDs } if (editPassword) payload.password = editPassword const updated = await api.users.update(u.id, payload) users = users.map(x => x.id === u.id ? updated : x) @@ -98,7 +96,7 @@ } async function deleteUser(u) { - if (!confirm(`Remove login access for "${u.preferred_name || u.email}"? Their participant record will be kept.`)) return + if (!confirm(`Delete user "${u.username}"? This cannot be undone.`)) return try { await api.users.delete(u.id) users = users.filter(x => x.id !== u.id) @@ -107,7 +105,7 @@ } } - function toggleItem(id, list) { + function toggleDept(id, list) { const idx = list.indexOf(id) if (idx === -1) return [...list, id] return list.filter(x => x !== id) @@ -119,7 +117,7 @@ } function roleLabel(r) { - return { admin: 'Admin', staffing: 'Staffing', colead: 'Colead', gatekeeper: 'Gatekeeper' }[r] || r + return { admin: 'Admin', ticketing: 'Ticketing', staffing: 'Staffing', colead: 'Colead', gatekeeper: 'Gatekeeper' }[r] || r } @@ -134,6 +132,7 @@

Roles: admin — full access · + ticketing — participants, tickets, import · staffing — volunteers, shifts, departments · colead — manage assigned departments only · gatekeeper — check-in only @@ -149,31 +148,22 @@ {#if showAdd}

-
+
- - -
-
- - + +
-
-
- Roles -
- {#each availableRoles as r} - - {/each} +
+ +
{#if ($allDepts ?? []).length > 0} @@ -181,10 +171,10 @@ Departments
{#each $allDepts ?? [] as d} - @@ -214,8 +204,8 @@
Preferred NameName Email Tickets Status
- - + + @@ -224,27 +214,22 @@ {#each users as u (u.id)} {#if editID === u.id} - + - + diff --git a/frontend/src/pages/Volunteers.svelte b/frontend/src/pages/Volunteers.svelte index 8f5abe5..06f6aac 100644 --- a/frontend/src/pages/Volunteers.svelte +++ b/frontend/src/pages/Volunteers.svelte @@ -24,17 +24,15 @@ let editIsLead = $state(false) let editNote = $state('') let saving = $state(false) - let confirmingID = $state(null) - const roles = $derived(session?.user?.roles ?? []) - function hasRole(...allowed) { return roles.some(r => allowed.includes(r)) } - const canManage = $derived(hasRole('admin', 'staffing', 'colead')) - const canConfirm = $derived(hasRole('admin', 'staffing', 'colead')) + const role = $derived(session?.user?.role ?? '') + const canManage = $derived(['admin', 'ticketing', 'staffing', 'colead'].includes(role)) + const canConfirm = $derived(['admin', 'staffing', 'colead'].includes(role)) const myDeptIDs = $derived(session?.user?.department_ids ?? []) let deptInitialized = $state(false) $effect(() => { - if (!deptInitialized && hasRole('colead') && !hasRole('admin', 'staffing') && myDeptIDs.length > 0) { + if (!deptInitialized && role === 'colead' && myDeptIDs.length > 0) { filterDept = String(myDeptIDs[0]) deptInitialized = true } @@ -77,15 +75,11 @@ } async function confirmVolunteer(v) { - if (confirmingID) return - confirmingID = v.id try { const updated = await api.volunteers.confirm(v.id) await db.volunteers.put(updated) } catch (err) { error = err.message - } finally { - confirmingID = null } } @@ -186,7 +180,7 @@ {#if showAdd && canManage}
-
+
@@ -196,8 +190,8 @@
- - + +
@@ -214,8 +208,8 @@
-
@@ -261,7 +255,7 @@
Preferred NameRolesUsernameRole Departments
{u.preferred_name || u.email} {#if u.id === me}you{/if}{u.username} {#if u.id === me}you{/if} -
- {#each availableRoles as r} - +
{#if ($allDepts ?? []).length > 0}
{#each $allDepts ?? [] as d} - {/each} @@ -266,19 +251,18 @@ {:else}
- {u.preferred_name || u.email} + {u.username} {#if u.id === me} - you + you {/if} -
{u.email} 		{#each u.roles ?? [] as r}{roleLabel(r)}{/each}{roleLabel(u.role)} {deptNamesFor(u.department_ids || [])}
{#if u.id !== me} - + {/if}
- + @@ -286,8 +280,8 @@ {:else} - {@const participant = participantFor(v.participant_id)}
Preferred NameName Department Status - @@ -301,20 +295,16 @@
{v.name} {#if v.is_lead} - Co-Lead + Co-Lead {/if} {#if !v.participant_id} - No ticket + No ticket {:else if !participantHasTickets(v.participant_id)} - No ticket - {/if} - {#if participant?.ticket_name && participant.ticket_name !== v.name} -
Ticket: {participant.ticket_name}
+ No ticket {/if} {#if v.email}
{v.email}
@@ -354,7 +344,7 @@ {#if canManage} 		{#if canConfirm && v.email_confirmed && !v.confirmed} - + {/if} diff --git a/frontend/src/sync.js b/frontend/src/sync.js index ef22313..fa3b641 100644 --- a/frontend/src/sync.js +++ b/frontend/src/sync.js @@ -4,36 +4,10 @@ import { api } from './api.js' let syncing = false let sseSource = null -async function checkBuildChanged() { - try { - const res = await fetch('/api/version') - const { build } = await res.json() - if (!build) return - const stored = await db.meta.get('build') - if (!stored || stored.value !== build) { - await db.transaction('rw', - [db.meta, db.event, db.participants, db.tickets, db.departments, db.volunteers, db.shifts, db.volunteer_shifts], - async () => { - await db.meta.clear() - await db.event.clear() - await db.participants.clear() - await db.tickets.clear() - await db.departments.clear() - await db.volunteers.clear() - await db.shifts.clear() - await db.volunteer_shifts.clear() - await db.meta.put({ key: 'build', value: build }) - } - ) - } - } catch {} -} - export async function syncPull() { if (syncing) return syncing = true try { - await checkBuildChanged() const since = await getLastSync() const data = await api.sync.pull(since) @@ -77,7 +51,7 @@ export async function syncPull() { } ) - if (data.server_time) await setLastSync(data.server_time) + await setLastSync(data.server_time) return true } catch (err) { console.warn('Sync pull failed:', err.message) @@ -123,7 +97,7 @@ export function startSSE(onEvent) { syncPull() }, 5000) } - }).catch(() => {}) + }) } connect() @@ -134,23 +108,18 @@ export function stopSSE() { sseSource = null } +// Poll for sync when online, with exponential backoff on failure let syncInterval = null -let onlineHandler = null export function startSyncLoop(intervalMs = 30000) { if (syncInterval) return syncInterval = setInterval(() => { if (navigator.onLine) syncPull() }, intervalMs) - onlineHandler = () => syncPull() - window.addEventListener('online', onlineHandler) + window.addEventListener('online', () => syncPull()) } export function stopSyncLoop() { clearInterval(syncInterval) syncInterval = null - if (onlineHandler) { - window.removeEventListener('online', onlineHandler) - onlineHandler = null - } } diff --git a/handle_attendees_test.go b/handle_attendees_test.go index 7dd7ff8..c5e6adb 100644 --- a/handle_attendees_test.go +++ b/handle_attendees_test.go @@ -31,8 +31,8 @@ func TestParticipantsListCreateDelete(t *testing.T) { } list := parseJSON(t, w) participants := list["participants"].([]any) - if len(participants) != 2 { // admin + Titania - t.Errorf("list: got %d, want 2", len(participants)) + if len(participants) != 1 { + t.Errorf("list: got %d, want 1", len(participants)) } // Delete @@ -48,8 +48,8 @@ func TestParticipantsListCreateDelete(t *testing.T) { w = httptest.NewRecorder() mux.ServeHTTP(w, req) list = parseJSON(t, w) - if ps, ok := list["participants"].([]any); ok && len(ps) != 1 { // admin remains - t.Errorf("after delete: got %d, want 1", len(ps)) + if ps, ok := list["participants"].([]any); ok && len(ps) != 0 { + t.Errorf("after delete: got %d, want 0", len(ps)) } } @@ -77,7 +77,7 @@ func TestCheckInTicketHandler(t *testing.T) { func TestGatekeeperRoleCanCheckIn(t *testing.T) { app := testApp(t) - gate := testUserWithRoles(t, app, "Philostrate", []string{"gatekeeper"}, []int{}) + gate := testUserWithRole(t, app, "gateuser", "gatekeeper", []int{}) token := testToken(t, app, gate) mux := testMux(app) @@ -94,7 +94,7 @@ func TestGatekeeperRoleCanCheckIn(t *testing.T) { func TestGatekeeperRoleCannotDelete(t *testing.T) { app := testApp(t) - gate := testUserWithRoles(t, app, "Philostrate", []string{"gatekeeper"}, []int{}) + gate := testUserWithRole(t, app, "gateuser", "gatekeeper", []int{}) token := testToken(t, app, gate) mux := testMux(app) diff --git a/handle_auth.go b/handle_auth.go index d75483b..282bd85 100644 --- a/handle_auth.go +++ b/handle_auth.go @@ -7,7 +7,7 @@ import ( func (app *App) handleLogin(w http.ResponseWriter, r *http.Request) { var body struct { - Email string `json:"email"` + Username string `json:"username"` Password string `json:"password"` } if err := json.NewDecoder(r.Body).Decode(&body); err != nil { @@ -15,7 +15,7 @@ func (app *App) handleLogin(w http.ResponseWriter, r *http.Request) { return } - user, hash, err := app.getLoginParticipant(body.Email) + user, hash, err := app.getUserByUsername(body.Username) if err != nil { writeError(w, "internal error", http.StatusInternalServerError) return @@ -40,9 +40,9 @@ func (app *App) handleLogout(w http.ResponseWriter, r *http.Request) { func (app *App) handleMe(w http.ResponseWriter, r *http.Request) { claims := claimsFromContext(r) - user, err := app.getUser(claims.ParticipantID) + user, err := app.getUserByID(claims.UserID) if err != nil || user == nil { - writeError(w, "unauthorized", http.StatusUnauthorized) + writeError(w, "not