admin page updates

internal/db/role.go

@@ -98,10 +98,43 @@ func UpdateRole(ctx context.Context, tx bun.Tx, role *Role) error {
 }
 
 // DeleteRole deletes a role (checks IsSystem protection)
+// Also cleans up join table entries in role_permissions and user_roles
 func DeleteRole(ctx context.Context, tx bun.Tx, id int) error {
 	if id <= 0 {
 		return errors.New("id must be positive")
 	}
+
+	// First check if role exists and is not system
+	role, err := GetRoleByID(ctx, tx, id)
+	if err != nil {
+		return errors.Wrap(err, "GetRoleByID")
+	}
+	if role == nil {
+		return errors.New("role not found")
+	}
+	if role.IsSystem {
+		return errors.New("cannot delete system roles")
+	}
+
+	// Delete role_permissions entries
+	_, err = tx.NewDelete().
+		Model((*RolePermission)(nil)).
+		Where("role_id = ?", id).
+		Exec(ctx)
+	if err != nil {
+		return errors.Wrap(err, "delete role_permissions")
+	}
+
+	// Delete user_roles entries
+	_, err = tx.NewDelete().
+		Model((*UserRole)(nil)).
+		Where("role_id = ?", id).
+		Exec(ctx)
+	if err != nil {
+		return errors.Wrap(err, "delete user_roles")
+	}
+
+	// Finally delete the role
 	return DeleteWithProtection[Role](ctx, tx, id)
 }