admin page updates

internal/rbac/checker.go

@@ -33,6 +33,9 @@ func (c *Checker) UserHasPermission(ctx context.Context, user *db.User, permissi
 		return false, nil
 	}
 
+	// Check if we're in preview mode
+	previewRole := contexts.GetPreviewRole(ctx)
+
 	// Try cache first
 	cache := contexts.Permissions(ctx)
 	if cache != nil {
@@ -44,7 +47,14 @@ func (c *Checker) UserHasPermission(ctx context.Context, user *db.User, permissi
 		}
 	}
 
-	// Fallback to database
+	// If in preview mode, DO NOT fallback to database - use ONLY preview role permissions
+	// This ensures admins cannot bypass preview mode restrictions
+	if previewRole != nil {
+		// Not in cache and in preview mode = permission denied
+		return false, nil
+	}
+
+	// Not in preview mode: fallback to database for actual user permissions
 	var has bool
 	if err := db.WithTxFailSilently(ctx, c.conn, func(ctx context.Context, tx bun.Tx) error {
 		var err error
@@ -65,6 +75,9 @@ func (c *Checker) UserHasRole(ctx context.Context, user *db.User, role roles.Rol
 		return false, nil
 	}
 
+	// Check if we're in preview mode
+	previewRole := contexts.GetPreviewRole(ctx)
+
 	cache := contexts.Permissions(ctx)
 	if cache != nil {
 		if has, exists := cache.Roles[role]; exists {
@@ -72,13 +85,20 @@ func (c *Checker) UserHasRole(ctx context.Context, user *db.User, role roles.Rol
 		}
 	}
 
-	// Fallback to database
+	// If in preview mode, DO NOT fallback to database - use ONLY preview role
+	// This ensures admins cannot bypass preview mode restrictions
+	if previewRole != nil {
+		// Not in cache and in preview mode = role not assigned
+		return false, nil
+	}
+
+	// Not in preview mode: fallback to database for actual user roles
 	var has bool
 	if err := db.WithTxFailSilently(ctx, c.conn, func(ctx context.Context, tx bun.Tx) error {
 		var err error
 		has, err = user.HasRole(ctx, tx, role)
 		if err != nil {
-			return errors.Wrap(err, "user.HasPermission")
+			return errors.Wrap(err, "user.HasRole")
 		}
 		return nil
 	}); err != nil {