found", http.StatusNotFound) return } writeJSON(w, user) diff --git a/handle_kiosk_test.go b/handle_kiosk_test.go index 2bac7cf..e385ad3 100644 --- a/handle_kiosk_test.go +++ b/handle_kiosk_test.go @@ -16,7 +16,7 @@ func setupKiosk(t *testing.T) (*App, *http.ServeMux, string) { // Create volunteer with a kiosk_code directly on the volunteer record p, _ := app.createParticipant(Participant{Email: "titania@test.com", PreferredName: "Titania"}) - v, _ := app.createVolunteer(Volunteer{ParticipantID: p.ID, DepartmentID: &deptID}) + v, _ := app.createVolunteer(Volunteer{Name: "Titania", ParticipantID: &p.ID, DepartmentID: &deptID}) token, _ := app.generateVolunteerKioskCode() app.assignKioskCode(v.ID, token) @@ -132,8 +132,7 @@ func TestKioskClaimFull(t *testing.T) { // Shift 2 has capacity 1. Fill it with another volunteer. dept, _ := app.createDepartment(Department{Name: "Build"}) deptID := dept.ID - otherP, _ := app.createParticipant(Participant{PreferredName: "Other", Email: "other@test.com"}) - other, _ := app.createVolunteer(Volunteer{ParticipantID: otherP.ID, DepartmentID: &deptID}) + other, _ := app.createVolunteer(Volunteer{Name: "Other", DepartmentID: &deptID}) app.assignShift(other.ID, 2) // fills the capacity-1 shift req := httptest.NewRequest("POST", "/api/v/"+token+"/shifts/2", nil) diff --git a/handle_participants.go b/handle_participants.go index 52624d5..6277824 100644 --- a/handle_participants.go +++ b/handle_participants.go @@ -169,7 +169,7 @@ func (app *App) handleCheckInTicket(w http.ResponseWriter, r *http.Request) { return } claims := claimsFromContext(r) - tk, err := app.checkInTicket(id, claims.ParticipantID) + tk, err := app.checkInTicket(id, claims.UserID) if err != nil { writeError(w, err.Error(), http.StatusInternalServerError) return diff --git a/handle_settings.go b/handle_settings.go index 5da8084..d4ed01c 100644 --- a/handle_settings.go +++ b/handle_settings.go @@ -27,14 +27,6 @@ func (app *App) handleGetSettings(w http.ResponseWriter, r *http.Request) { noteLabel = "Additional note" } - var ssoURL, ssoSecret string - app.db.QueryRow(`SELECT value FROM config WHERE key = 'discourse_sso_url'`).Scan(&ssoURL) - app.db.QueryRow(`SELECT value FROM config WHERE key = 'discourse_sso_secret'`).Scan(&ssoSecret) - maskedSSOSecret := "" - if ssoSecret != "" { - maskedSSOSecret = "***" - } - writeJSON(w, map[string]any{ "smtp_host": cfg.Host, "smtp_port": cfg.Port, @@ -46,8 +38,6 @@ func (app *App) handleGetSettings(w http.ResponseWriter, r *http.Request) { "volunteer_note_label": noteLabel, "volunteer_note_required": noteRequired == "true", "shift_signups_open": signupsOpen == "true", - "discourse_sso_url": ssoURL, - "discourse_sso_secret": maskedSSOSecret, }) } @@ -59,7 +49,7 @@ func (app *App) handleUpdateSettings(w http.ResponseWriter, r *http.Request) { } keys := []string{"smtp_host", "smtp_port", "smtp_user", "smtp_password", "smtp_from", "smtp_from_name", "base_url", - "volunteer_note_label", "volunteer_note_required", "discourse_sso_url", "discourse_sso_secret"} + "volunteer_note_label", "volunteer_note_required"} for _, k := range keys { v, ok := body[k] if !ok { @@ -68,7 +58,7 @@ func (app *App) handleUpdateSettings(w http.ResponseWriter, r *http.Request) { var val string switch vv := v.(type) { case string: - if (k == "smtp_password" || k == "discourse_sso_secret") && (vv == "" || vv == "***") { + if k == "smtp_password" && vv == "" { continue } val = vv diff --git a/handle_settings_test.go b/handle_settings_test.go index 16ef59f..cbc53fb 100644 --- a/handle_settings_test.go +++ b/handle_settings_test.go @@ -85,7 +85,7 @@ func TestResetTickets(t *testing.T) { func TestResetTicketsRequiresAdmin(t *testing.T) { app := testApp(t) - gate := testUserWithRoles(t, app, "Snug", []string{"gatekeeper"}, []int{}) + gate := testUserWithRole(t, app, "gate1", "gatekeeper", []int{}) token := testToken(t, app, gate) mux := testMux(app) @@ -131,7 +131,7 @@ func TestResetDepartmentsCascadesShifts(t *testing.T) { func TestSettingsNonAdminRejected(t *testing.T) { app := testApp(t) - gate := testUserWithRoles(t, app, "Quince", []string{"gatekeeper"}, []int{}) + gate := testUserWithRole(t, app, "gateuser", "gatekeeper", []int{}) token := testToken(t, app, gate) mux := testMux(app) diff --git a/handle_shifts.go b/handle_shifts.go index 9299916..a0ceb41 100644 --- a/handle_shifts.go +++ b/handle_shifts.go @@ -8,19 +8,20 @@ import ( func (app *App) handleListShifts(w http.ResponseWriter, r *http.Request) { q := r.URL.Query() - var deptIDs []int + var deptID *int if d := q.Get("dept"); d != "" { - if id, err := strconv.Atoi(d); err == nil { - deptIDs = []int{id} + id, err := strconv.Atoi(d) + if err == nil { + deptID = &id } } claims := claimsFromContext(r) - if isCoLeadOnly(claims) && len(deptIDs) == 0 { - deptIDs = claims.DeptIDs + if claims.Role == "colead" && deptID == nil && len(claims.DeptIDs) > 0 { + deptID = &claims.DeptIDs[0] } - shifts, err := app.listShifts(deptIDs, q.Get("day"), q.Get("since")) + shifts, err := app.listShifts(deptID, q.Get("day"), q.Get("since")) if err != nil { writeError(w, err.Error(), http.StatusInternalServerError) return @@ -39,7 +40,7 @@ func (app *App) handleCreateShift(w http.ResponseWriter, r *http.Request) { return } claims := claimsFromContext(r) - if isCoLeadOnly(claims) && !inSlice(s.DepartmentID, claims.DeptIDs) { + if claims.Role == "colead" && !inSlice(s.DepartmentID, claims.DeptIDs) { writeError(w, "forbidden: outside your department", http.StatusForbidden) return } @@ -64,7 +65,7 @@ func (app *App) handleUpdateShift(w http.ResponseWriter, r *http.Request) { return } claims := claimsFromContext(r) - if isCoLeadOnly(claims) { + if claims.Role == "colead" { existing, _ := app.getShift(id) if existing == nil || !inSlice(existing.DepartmentID, claims.DeptIDs) { writeError(w, "forbidden: outside your department", http.StatusForbidden) @@ -86,14 +87,6 @@ func (app *App) handleDeleteShift(w http.ResponseWriter, r *http.Request) { writeError(w, "invalid id", http.StatusBadRequest) return } - claims := claimsFromContext(r) - if isCoLeadOnly(claims) { - s, _ := app.getShift(id) - if s == nil || !inSlice(s.DepartmentID, claims.DeptIDs) { - writeError(w, "forbidden: outside your department", http.StatusForbidden) - return - } - } if err := app.deleteShift(id); err != nil { writeError(w, err.Error(), http.StatusInternalServerError) return @@ -118,14 +111,6 @@ func (app *App) handleAssignShiftVolunteer(w http.ResponseWriter, r *http.Reques writeError(w, "volunteer_id required", http.StatusBadRequest) return } - claims := claimsFromContext(r) - if isCoLeadOnly(claims) { - s, _ := app.getShift(shiftID) - if s == nil || !inSlice(s.DepartmentID, claims.DeptIDs) { - writeError(w, "forbidden: outside your department", http.StatusForbidden) - return - } - } if !body.Force { conflicts, err := app.checkShiftConflict(body.VolunteerID, shiftID) @@ -164,14 +149,6 @@ func (app *App) handleUnassignShiftVolunteer(w http.ResponseWriter, r *http.Requ writeError(w, "invalid volunteer id", http.StatusBadRequest) return } - claims := claimsFromContext(r) - if isCoLeadOnly(claims) { - s, _ := app.getShift(shiftID) - if s == nil || !inSlice(s.DepartmentID, claims.DeptIDs) { - writeError(w, "forbidden: outside your department", http.StatusForbidden) - return - } - } if err := app.unassignShift(volunteerID, shiftID); err != nil { writeError(w, err.Error(), http.StatusInternalServerError) return @@ -190,16 +167,6 @@ func (app *App) handleReorderShifts(w http.ResponseWriter, r *http.Request) { writeError(w, "array of {id, position} required", http.StatusBadRequest) return } - claims := claimsFromContext(r) - if isCoLeadOnly(claims) { - for _, p := range raw { - s, _ := app.getShift(p.ID) - if s == nil || !inSlice(s.DepartmentID, claims.DeptIDs) { - writeError(w, "forbidden: outside your department", http.StatusForbidden) - return - } - } - } positions := make([]struct{ ID, Position int }, len(raw)) for i, p := range raw { positions[i] = struct{ ID, Position int }{p.ID, p.Position} diff --git a/handle_shifts_test.go b/handle_shifts_test.go index 19c49bf..8c629b1 100644 --- a/handle_shifts_test.go +++ b/handle_shifts_test.go @@ -55,8 +55,7 @@ func TestShiftAssignVolunteer(t *testing.T) { dept, _ := app.createDepartment(Department{Name: "Gate"}) deptID := dept.ID app.createShift(Shift{DepartmentID: deptID, Name: "AM", Day: "2026-03-15", StartTime: "08:00", EndTime: "12:00"}) - p, _ := app.createParticipant(Participant{PreferredName: "Titania", Email: "titania@test.com"}) - app.createVolunteer(Volunteer{ParticipantID: p.ID, DepartmentID: &deptID}) + app.createVolunteer(Volunteer{Name: "Titania", DepartmentID: &deptID}) // Assign req := testAuthRequest("POST", "/api/shifts/1/volunteers", map[string]any{ @@ -87,8 +86,7 @@ func TestShiftAssignConflict(t *testing.T) { deptID := dept.ID app.createShift(Shift{DepartmentID: deptID, Name: "AM", Day: "2026-03-15", StartTime: "08:00", EndTime: "12:00"}) app.createShift(Shift{DepartmentID: deptID, Name: "Overlap", Day: "2026-03-15", StartTime: "10:00", EndTime: "14:00"}) - p, _ := app.createParticipant(Participant{PreferredName: "Titania", Email: "titania@test.com"}) - app.createVolunteer(Volunteer{ParticipantID: p.ID, DepartmentID: &deptID}) + app.createVolunteer(Volunteer{Name: "Titania", DepartmentID: &deptID}) // Assign to first shift app.assignShift(1, 1) @@ -104,86 +102,6 @@ func TestShiftAssignConflict(t *testing.T) { } } -func TestCoLeadDeleteShiftOtherDept(t *testing.T) { - app := testApp(t) - mux := testMux(app) - - deptA, _ := app.createDepartment(Department{Name: "Gate"}) - deptB, _ := app.createDepartment(Department{Name: "Build"}) - colead := testUserWithRoles(t, app, "Hermia", []string{"colead"}, []int{deptA.ID}) - tok := testToken(t, app, colead) - - s, _ := app.createShift(Shift{DepartmentID: deptB.ID, Name: "AM", Day: "2026-03-15", StartTime: "08:00", EndTime: "12:00"}) - - w := httptest.NewRecorder() - mux.ServeHTTP(w, testAuthRequest("DELETE", "/api/shifts/"+itoa(s.ID), nil, tok)) - if w.Code != http.StatusForbidden { - t.Errorf("expected 403 for other dept, got %d", w.Code) - } -} - -func TestCoLeadDeleteShiftOwnDept(t *testing.T) { - app := testApp(t) - mux := testMux(app) - - deptA, _ := app.createDepartment(Department{Name: "Gate"}) - colead := testUserWithRoles(t, app, "Hermia", []string{"colead"}, []int{deptA.ID}) - tok := testToken(t, app, colead) - - s, _ := app.createShift(Shift{DepartmentID: deptA.ID, Name: "AM", Day: "2026-03-15", StartTime: "08:00", EndTime: "12:00"}) - - w := httptest.NewRecorder() - mux.ServeHTTP(w, testAuthRequest("DELETE", "/api/shifts/"+itoa(s.ID), nil, tok)) - if w.Code != http.StatusNoContent { - t.Errorf("expected 204 for own dept, got %d: %s", w.Code, w.Body.String()) - } -} - -func TestCoLeadAssignShiftVolunteerOtherDept(t *testing.T) { - app := testApp(t) - mux := testMux(app) - - deptA, _ := app.createDepartment(Department{Name: "Gate"}) - deptB, _ := app.createDepartment(Department{Name: "Build"}) - colead := testUserWithRoles(t, app, "Hermia", []string{"colead"}, []int{deptA.ID}) - tok := testToken(t, app, colead) - - s, _ := app.createShift(Shift{DepartmentID: deptB.ID, Name: "AM", Day: "2026-03-15", StartTime: "08:00", EndTime: "12:00"}) - deptBID := deptB.ID - p, _ := app.createParticipant(Participant{PreferredName: "Puck", Email: "puck@test.com"}) - v, _ := app.createVolunteer(Volunteer{ParticipantID: p.ID, DepartmentID: &deptBID}) - - w := httptest.NewRecorder() - mux.ServeHTTP(w, testAuthRequest("POST", "/api/shifts/"+itoa(s.ID)+"/volunteers", map[string]any{ - "volunteer_id": v.ID, - }, tok)) - if w.Code != http.StatusForbidden { - t.Errorf("expected 403 for other dept, got %d", w.Code) - } -} - -func TestCoLeadReorderShiftsOtherDept(t *testing.T) { - app := testApp(t) - mux := testMux(app) - - deptA, _ := app.createDepartment(Department{Name: "Gate"}) - deptB, _ := app.createDepartment(Department{Name: "Build"}) - colead := testUserWithRoles(t, app, "Hermia", []string{"colead"}, []int{deptA.ID}) - tok := testToken(t, app, colead) - - s1, _ := app.createShift(Shift{DepartmentID: deptB.ID, Name: "A", Day: "2026-03-15", StartTime: "08:00", EndTime: "12:00"}) - s2, _ := app.createShift(Shift{DepartmentID: deptB.ID, Name: "B", Day: "2026-03-15", StartTime: "12:00", EndTime: "16:00"}) - - w := httptest.NewRecorder() - mux.ServeHTTP(w, testAuthRequest("POST", "/api/shifts/reorder", []map[string]int{ - {"id": s1.ID, "position": 2}, - {"id": s2.ID, "position": 1}, - }, tok)) - if w.Code != http.StatusForbidden { - t.Errorf("expected 403 for other dept reorder, got %d", w.Code) - } -} - func TestShiftReorder(t *testing.T) { app := testApp(t) admin := testAdminUser(t, app) diff --git a/handle_signup.go b/handle_signup.go index 1f0fe2e..77a7c63 100644 --- a/handle_signup.go +++ b/handle_signup.go @@ -89,12 +89,17 @@ func (app *App) handlePublicSignup(w http.ResponseWriter, r *http.Request) { writeError(w, "internal error", http.StatusInternalServerError) return } - app.setParticipantConfirmationToken(participant.ID, confirmToken) vol := Volunteer{ - ParticipantID: participant.ID, - DepartmentID: body.DepartmentID, - Note: body.Note, + ParticipantID: &participant.ID, + Name: body.PreferredName, + PreferredName: body.PreferredName, + Email: body.Email, + Phone: body.Phone, + Pronouns: body.Pronouns, + DepartmentID: body.DepartmentID, + Note: body.Note, + ConfirmationToken: &confirmToken, } if _, err := app.createVolunteer(vol); err != nil { @@ -131,7 +136,7 @@ func (app *App) handleConfirmEmail(w http.ResponseWriter, r *http.Request) { return } - if err := app.confirmParticipantEmail(vol.ParticipantID); err != nil { + if err := app.confirmVolunteerEmail(vol.ID); err != nil { writeError(w, "internal error", http.StatusInternalServerError) return } @@ -148,7 +153,7 @@ func (app *App) handleConfirmEmail(w http.ResponseWriter, r *http.Request) { kioskLink := fmt.Sprintf("%s/v/%s", app.resolveBaseURL(), code) response["kiosk_link"] = kioskLink go func() { - if err := app.sendShiftSignupEmail(vol.Email, vol.Name, kioskLink); err != nil { + if err := app.sendShiftSignupEmail(vol.Email, vol.PreferredName, kioskLink); err != nil { log.Printf("shift signup email to %s failed: %v", vol.Email, err) } }() @@ -193,7 +198,7 @@ func (app *App) openShiftSignups() { // Email all email-confirmed volunteers that now have a kiosk code. confirmed, _ := queryVolunteers(app.db, ` SELECT `+volunteerSelect+` `+volunteerFrom+` - WHERE p.email_confirmed = 1 AND v.kiosk_code IS NOT NULL AND v.deleted_at IS NULL`) + WHERE v.email_confirmed = 1 AND v.kiosk_code IS NOT NULL AND v.deleted_at IS NULL`) baseURL := app.resolveBaseURL() sent := 0 @@ -202,7 +207,11 @@ func (app *App) openShiftSignups() { continue } kioskLink := fmt.Sprintf("%s/v/%s", baseURL, *v.KioskCode) - if err := app.sendShiftSignupEmail(v.Email, v.Name, kioskLink); err == nil { + name := v.PreferredName + if name == "" { + name = v.Name + } + if err := app.sendShiftSignupEmail(v.Email, name, kioskLink); err == nil { sent++ } else { log.Printf("shift signup email to %s failed: %v", v.Email, err) diff --git a/handle_signup_test.go b/handle_signup_test.go index 62f59d1..2b63c16 100644 --- a/handle_signup_test.go +++ b/handle_signup_test.go @@ -58,27 +58,27 @@ func TestPublicSignup(t *testing.T) { if err != nil || vol == nil { t.Fatal("volunteer not created") } - if vol.Name != "Titania" { - t.Errorf("name = %q, want Titania", vol.Name) + if vol.PreferredName != "Titania" { + t.Errorf("preferred_name = %q, want Titania", vol.PreferredName) } if vol.Pronouns != "she/they" { t.Errorf("pronouns = %q, want she/they", vol.Pronouns) } + if vol.ConfirmationToken == nil || *vol.ConfirmationToken == "" { + t.Error("expected confirmation token to be set") + } if vol.EmailConfirmed { t.Error("should not be confirmed yet") } // Participant should be auto-created and linked - if vol.ParticipantID == 0 { + if vol.ParticipantID == nil { t.Fatal("expected participant to be linked") } - p, _ := app.getParticipant(vol.ParticipantID) + p, _ := app.getParticipant(*vol.ParticipantID) if p == nil { t.Fatal("linked participant not found") } - if p.ConfirmationToken == nil || *p.ConfirmationToken == "" { - t.Error("expected confirmation token on participant") - } if p.Email != "titania@example.com" { t.Errorf("participant email = %q, want titania@example.com", p.Email) } @@ -105,8 +105,8 @@ func TestPublicSignupAutoMatchParticipant(t *testing.T) { if vol == nil { t.Fatal("volunteer not created") } - if vol.ParticipantID == 0 || vol.ParticipantID != existing.ID { - t.Errorf("expected volunteer linked to existing participant %d, got %d", existing.ID, vol.ParticipantID) + if vol.ParticipantID == nil || *vol.ParticipantID != existing.ID { + t.Errorf("expected volunteer linked to existing participant %d, got %v", existing.ID, vol.ParticipantID) } } @@ -200,8 +200,12 @@ func TestConfirmEmail(t *testing.T) { mux := testMux(app) token := "abc123def456" - p, _ := app.createParticipant(Participant{PreferredName: "Titania", Email: "titania@example.com", ConfirmationToken: &token}) - app.createVolunteer(Volunteer{ParticipantID: p.ID}) + app.createVolunteer(Volunteer{ + Name: "Titania", + PreferredName: "Titania", + Email: "titania@example.com", + ConfirmationToken: &token, + }) w := httptest.NewRecorder() mux.ServeHTTP(w, testRequest("POST", "/api/public/confirm", map[string]any{"token": token})) @@ -213,13 +217,12 @@ func TestConfirmEmail(t *testing.T) { t.Errorf("expected confirmed, got %v", result["status"]) } - // Verify participant is email confirmed + // Verify volunteer is confirmed vol, _ := app.getVolunteerByEmail("titania@example.com") if vol == nil || !vol.EmailConfirmed { - t.Error("volunteer should show email confirmed via participant") + t.Error("volunteer should be email confirmed") } - updatedP, _ := app.getParticipant(p.ID) - if updatedP.ConfirmationToken != nil { + if vol.ConfirmationToken != nil { t.Error("confirmation token should be cleared after confirmation") } } @@ -244,8 +247,12 @@ func TestConfirmEmailAlreadyConfirmed(t *testing.T) { mux := testMux(app) token := "abc123def456" - p, _ := app.createParticipant(Participant{PreferredName: "Titania", Email: "titania@example.com", ConfirmationToken: &token}) - app.createVolunteer(Volunteer{ParticipantID: p.ID}) + app.createVolunteer(Volunteer{ + Name: "Titania", + PreferredName: "Titania", + Email: "titania@example.com", + ConfirmationToken: &token, + }) // Confirm first time w := httptest.NewRecorder() @@ -270,9 +277,15 @@ func TestConfirmEmailWithSignupsOpen(t *testing.T) { app.db.Exec(`INSERT OR REPLACE INTO config (key, value) VALUES ('shift_signups_open', 'true')`) app.baseURL = "https://example.com" + participant, _ := app.createParticipant(Participant{PreferredName: "Titania", Email: "titania@example.com"}) token := "abc123def456" - participant, _ := app.createParticipant(Participant{PreferredName: "Titania", Email: "titania@example.com", ConfirmationToken: &token}) - app.createVolunteer(Volunteer{ParticipantID: participant.ID}) + app.createVolunteer(Volunteer{ + Name: "Titania", + PreferredName: "Titania", + Email: "titania@example.com", + ParticipantID: &participant.ID, + ConfirmationToken: &token, + }) w := httptest.NewRecorder() mux.ServeHTTP(w, testRequest("POST", "/api/public/confirm", map[string]any{"token": token})) @@ -314,10 +327,10 @@ func TestPublicSignupTicketNameDoesNotOverwritePreferredName(t *testing.T) { } vol, _ := app.getVolunteerByEmail("titania@example.com") - if vol == nil || vol.ParticipantID == 0 { + if vol == nil || vol.ParticipantID == nil { t.Fatal("volunteer/participant not created") } - p, _ := app.getParticipant(vol.ParticipantID) + p, _ := app.getParticipant(*vol.ParticipantID) if p == nil { t.Fatal("participant not found") } @@ -336,9 +349,15 @@ func TestConfirmEmailAssignsKioskCode(t *testing.T) { app.db.Exec(`INSERT OR REPLACE INTO config (key, value) VALUES ('shift_signups_open', 'true')`) app.baseURL = "https://example.com" + participant, _ := app.createParticipant(Participant{PreferredName: "Titania", TicketName: "Titania Fairweather", Email: "titania@example.com"}) token := "abc123def456" - participant, _ := app.createParticipant(Participant{PreferredName: "Titania", TicketName: "Titania Fairweather", Email: "titania@example.com", ConfirmationToken: &token}) - app.createVolunteer(Volunteer{ParticipantID: participant.ID}) + app.createVolunteer(Volunteer{ + Name: "Titania", + PreferredName: "Titania", + Email: "titania@example.com", + ParticipantID: &participant.ID, + ConfirmationToken: &token, + }) w := httptest.NewRecorder() mux.ServeHTTP(w, testRequest("POST", "/api/public/confirm", map[string]any{"token": token})) diff --git a/handle_sso.go b/handle_sso.go deleted file mode 100644 index e97c887..0000000 --- a/handle_sso.go +++ /dev/null @@ -1,190 +0,0 @@ -package main - -import ( - "crypto/hmac" - "crypto/rand" - "crypto/sha256" - "encoding/base64" - "encoding/hex" - "fmt" - "net/http" - "net/url" - "strings" -) - -func (app *App) getSSOConfig() (ssoURL, ssoSecret string) { - app.db.QueryRow(`SELECT value FROM config WHERE key = 'discourse_sso_url'`).Scan(&ssoURL) - app.db.QueryRow(`SELECT value FROM config WHERE key = 'discourse_sso_secret'`).Scan(&ssoSecret) - return -} - -func (app *App) handleSSOEnabled(w http.ResponseWriter, r *http.Request) { - ssoURL, ssoSecret := app.getSSOConfig() - writeJSON(w, map[string]bool{"enabled": ssoURL != "" && ssoSecret != ""}) -} - -func (app *App) getBaseURL() string { - if app.baseURL != "" { - return app.baseURL - } - var u string - app.db.QueryRow(`SELECT value FROM config WHERE key = 'base_url'`).Scan(&u) - return u -} - -func (app *App) handleSSOInit(w http.ResponseWriter, r *http.Request) { - ssoURL, ssoSecret := app.getSSOConfig() - if ssoURL == "" || ssoSecret == "" { - writeError(w, "SSO not configured", http.StatusNotFound) - return - } - - baseURL := app.getBaseURL() - if baseURL == "" { - writeError(w, "base_url must be configured for SSO", http.StatusBadRequest) - return - } - - b := make([]byte, 32) - rand.Read(b) - nonce := hex.EncodeToString(b) - - app.cleanExpiredNonces() - if err := app.createSSONonce(nonce); err != nil { - writeError(w, "internal error", http.StatusInternalServerError) - return - } - - returnURL := strings.TrimRight(baseURL, "/") + "/api/sso/callback" - - payload := fmt.Sprintf("nonce=%s&return_sso_url=%s", url.QueryEscape(nonce), url.QueryEscape(returnURL)) - encoded := base64.StdEncoding.EncodeToString([]byte(payload)) - - mac := hmac.New(sha256.New, []byte(ssoSecret)) - mac.Write([]byte(encoded)) - sig := hex.EncodeToString(mac.Sum(nil)) - - redirect := fmt.Sprintf("%s/session/sso_provider?sso=%s&sig=%s", - strings.TrimRight(ssoURL, "/"), url.QueryEscape(encoded), url.QueryEscape(sig)) - - writeJSON(w, map[string]string{"redirect_url": redirect}) -} - -func (app *App) handleSSOCallback(w http.ResponseWriter, r *http.Request) { - baseURL := app.getBaseURL() - - ssoRedirectError := func(msg string) { - if baseURL != "" { - http.Redirect(w, r, strings.TrimRight(baseURL, "/")+"/#sso_error="+url.QueryEscape(msg), http.StatusFound) - } else { - writeError(w, msg, http.StatusBadRequest) - } - } - - _, ssoSecret := app.getSSOConfig() - if ssoSecret == "" { - ssoRedirectError("SSO not configured") - return - } - - ssoParam := r.URL.Query().Get("sso") - sigParam := r.URL.Query().Get("sig") - if ssoParam == "" || sigParam == "" { - ssoRedirectError("Invalid SSO response") - return - } - - mac := hmac.New(sha256.New, []byte(ssoSecret)) - mac.Write([]byte(ssoParam)) - expectedSig := hex.EncodeToString(mac.Sum(nil)) - if !hmac.Equal([]byte(expectedSig), []byte(sigParam)) { - ssoRedirectError("Invalid SSO signature") - return - } - - decoded, err := base64.StdEncoding.DecodeString(ssoParam) - if err != nil { - ssoRedirectError("Invalid SSO payload") - return - } - - vals, err := url.ParseQuery(string(decoded)) - if err != nil { - ssoRedirectError("Invalid SSO payload") - return - } - - nonce := vals.Get("nonce") - valid, err := app.consumeSSONonce(nonce) - if err != nil || !valid { - ssoRedirectError("SSO session expired. Please try again.") - return - } - - email := strings.ToLower(vals.Get("email")) - if email == "" { - ssoRedirectError("No email in SSO response") - return - } - - name := vals.Get("name") - if name == "" { - name = vals.Get("username") - } - - user, _, err := app.getLoginParticipant(email) - if err != nil { - ssoRedirectError("Login failed. Please try again.") - return - } - - if user == nil { - p, err := app.getParticipantByEmail(email) - if err != nil { - ssoRedirectError("Login failed. Please try again.") - return - } - if p != nil { - if _, err := app.db.Exec( - `UPDATE participants SET login_enabled = 1, updated_at = ? WHERE id = ?`, - now(), p.ID, - ); err != nil { - ssoRedirectError("Login failed. Please try again.") - return - } - user, err = app.getUser(p.ID) - if err != nil { - ssoRedirectError("Login failed. Please try again.") - return - } - } - } - - if user == nil { - if name == "" { - name = strings.Split(email, "@")[0] - } - res, err := app.db.Exec( - `INSERT INTO participants (email, preferred_name, login_enabled, updated_at) VALUES (?, ?, 1, ?)`, - email, name, now(), - ) - if err != nil { - ssoRedirectError("Login failed. Please try again.") - return - } - id, _ := res.LastInsertId() - user, err = app.getUser(int(id)) - if err != nil || user == nil { - ssoRedirectError("Login failed. Please try again.") - return - } - } - - token, err := app.signToken(user) - if err != nil { - ssoRedirectError("Login failed. Please try again.") - return - } - - http.Redirect(w, r, strings.TrimRight(baseURL, "/")+"/#sso_token="+url.QueryEscape(token), http.StatusFound) -} diff --git a/handle_sync_test.go b/handle_sync_test.go index 000bc60..e4aa2af 100644 --- a/handle_sync_test.go +++ b/handle_sync_test.go @@ -13,10 +13,10 @@ func TestSyncPullFull(t *testing.T) { token := testToken(t, app, admin) mux := testMux(app) - p, _ := app.createParticipant(Participant{PreferredName: "Titania", Email: "titania@example.com"}) + app.createParticipant(Participant{PreferredName: "Titania", Email: "titania@example.com"}) dept, _ := app.createDepartment(Department{Name: "Gate"}) deptID := dept.ID - app.createVolunteer(Volunteer{Name: "Titania", ParticipantID: p.ID, DepartmentID: &deptID}) + app.createVolunteer(Volunteer{Name: "Titania", DepartmentID: &deptID}) app.createShift(Shift{DepartmentID: deptID, Name: "AM", Day: "2026-03-15", StartTime: "08:00", EndTime: "12:00"}) req := testAuthRequest("GET", "/api/sync/pull", nil, token) @@ -32,8 +32,8 @@ func TestSyncPullFull(t *testing.T) { t.Error("missing server_time") } participants := result["participants"].([]any) - if len(participants) != 2 { // admin + Titania - t.Errorf("participants = %d, want 2", len(participants)) + if len(participants) != 1 { + t.Errorf("participants = %d, want 1", len(participants)) } depts := result["departments"].([]any) if len(depts) != 1 { @@ -47,16 +47,14 @@ func TestSyncPullIncremental(t *testing.T) { token := testToken(t, app, admin) mux := testMux(app) - // Backdate admin participant so it falls before the "since" cutoff. - app.db.Exec(`UPDATE participants SET updated_at = '2026-01-01T00:00:00Z' WHERE id = ?`, admin.ID) - p1, _ := app.createParticipant(Participant{PreferredName: "Titania", Email: "titania@example.com"}) + // Backdate Titania so she falls before the "since" cutoff app.db.Exec(`UPDATE participants SET updated_at = '2026-01-01T00:00:00Z' WHERE id = ?`, p1.ID) since := "2026-01-01T12:00:00Z" - // Lysander created with default updated_at (now), which is after our since - app.createParticipant(Participant{PreferredName: "Lysander", Email: "lysander@example.com"}) + // Oberon created with default updated_at (now), which is after our since + app.createParticipant(Participant{PreferredName: "Oberon", Email: "oberon@example.com"}) req := testAuthRequest("GET", "/api/sync/pull?since="+since, nil, token) w := httptest.NewRecorder() @@ -64,13 +62,14 @@ func TestSyncPullIncremental(t *testing.T) { result := parseJSON(t, w) participants := result["participants"].([]any) + // Should only include Oberon (created after `since`) if len(participants) != 1 { t.Errorf("incremental: got %d participants, want 1", len(participants)) } if len(participants) == 1 { p := participants[0].(map[string]any) - if p["preferred_name"] != "Lysander" { - t.Errorf("preferred_name = %v, want Lysander", p["preferred_name"]) + if p["preferred_name"] != "Oberon" { + t.Errorf("preferred_name = %v, want Oberon", p["preferred_name"]) } } } @@ -81,10 +80,8 @@ func TestSyncPullIncludesSoftDeleted(t *testing.T) { token := testToken(t, app, admin) mux := testMux(app) - // Backdate admin participant. - app.db.Exec(`UPDATE participants SET updated_at = '2026-01-01T00:00:00Z' WHERE id = ?`, admin.ID) - p, _ := app.createParticipant(Participant{PreferredName: "Titania", Email: "titania@example.com"}) + // Backdate Titania's creation so the since cutoff is between creation and deletion app.db.Exec(`UPDATE participants SET updated_at = '2026-01-01T00:00:00Z' WHERE id = ?`, p.ID) since := "2026-01-01T12:00:00Z" diff --git a/handle_users.go b/handle_users.go index 4de6109..386e5b0 100644 --- a/handle_users.go +++ b/handle_users.go @@ -17,18 +17,17 @@ func (app *App) handleListUsers(w http.ResponseWriter, r *http.Request) { func (app *App) handleCreateUser(w http.ResponseWriter, r *http.Request) { var body struct { - Email string `json:"email"` - PreferredName string `json:"preferred_name"` - Password string `json:"password"` - Roles []string `json:"roles"` - DepartmentIDs []int `json:"department_ids"` + Username string `json:"username"` + Password string `json:"password"` + Role string `json:"role"` + DepartmentIDs []int `json:"department_ids"` } if err := json.NewDecoder(r.Body).Decode(&body); err != nil { writeError(w, "invalid request", http.StatusBadRequest) return } - if body.Email == "" || body.Password == "" || len(body.Roles) == 0 { - writeError(w, "email, password, and at least one role are required", http.StatusBadRequest) + if body.Username == "" || body.Password == "" || body.Role == "" { + writeError(w, "username, password, and role are required", http.StatusBadRequest) return } hash, err := hashPassword(body.Password) @@ -39,7 +38,7 @@ func (app *App) handleCreateUser(w http.ResponseWriter, r *http.Request) { if body.DepartmentIDs == nil { body.DepartmentIDs = []int{} } - user, err := app.createUser(body.Email, body.PreferredName, hash, body.Roles, body.DepartmentIDs) + user, err := app.createUser(body.Username, hash, body.Role, body.DepartmentIDs) if err != nil { writeError(w, err.Error(), http.StatusInternalServerError) return @@ -54,15 +53,10 @@ func (app *App) handleUpdateUser(w http.ResponseWriter, r *http.Request) { writeError(w, "invalid id", http.StatusBadRequest) return } - target, _ := app.getUser(id) - if target == nil { - writeError(w, "not found", http.StatusNotFound) - return - } var body struct { - Roles []string `json:"roles"` - Password string `json:"password"` - DepartmentIDs []int `json:"department_ids"` + Role string `json:"role"` + Password string `json:"password"` + DepartmentIDs []int `json:"department_ids"` } if err := json.NewDecoder(r.Body).Decode(&body); err != nil { writeError(w, "invalid request", http.StatusBadRequest) @@ -71,8 +65,8 @@ func (app *App) handleUpdateUser(w http.ResponseWriter, r *http.Request) { if body.DepartmentIDs == nil { body.DepartmentIDs = []int{} } - if body.Roles != nil { - if err := app.updateUserRoles(id, body.Roles, body.DepartmentIDs); err != nil { + if body.Role != "" { + if err := app.updateUser(id, body.Role, body.DepartmentIDs); err != nil { writeError(w, err.Error(), http.StatusInternalServerError) return } @@ -88,7 +82,7 @@ func (app *App) handleUpdateUser(w http.ResponseWriter, r *http.Request) { return } } - user, _ := app.getUser(id) + user, _ := app.getUserByID(id) writeJSON(w, user) } @@ -99,11 +93,11 @@ func (app *App) handleDeleteUser(w http.ResponseWriter, r *http.Request) { return } claims := claimsFromContext(r) - if claims.ParticipantID == id { + if claims.UserID == id { writeError(w, "cannot delete yourself", http.StatusBadRequest) return } - if err := app.removeUser(id); err != nil { + if err := app.deleteUser(id); err != nil { writeError(w, err.Error(), http.StatusInternalServerError) return } diff --git a/handle_volunteers.go b/handle_volunteers.go index cd891d2..6832995 100644 --- a/handle_volunteers.go +++ b/handle_volunteers.go @@ -2,7 +2,6 @@ package main import ( "encoding/json" - "log" "net/http" "strconv" ) @@ -12,19 +11,20 @@ func (app *App) handleListVolunteers(w http.ResponseWriter, r *http.Request) { search := q.Get("search") since := q.Get("since") - var deptIDs []int + var deptID *int if d := q.Get("dept"); d != "" { - if id, err := strconv.Atoi(d); err == nil { - deptIDs = []int{id} + id, err := strconv.Atoi(d) + if err == nil { + deptID = &id } } claims := claimsFromContext(r) - if isCoLeadOnly(claims) && len(deptIDs) == 0 { - deptIDs = claims.DeptIDs + if claims.Role == "colead" && deptID == nil && len(claims.DeptIDs) > 0 { + deptID = &claims.DeptIDs[0] } - volunteers, err := app.listVolunteers(search, deptIDs, since) + volunteers, err := app.listVolunteers(search, deptID, since) if err != nil { writeError(w, err.Error(), http.StatusInternalServerError) return @@ -34,64 +34,41 @@ func (app *App) handleListVolunteers(w http.ResponseWriter, r *http.Request) { func (app *App) handleCreateVolunteer(w http.ResponseWriter, r *http.Request) { var body struct { - Name string `json:"name"` - TicketName string `json:"ticket_name"` - Email string `json:"email"` - DepartmentID *int `json:"department_id"` - IsLead bool `json:"is_lead"` - Note string `json:"note"` + Volunteer + TicketName string `json:"ticket_name"` } if err := json.NewDecoder(r.Body).Decode(&body); err != nil { writeError(w, "invalid request", http.StatusBadRequest) return } - if body.Name == "" { + v := body.Volunteer + if v.Name == "" { writeError(w, "name is required", http.StatusBadRequest) return } - if body.Email == "" { - writeError(w, "email is required", http.StatusBadRequest) - return - } claims := claimsFromContext(r) - if isCoLeadOnly(claims) { - if body.DepartmentID == nil || !inSlice(*body.DepartmentID, claims.DeptIDs) { + if claims.Role == "colead" { + if v.DepartmentID == nil || !inSlice(*v.DepartmentID, claims.DeptIDs) { writeError(w, "forbidden: outside your department", http.StatusForbidden) return } } - p, _ := app.getParticipantByEmail(body.Email) - if p == nil { - p, _ = app.createParticipant(Participant{PreferredName: body.Name, Email: body.Email, TicketName: body.TicketName}) - } else if body.TicketName != "" && p.TicketName == "" { - app.db.Exec(`UPDATE participants SET ticket_name = ?, updated_at = ? WHERE id = ?`, body.TicketName, now(), p.ID) - } - if p == nil { - writeError(w, "failed to create participant", http.StatusInternalServerError) - return - } - confirmToken, err := generateConfirmationToken() - if err != nil { - writeError(w, "internal error", http.StatusInternalServerError) - return - } - app.setParticipantConfirmationToken(p.ID, confirmToken) - v := Volunteer{ - ParticipantID: p.ID, - DepartmentID: body.DepartmentID, - IsLead: body.IsLead, - Note: body.Note, + if v.Email != "" && v.ParticipantID == nil { + p, _ := app.getParticipantByEmail(v.Email) + if p == nil { + p, _ = app.createParticipant(Participant{PreferredName: v.Name, Email: v.Email, TicketName: body.TicketName}) + } else if body.TicketName != "" && p.TicketName == "" { + app.db.Exec(`UPDATE participants SET ticket_name = ?, updated_at = ? WHERE id = ?`, body.TicketName, now(), p.ID) + } + if p != nil { + v.ParticipantID = &p.ID + } } created, err := app.createVolunteer(v) if err != nil { writeError(w, err.Error(), http.StatusInternalServerError) return } - go func() { - if err := app.sendConfirmationEmail(body.Email, body.Name, confirmToken); err != nil { - log.Printf("confirmation email to %s failed: %v", body.Email, err) - } - }() w.WriteHeader(http.StatusCreated) writeJSON(w, created) } @@ -116,37 +93,29 @@ func (app *App) handleUpdateVolunteer(w http.ResponseWriter, r *http.Request) { writeError(w, "invalid id", http.StatusBadRequest) return } - var body struct { - DepartmentID *int `json:"department_id"` - IsLead bool `json:"is_lead"` - Note string `json:"note"` - } - if err := json.NewDecoder(r.Body).Decode(&body); err != nil { + var v Volunteer + if err := json.NewDecoder(r.Body).Decode(&v); err != nil { writeError(w, "invalid request", http.StatusBadRequest) return } + if v.Name == "" { + writeError(w, "name is required", http.StatusBadRequest) + return + } claims := claimsFromContext(r) - if isCoLeadOnly(claims) { + if claims.Role == "colead" { existing, _ := app.getVolunteer(id) if existing == nil || existing.DepartmentID == nil || !inSlice(*existing.DepartmentID, claims.DeptIDs) { writeError(w, "forbidden: outside your department", http.StatusForbidden) return } - if body.DepartmentID != nil && !inSlice(*body.DepartmentID, claims.DeptIDs) { - writeError(w, "forbidden: cannot move volunteer to that department", http.StatusForbidden) - return - } - } - v := Volunteer{ - ID: id, - DepartmentID: body.DepartmentID, - IsLead: body.IsLead, - Note: body.Note, } + v.ID = id if err := app.updateVolunteer(v); err != nil { writeError(w, err.Error(), http.StatusInternalServerError) return } + if v.IsLead { app.confirmVolunteer(id) } @@ -160,14 +129,6 @@ func (app *App) handleDeleteVolunteer(w http.ResponseWriter, r *http.Request) { writeError(w, "invalid id", http.StatusBadRequest) return } - claims := claimsFromContext(r) - if isCoLeadOnly(claims) { - v, _ := app.getVolunteer(id) - if v == nil || v.DepartmentID == nil || !inSlice(*v.DepartmentID, claims.DeptIDs) { - writeError(w, "forbidden: outside your department", http.StatusForbidden) - return - } - } if err := app.deleteVolunteer(id); err != nil { writeError(w, err.Error(), http.StatusInternalServerError) return @@ -182,14 +143,7 @@ func (app *App) handleMarkVolunteerReady(w http.ResponseWriter, r *http.Request) return } claims := claimsFromContext(r) - if isCoLeadOnly(claims) { - v, _ := app.getVolunteer(id) - if v == nil || v.DepartmentID == nil || !inSlice(*v.DepartmentID, claims.DeptIDs) { - writeError(w, "forbidden: outside your department", http.StatusForbidden) - return - } - } - v, err := app.markVolunteerReady(id, claims.ParticipantID) + v, err := app.markVolunteerReady(id, claims.UserID) if err != nil { writeError(w, err.Error(), http.StatusInternalServerError) return @@ -204,14 +158,6 @@ func (app *App) handleConfirmVolunteer(w http.ResponseWriter, r *http.Request) { writeError(w, "invalid id", http.StatusBadRequest) return } - claims := claimsFromContext(r) - if isCoLeadOnly(claims) { - v, _ := app.getVolunteer(id) - if v == nil || v.DepartmentID == nil || !inSlice(*v.DepartmentID, claims.DeptIDs) { - writeError(w, "forbidden: outside your department", http.StatusForbidden) - return - } - } v, err := app.confirmVolunteer(id) if err != nil { writeError(w, err.Error(), http.StatusInternalServerError) @@ -233,24 +179,7 @@ func (app *App) handleAssignShift(w http.ResponseWriter, r *http.Request) { writeError(w, "shift_id required", http.StatusBadRequest) return } - claims := claimsFromContext(r) - if isCoLeadOnly(claims) { - v, _ := app.getVolunteer(volunteerID) - if v == nil || v.DepartmentID == nil || !inSlice(*v.DepartmentID, claims.DeptIDs) { - writeError(w, "forbidden: outside your department", http.StatusForbidden) - return - } - } - shift, err := app.getShift(body.ShiftID) - if err != nil || shift == nil { - writeError(w, "shift not found", http.StatusNotFound) - return - } - if err := app.assignShiftWithCapacity(volunteerID, body.ShiftID, shift.Capacity); err != nil { - if err == errShiftFull { - writeError(w, "shift is at capacity", http.StatusConflict) - return - } + if err := app.assignShift(volunteerID, body.ShiftID); err != nil { writeError(w, err.Error(), http.StatusInternalServerError) return } @@ -268,14 +197,6 @@ func (app *App) handleUnassignShift(w http.ResponseWriter, r *http.Request) { writeError(w, "invalid shift id", http.StatusBadRequest) return } - claims := claimsFromContext(r) - if isCoLeadOnly(claims) { - v, _ := app.getVolunteer(volunteerID) - if v == nil || v.DepartmentID == nil || !inSlice(*v.DepartmentID, claims.DeptIDs) { - writeError(w, "forbidden: outside your department", http.StatusForbidden) - return - } - } if err := app.unassignShift(volunteerID, shiftID); err != nil { writeError(w, err.Error(), http.StatusInternalServerError) return @@ -283,3 +204,11 @@ func (app *App) handleUnassignShift(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusNoContent) } +func inSlice(v int, s []int) bool { + for _, x := range s { + if x == v { + return true + } + } + return false +} diff --git a/handle_volunteers_test.go b/handle_volunteers_test.go index dc61f28..e10815c 100644 --- a/handle_volunteers_test.go +++ b/handle_volunteers_test.go @@ -14,8 +14,10 @@ func TestConfirmVolunteer(t *testing.T) { dept, _ := app.createDepartment(Department{Name: "Gate"}) deptID := dept.ID - p, _ := app.createParticipant(Participant{PreferredName: "Titania", Email: "titania@test.com", EmailConfirmed: true}) - v, _ := app.createVolunteer(Volunteer{ParticipantID: p.ID, DepartmentID: &deptID}) + v, _ := app.createVolunteer(Volunteer{ + Name: "Titania", Email: "titania@test.com", + DepartmentID: &deptID, EmailConfirmed: true, + }) w := httptest.NewRecorder() mux.ServeHTTP(w, testAuthRequest("POST", "/api/volunteers/"+itoa(v.ID)+"/confirm", nil, tok)) @@ -44,8 +46,7 @@ func TestConfirmVolunteerIdempotent(t *testing.T) { admin := testAdminUser(t, app) tok := testToken(t, app, admin) - p, _ := app.createParticipant(Participant{PreferredName: "Puck", Email: "puck@test.com", EmailConfirmed: true}) - v, _ := app.createVolunteer(Volunteer{ParticipantID: p.ID}) + v, _ := app.createVolunteer(Volunteer{Name: "Puck", Email: "puck@test.com", EmailConfirmed: true}) // Confirm twice — second should be a no-op, not an error. w := httptest.NewRecorder() @@ -65,141 +66,16 @@ func TestConfirmVolunteerRequiresRole(t *testing.T) { app := testApp(t) mux := testMux(app) - // Gatekeeper role should NOT be able to confirm volunteers. - gatekeeper := testUserWithRoles(t, app, "Egeus", []string{"gatekeeper"}, []int{}) - tok := testToken(t, app, gatekeeper) + // Ticketing role should NOT be able to confirm volunteers. + ticketing := testUserWithRole(t, app, "ticket_lead", "ticketing", nil) + tok := testToken(t, app, ticketing) - p, _ := app.createParticipant(Participant{PreferredName: "Helena", EmailConfirmed: true}) - v, _ := app.createVolunteer(Volunteer{ParticipantID: p.ID}) + v, _ := app.createVolunteer(Volunteer{Name: "Helena", EmailConfirmed: true}) w := httptest.NewRecorder() mux.ServeHTTP(w, testAuthRequest("POST", "/api/volunteers/"+itoa(v.ID)+"/confirm", nil, tok)) if w.Code != http.StatusForbidden { - t.Errorf("expected 403 for gatekeeper role, got %d", w.Code) - } -} - -func TestCoLeadDeleteVolunteerOwnDept(t *testing.T) { - app := testApp(t) - mux := testMux(app) - - deptA, _ := app.createDepartment(Department{Name: "Gate"}) - colead := testUserWithRoles(t, app, "Hermia", []string{"colead"}, []int{deptA.ID}) - tok := testToken(t, app, colead) - - deptAID := deptA.ID - p, _ := app.createParticipant(Participant{PreferredName: "Puck", Email: "puck@test.com"}) - v, _ := app.createVolunteer(Volunteer{ParticipantID: p.ID, DepartmentID: &deptAID}) - - w := httptest.NewRecorder() - mux.ServeHTTP(w, testAuthRequest("DELETE", "/api/volunteers/"+itoa(v.ID), nil, tok)) - if w.Code != http.StatusNoContent { - t.Errorf("expected 204 for own dept, got %d: %s", w.Code, w.Body.String()) - } -} - -func TestCoLeadDeleteVolunteerOtherDept(t *testing.T) { - app := testApp(t) - mux := testMux(app) - - deptA, _ := app.createDepartment(Department{Name: "Gate"}) - deptB, _ := app.createDepartment(Department{Name: "Build"}) - colead := testUserWithRoles(t, app, "Hermia", []string{"colead"}, []int{deptA.ID}) - tok := testToken(t, app, colead) - - deptBID := deptB.ID - p, _ := app.createParticipant(Participant{PreferredName: "Puck", Email: "puck@test.com"}) - v, _ := app.createVolunteer(Volunteer{ParticipantID: p.ID, DepartmentID: &deptBID}) - - w := httptest.NewRecorder() - mux.ServeHTTP(w, testAuthRequest("DELETE", "/api/volunteers/"+itoa(v.ID), nil, tok)) - if w.Code != http.StatusForbidden { - t.Errorf("expected 403 for other dept, got %d", w.Code) - } -} - -func TestCoLeadConfirmVolunteerOtherDept(t *testing.T) { - app := testApp(t) - mux := testMux(app) - - deptA, _ := app.createDepartment(Department{Name: "Gate"}) - deptB, _ := app.createDepartment(Department{Name: "Build"}) - colead := testUserWithRoles(t, app, "Hermia", []string{"colead"}, []int{deptA.ID}) - tok := testToken(t, app, colead) - - deptBID := deptB.ID - p, _ := app.createParticipant(Participant{PreferredName: "Puck", Email: "puck@test.com"}) - v, _ := app.createVolunteer(Volunteer{ParticipantID: p.ID, DepartmentID: &deptBID}) - - w := httptest.NewRecorder() - mux.ServeHTTP(w, testAuthRequest("POST", "/api/volunteers/"+itoa(v.ID)+"/confirm", nil, tok)) - if w.Code != http.StatusForbidden { - t.Errorf("expected 403 for other dept, got %d", w.Code) - } -} - -func TestCoLeadReadyVolunteerOtherDept(t *testing.T) { - app := testApp(t) - mux := testMux(app) - - deptA, _ := app.createDepartment(Department{Name: "Gate"}) - deptB, _ := app.createDepartment(Department{Name: "Build"}) - colead := testUserWithRoles(t, app, "Hermia", []string{"colead"}, []int{deptA.ID}) - tok := testToken(t, app, colead) - - deptBID := deptB.ID - p, _ := app.createParticipant(Participant{PreferredName: "Puck", Email: "puck@test.com"}) - v, _ := app.createVolunteer(Volunteer{ParticipantID: p.ID, DepartmentID: &deptBID}) - - w := httptest.NewRecorder() - mux.ServeHTTP(w, testAuthRequest("POST", "/api/volunteers/"+itoa(v.ID)+"/ready", nil, tok)) - if w.Code != http.StatusForbidden { - t.Errorf("expected 403 for other dept, got %d", w.Code) - } -} - -func TestCoLeadAssignShiftOtherDept(t *testing.T) { - app := testApp(t) - mux := testMux(app) - - deptA, _ := app.createDepartment(Department{Name: "Gate"}) - deptB, _ := app.createDepartment(Department{Name: "Build"}) - colead := testUserWithRoles(t, app, "Hermia", []string{"colead"}, []int{deptA.ID}) - tok := testToken(t, app, colead) - - deptBID := deptB.ID - p, _ := app.createParticipant(Participant{PreferredName: "Puck", Email: "puck@test.com"}) - v, _ := app.createVolunteer(Volunteer{ParticipantID: p.ID, DepartmentID: &deptBID}) - s, _ := app.createShift(Shift{DepartmentID: deptB.ID, Name: "AM", Day: "2026-03-15", StartTime: "08:00", EndTime: "12:00"}) - - w := httptest.NewRecorder() - mux.ServeHTTP(w, testAuthRequest("POST", "/api/volunteers/"+itoa(v.ID)+"/shifts", map[string]any{ - "shift_id": s.ID, - }, tok)) - if w.Code != http.StatusForbidden { - t.Errorf("expected 403 for other dept, got %d", w.Code) - } -} - -func TestCoLeadUpdateVolunteerTargetDeptForbidden(t *testing.T) { - app := testApp(t) - mux := testMux(app) - - deptA, _ := app.createDepartment(Department{Name: "Gate"}) - deptB, _ := app.createDepartment(Department{Name: "Build"}) - colead := testUserWithRoles(t, app, "Hermia", []string{"colead"}, []int{deptA.ID}) - tok := testToken(t, app, colead) - - deptAID := deptA.ID - p, _ := app.createParticipant(Participant{PreferredName: "Puck", Email: "puck@test.com"}) - v, _ := app.createVolunteer(Volunteer{ParticipantID: p.ID, DepartmentID: &deptAID}) - - w := httptest.NewRecorder() - mux.ServeHTTP(w, testAuthRequest("PUT", "/api/volunteers/"+itoa(v.ID), map[string]any{ - "department_id": deptB.ID, - }, tok)) - if w.Code != http.StatusForbidden { - t.Errorf("expected 403 moving to other dept, got %d: %s", w.Code, w.Body.String()) + t.Errorf("expected 403 for ticketing role, got %d", w.Code) } } @@ -210,13 +86,12 @@ func TestUpdateVolunteerDepartment(t *testing.T) { tok := testToken(t, app, admin) dept, _ := app.createDepartment(Department{Name: "Gate"}) - p, _ := app.createParticipant(Participant{PreferredName: "Hermia"}) - v, _ := app.createVolunteer(Volunteer{ParticipantID: p.ID}) + v, _ := app.createVolunteer(Volunteer{Name: "Hermia"}) // Assign department via update. w := httptest.NewRecorder() mux.ServeHTTP(w, testAuthRequest("PUT", "/api/volunteers/"+itoa(v.ID), map[string]any{ - "department_id": dept.ID, + "name": "Hermia", "department_id": dept.ID, }, tok)) if w.Code != 200 { t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String()) @@ -236,8 +111,10 @@ func TestUpdateVolunteerCoLeadAutoConfirms(t *testing.T) { dept, _ := app.createDepartment(Department{Name: "Build"}) deptID := dept.ID - p, _ := app.createParticipant(Participant{PreferredName: "Lysander", Email: "lys@test.com", EmailConfirmed: true}) - v, _ := app.createVolunteer(Volunteer{ParticipantID: p.ID, DepartmentID: &deptID}) + v, _ := app.createVolunteer(Volunteer{ + Name: "Lysander", Email: "lys@test.com", + DepartmentID: &deptID, EmailConfirmed: true, + }) // Verify not confirmed before update. got, _ := app.getVolunteer(v.ID) @@ -248,7 +125,7 @@ func TestUpdateVolunteerCoLeadAutoConfirms(t *testing.T) { // Update is_lead=true should auto-confirm. w := httptest.NewRecorder() mux.ServeHTTP(w, testAuthRequest("PUT", "/api/volunteers/"+itoa(v.ID), map[string]any{ - "department_id": deptID, "is_lead": true, + "name": "Lysander", "department_id": deptID, "is_lead": true, }, tok)) if w.Code != 200 { t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String()) diff --git a/main.go b/main.go index 186362c..be9fc53 100644 --- a/main.go +++ b/main.go @@ -97,62 +97,62 @@ func (app *App) registerRoutes(mux *http.ServeMux) { mux.HandleFunc("GET /api/me", auth(app.handleMe)) mux.HandleFunc("GET /api/event", auth(app.handleGetEvent)) - mux.HandleFunc("PUT /api/event", auth(app.handleUpdateEvent, "admin")) + mux.HandleFunc("PUT /api/event", auth(app.handleUpdateEvent, "admin", "ticketing")) - mux.HandleFunc("GET /api/participants", auth(app.handleListParticipants, "admin", "gatekeeper")) - mux.HandleFunc("POST /api/participants", auth(app.handleCreateParticipant, "admin")) - mux.HandleFunc("GET /api/participants/export", auth(app.handleExportParticipants, "admin")) - mux.HandleFunc("GET /api/participants/{id}", auth(app.handleGetParticipant, "admin", "gatekeeper")) - mux.HandleFunc("PUT /api/participants/{id}", auth(app.handleUpdateParticipant, "admin")) - mux.HandleFunc("DELETE /api/participants/{id}", auth(app.handleDeleteParticipant, "admin")) - mux.HandleFunc("POST /api/participants/{id}/merge/{other_id}", auth(app.handleMergeParticipants, "admin")) + mux.HandleFunc("GET /api/participants", auth(app.handleListParticipants, "admin", "ticketing", "gatekeeper")) + mux.HandleFunc("POST /api/participants", auth(app.handleCreateParticipant, "admin", "ticketing")) + mux.HandleFunc("GET /api/participants/export", auth(app.handleExportParticipants, "admin", "ticketing")) + mux.HandleFunc("GET /api/participants/{id}", auth(app.handleGetParticipant, "admin", "ticketing", "gatekeeper")) + mux.HandleFunc("PUT /api/participants/{id}", auth(app.handleUpdateParticipant, "admin", "ticketing")) + mux.HandleFunc("DELETE /api/participants/{id}", auth(app.handleDeleteParticipant, "admin", "ticketing")) + mux.HandleFunc("POST /api/participants/{id}/merge/{other_id}", auth(app.handleMergeParticipants, "admin", "ticketing")) - mux.HandleFunc("GET /api/tickets", auth(app.handleListTickets, "admin", "gatekeeper")) - mux.HandleFunc("POST /api/tickets", auth(app.handleCreateTicket, "admin")) - mux.HandleFunc("POST /api/tickets/{id}/checkin", auth(app.handleCheckInTicket, "admin", "gatekeeper")) - mux.HandleFunc("POST /api/tickets/generate-codes", auth(app.handleGenerateTokens, "admin")) - mux.HandleFunc("GET /api/tickets/export-links", auth(app.handleExportTokenLinks, "admin")) - mux.HandleFunc("POST /api/tickets/email-codes", auth(app.handleEmailAllTokens, "admin")) - mux.HandleFunc("POST /api/tickets/{id}/email-code", auth(app.handleEmailToken, "admin")) + mux.HandleFunc("GET /api/tickets", auth(app.handleListTickets, "admin", "ticketing", "gatekeeper")) + mux.HandleFunc("POST /api/tickets", auth(app.handleCreateTicket, "admin", "ticketing")) + mux.HandleFunc("POST /api/tickets/{id}/checkin", auth(app.handleCheckInTicket, "admin", "ticketing", "gatekeeper")) + mux.HandleFunc("POST /api/tickets/generate-codes", auth(app.handleGenerateTokens, "admin", "ticketing")) + mux.HandleFunc("GET /api/tickets/export-links", auth(app.handleExportTokenLinks, "admin", "ticketing")) + mux.HandleFunc("POST /api/tickets/email-codes", auth(app.handleEmailAllTokens, "admin", "ticketing")) + mux.HandleFunc("POST /api/tickets/{id}/email-code", auth(app.handleEmailToken, "admin", "ticketing")) mux.HandleFunc("GET /api/departments", auth(app.handleListDepartments)) - mux.HandleFunc("POST /api/departments", auth(app.handleCreateDepartment, "admin", "staffing")) - mux.HandleFunc("PUT /api/departments/{id}", auth(app.handleUpdateDepartment, "admin", "staffing")) - mux.HandleFunc("DELETE /api/departments/{id}", auth(app.handleDeleteDepartment, "admin")) + mux.HandleFunc("POST /api/departments", auth(app.handleCreateDepartment, "admin", "ticketing", "staffing")) + mux.HandleFunc("PUT /api/departments/{id}", auth(app.handleUpdateDepartment, "admin", "ticketing", "staffing")) + mux.HandleFunc("DELETE /api/departments/{id}", auth(app.handleDeleteDepartment, "admin", "ticketing")) - mux.HandleFunc("GET /api/volunteers", auth(app.handleListVolunteers, "admin", "staffing", "colead")) - mux.HandleFunc("POST /api/volunteers", auth(app.handleCreateVolunteer, "admin", "staffing", "colead")) - mux.HandleFunc("GET /api/volunteers/{id}", auth(app.handleGetVolunteer, "admin", "staffing", "colead")) - mux.HandleFunc("PUT /api/volunteers/{id}", auth(app.handleUpdateVolunteer, "admin", "staffing", "colead")) - mux.HandleFunc("DELETE /api/volunteers/{id}", auth(app.handleDeleteVolunteer, "admin", "staffing", "colead")) - mux.HandleFunc("POST /api/volunteers/{id}/ready", auth(app.handleMarkVolunteerReady, "admin", "staffing", "colead")) + mux.HandleFunc("GET /api/volunteers", auth(app.handleListVolunteers, "admin", "ticketing", "staffing", "colead")) + mux.HandleFunc("POST /api/volunteers", auth(app.handleCreateVolunteer, "admin", "ticketing", "staffing", "colead")) + mux.HandleFunc("GET /api/volunteers/{id}", auth(app.handleGetVolunteer, "admin", "ticketing", "staffing", "colead")) + mux.HandleFunc("PUT /api/volunteers/{id}", auth(app.handleUpdateVolunteer, "admin", "ticketing", "staffing", "colead")) + mux.HandleFunc("DELETE /api/volunteers/{id}", auth(app.handleDeleteVolunteer, "admin", "ticketing", "staffing", "colead")) + mux.HandleFunc("POST /api/volunteers/{id}/ready", auth(app.handleMarkVolunteerReady, "admin", "ticketing", "staffing", "colead")) mux.HandleFunc("POST /api/volunteers/{id}/confirm", auth(app.handleConfirmVolunteer, "admin", "staffing", "colead")) - mux.HandleFunc("POST /api/volunteers/{id}/shifts", auth(app.handleAssignShift, "admin", "staffing", "colead")) - mux.HandleFunc("DELETE /api/volunteers/{id}/shifts/{shift_id}", auth(app.handleUnassignShift, "admin", "staffing", "colead")) + mux.HandleFunc("POST /api/volunteers/{id}/shifts", auth(app.handleAssignShift, "admin", "ticketing", "staffing", "colead")) + mux.HandleFunc("DELETE /api/volunteers/{id}/shifts/{shift_id}", auth(app.handleUnassignShift, "admin", "ticketing", "staffing", "colead")) - mux.HandleFunc("GET /api/shifts", auth(app.handleListShifts, "admin", "staffing", "colead")) - mux.HandleFunc("POST /api/shifts", auth(app.handleCreateShift, "admin", "staffing", "colead")) - mux.HandleFunc("POST /api/shifts/reorder", auth(app.handleReorderShifts, "admin", "staffing", "colead")) - mux.HandleFunc("PUT /api/shifts/{id}", auth(app.handleUpdateShift, "admin", "staffing", "colead")) - mux.HandleFunc("DELETE /api/shifts/{id}", auth(app.handleDeleteShift, "admin", "staffing", "colead")) - mux.HandleFunc("POST /api/shifts/{id}/volunteers", auth(app.handleAssignShiftVolunteer, "admin", "staffing", "colead")) - mux.HandleFunc("DELETE /api/shifts/{id}/volunteers/{volunteer_id}", auth(app.handleUnassignShiftVolunteer, "admin", "staffing", "colead")) + mux.HandleFunc("GET /api/shifts", auth(app.handleListShifts, "admin", "ticketing", "staffing", "colead")) + mux.HandleFunc("POST /api/shifts", auth(app.handleCreateShift, "admin", "ticketing", "staffing", "colead")) + mux.HandleFunc("POST /api/shifts/reorder", auth(app.handleReorderShifts, "admin", "ticketing", "staffing", "colead")) + mux.HandleFunc("PUT /api/shifts/{id}", auth(app.handleUpdateShift, "admin", "ticketing", "staffing", "colead")) + mux.HandleFunc("DELETE /api/shifts/{id}", auth(app.handleDeleteShift, "admin", "ticketing", "staffing", "colead")) + mux.HandleFunc("POST /api/shifts/{id}/volunteers", auth(app.handleAssignShiftVolunteer, "admin", "ticketing", "staffing", "colead")) + mux.HandleFunc("DELETE /api/shifts/{id}/volunteers/{volunteer_id}", auth(app.handleUnassignShiftVolunteer, "admin", "ticketing", "staffing", "colead")) - mux.HandleFunc("GET /api/users", auth(app.handleListUsers, "admin")) - mux.HandleFunc("POST /api/users", auth(app.handleCreateUser, "admin")) - mux.HandleFunc("PUT /api/users/{id}", auth(app.handleUpdateUser, "admin")) - mux.HandleFunc("DELETE /api/users/{id}", auth(app.handleDeleteUser, "admin")) + mux.HandleFunc("GET /api/users", auth(app.handleListUsers, "admin", "ticketing")) + mux.HandleFunc("POST /api/users", auth(app.handleCreateUser, "admin", "ticketing")) + mux.HandleFunc("PUT /api/users/{id}", auth(app.handleUpdateUser, "admin", "ticketing")) + mux.HandleFunc("DELETE /api/users/{id}", auth(app.handleDeleteUser, "admin", "ticketing")) - mux.HandleFunc("GET /api/settings", auth(app.handleGetSettings, "admin")) - mux.HandleFunc("PUT /api/settings", auth(app.handleUpdateSettings, "admin")) - mux.HandleFunc("POST /api/settings/test-email", auth(app.handleTestEmail, "admin")) - mux.HandleFunc("POST /api/settings/reset-tickets", auth(app.handleResetTickets, "admin")) - mux.HandleFunc("POST /api/settings/reset-volunteers", auth(app.handleResetVolunteers, "admin")) - mux.HandleFunc("POST /api/settings/reset-shifts", auth(app.handleResetShifts, "admin")) - mux.HandleFunc("POST /api/settings/reset-departments", auth(app.handleResetDepartments, "admin")) - mux.HandleFunc("POST /api/settings/reset-volunteer-shifts", auth(app.handleResetVolunteerShifts, "admin")) + mux.HandleFunc("GET /api/settings", auth(app.handleGetSettings, "admin", "ticketing")) + mux.HandleFunc("PUT /api/settings", auth(app.handleUpdateSettings, "admin", "ticketing")) + mux.HandleFunc("POST /api/settings/test-email", auth(app.handleTestEmail, "admin", "ticketing")) + mux.HandleFunc("POST /api/settings/reset-tickets", auth(app.handleResetTickets, "admin", "ticketing")) + mux.HandleFunc("POST /api/settings/reset-volunteers", auth(app.handleResetVolunteers, "admin", "ticketing")) + mux.HandleFunc("POST /api/settings/reset-shifts", auth(app.handleResetShifts, "admin", "ticketing")) + mux.HandleFunc("POST /api/settings/reset-departments", auth(app.handleResetDepartments, "admin", "ticketing")) + mux.HandleFunc("POST /api/settings/reset-volunteer-shifts", auth(app.handleResetVolunteerShifts, "admin", "ticketing")) - mux.HandleFunc("POST /api/import", auth(app.handleImport, "admin")) + mux.HandleFunc("POST /api/import", auth(app.handleImport, "admin", "ticketing")) mux.HandleFunc("GET /api/sync/pull", auth(app.handleSyncPull)) mux.HandleFunc("GET /api/sync/stream", auth(app.handleSyncStream)) @@ -161,12 +161,9 @@ func (app *App) registerRoutes(mux *http.ServeMux) { writeJSON(w, map[string]string{"build": buildID}) }) - mux.HandleFunc("POST /api/settings/shift-signups", auth(app.handleToggleShiftSignups, "admin", "staffing")) + mux.HandleFunc("POST /api/settings/shift-signups", auth(app.handleToggleShiftSignups, "admin", "ticketing", "staffing")) // Public endpoints — no JWT required. - mux.HandleFunc("GET /api/public/sso-enabled", app.handleSSOEnabled) - mux.HandleFunc("GET /api/sso/init", app.handleSSOInit) - mux.HandleFunc("GET /api/sso/callback", app.handleSSOCallback) mux.HandleFunc("GET /api/public/signup-config", app.handlePublicSignupConfig) mux.HandleFunc("POST /api/public/signup", app.handlePublicSignup) mux.HandleFunc("POST /api/public/confirm", app.handleConfirmEmail) @@ -199,9 +196,9 @@ func (app *App) registerRoutes(mux *http.ServeMux) { } func (app *App) bootstrapAdmin() error { - adminEmail := os.Getenv("TURNPIKE_ADMIN_EMAIL") + adminUser := os.Getenv("TURNPIKE_ADMIN_USER") adminPass := os.Getenv("TURNPIKE_ADMIN_PASSWORD") - if adminEmail == "" || adminPass == "" { + if adminUser == "" || adminPass == "" { return nil } n, err := app.countUsers() @@ -212,11 +209,11 @@ func (app *App) bootstrapAdmin() error { if err != nil { return err } - _, err = app.createUser(adminEmail, "Admin", hash, []string{"admin"}, []int{}) + _, err = app.createUser(adminUser, hash, "admin", []int{}) if err != nil { return err } - log.Printf("Created admin user: %s", adminEmail) + log.Printf("Created admin user: %s", adminUser) return nil } diff --git a/testutil_test.go b/testutil_test.go index 14351e5..8f58833 100644 --- a/testutil_test.go +++ b/testutil_test.go @@ -6,7 +6,6 @@ import ( "fmt" "net/http" "net/http/httptest" - "strings" "testing" ) @@ -17,6 +16,7 @@ func testApp(t *testing.T) *App { t.Fatal(err) } t.Cleanup(func() { db.Close() }) + // Ensure config table exists (normally created by getOrCreateSecret) db.Exec(`CREATE TABLE IF NOT EXISTS config (key TEXT PRIMARY KEY, value TEXT NOT NULL)`) return &App{ db: db, @@ -29,18 +29,17 @@ func testApp(t *testing.T) *App { func testAdminUser(t *testing.T, app *App) *User { t.Helper() hash, _ := hashPassword("admin123") - u, err := app.createUser("oberon@athens.example", "Oberon", hash, []string{"admin"}, []int{}) + u, err := app.createUser("admin", hash, "admin", []int{}) if err != nil { t.Fatal(err) } return u } -func testUserWithRoles(t *testing.T, app *App, name string, roles []string, deptIDs []int) *User { +func testUserWithRole(t *testing.T, app *App, username, role string, deptIDs []int) *User { t.Helper() - email := strings.ToLower(name) + "@athens.example" - hash, _ := hashPassword(name + "123") - u, err := app.createUser(email, name, hash, roles, deptIDs) + hash, _ := hashPassword(username + "123") + u, err := app.createUser(username, hash, role, deptIDs) if err != nil { t.Fatal(err) }