big ole refactor

2026-02-14 19:48:59 +11:00
parent 0fc3bb0c94
commit 4a2396bca8
66 changed files with 989 additions and 1114 deletions


@@ -39,12 +39,12 @@ func (c *Checker) LoadPermissionsMiddleware() hws.Middleware {
var roles_ []*db.Role
var perms []*db.Permission
if err := db.WithTxFailSilently(r.Context(), c.conn, func(ctx context.Context, tx bun.Tx) error {
if err := c.conn.WithTxFailSilently(r.Context(), func(ctx context.Context, tx bun.Tx) error {
var err error
if previewRole != nil {
// In preview mode: use the preview role instead of user's roles
role, err := db.GetRoleWithPermissions(ctx, tx, previewRole.ID)
role, err := db.GetRoleByID(ctx, tx, previewRole.ID)
if err != nil {
return errors.Wrap(err, "db.GetRoleWithPermissions")
}
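Review bot: The error wrap just below the new `db.GetRoleByID` call still reads `"db.GetRoleWithPermissions"`, so a failure in the preview-mode branch will be reported under a function that is no longer called; it should become `return errors.Wrap(err, "db.GetRoleByID")`. Because this branch builds the effective permission set for a previewed role, it is also worth confirming that `GetRoleByID` still loads the role's permissions the way the old call's name implied, since a role returned without them would change what preview mode authorizes; that is not visible from this hunk. The closure body continues outside the hunk.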


@@ -13,11 +13,11 @@ import (
)
type Checker struct {
conn *bun.DB
conn *db.DB
s *hws.Server
}
func NewChecker(conn *bun.DB, s *hws.Server) (*Checker, error) {
func NewChecker(conn *db.DB, s *hws.Server) (*Checker, error) {
if conn == nil {
return nil, errors.New("conn cannot be nil")
}
@@ -56,7 +56,7 @@ func (c *Checker) UserHasPermission(ctx context.Context, user *db.User, permissi
// Not in preview mode: fallback to database for actual user permissions
var has bool
if err := db.WithTxFailSilently(ctx, c.conn, func(ctx context.Context, tx bun.Tx) error {
if err := c.conn.WithTxFailSilently(ctx, func(ctx context.Context, tx bun.Tx) error {
var err error
has, err = user.HasPermission(ctx, tx, permission)
if err != nil {
@@ -94,7 +94,7 @@ func (c *Checker) UserHasRole(ctx context.Context, user *db.User, role roles.Rol
// Not in preview mode: fallback to database for actual user roles
var has bool
if err := db.WithTxFailSilently(ctx, c.conn, func(ctx context.Context, tx bun.Tx) error {
if err := c.conn.WithTxFailSilently(ctx, func(ctx context.Context, tx bun.Tx) error {
var err error
has, err = user.HasRole(ctx, tx, role)
if err != nil {
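Review bot: In both `UserHasPermission` and `UserHasRole` (the hunks at -56 and -94) the authorization answer is the zero value of `has` unless the closure passed to `c.conn.WithTxFailSilently` runs to completion, and nothing on these lines says that this is the intended deny-on-failure path. If the method form keeps the helper's apparent behaviour of not surfacing the failure to the client, a short comment above `var has bool` would make the contract explicit, for example `// has stays false if the transaction fails: a database error must deny, never grant`. The rest of both functions is outside the hunks, so how `err` is handled after the call should be checked against that comment.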


@@ -15,7 +15,7 @@ import (
// LoadPreviewRoleMiddleware loads the preview role from the session cookie if present
// and adds it to the request context. This must run after authentication but before
// the RBAC cache middleware.
func LoadPreviewRoleMiddleware(s *hws.Server, conn *bun.DB) func(http.Handler) http.Handler {
func LoadPreviewRoleMiddleware(s *hws.Server, conn *db.DB) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Check if there's a preview role in the cookie
@@ -26,10 +26,25 @@ func LoadPreviewRoleMiddleware(s *hws.Server, conn *bun.DB) func(http.Handler) h
return
}
user := db.CurrentUser(r.Context())
if user == nil {
// User not logged in,
ClearPreviewRoleCookie(w)
next.ServeHTTP(w, r)
return
}
// Load the preview role from the database
var previewRole *db.Role
if ok := db.WithReadTx(s, w, r, conn, func(ctx context.Context, tx bun.Tx) (bool, error) {
var err error
if ok := conn.WithReadTx(s, w, r, func(ctx context.Context, tx bun.Tx) (bool, error) {
isAdmin, err := user.IsAdmin(ctx, tx)
if err != nil {
return false, errors.Wrap(err, "user.IsAdmin")
}
if !isAdmin {
ClearPreviewRoleCookie(w)
return true, nil
}
previewRole, err = db.GetRoleByID(ctx, tx, roleID)
if err != nil {
return false, errors.Wrap(err, "db.GetRoleByID")
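Review bot: The new non-admin branch inside the `conn.WithReadTx` closure clears the cookie and returns `true, nil` while `previewRole` is still nil, so the code after the closure sees a successful transaction with no role. That code is outside the hunk; if it does not already guard against this, it needs something like `if previewRole == nil { next.ServeHTTP(w, r); return }` before the role is put into the request context, otherwise a nil role could reach the RBAC middleware. Separately, the comment `// User not logged in,` in the added nil-user block ends mid-sentence; `// User not logged in: drop any stale preview cookie and continue without a preview role` would state the intent.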


@@ -90,7 +90,7 @@ func (c *Checker) RequireActualAdmin(s *hws.Server) func(http.Handler) http.Hand
// Check user's ACTUAL role in database, bypassing preview mode
var hasAdmin bool
if ok := db.WithReadTx(s, w, r, c.conn, func(ctx context.Context, tx bun.Tx) (bool, error) {
if ok := c.conn.WithReadTx(s, w, r, func(ctx context.Context, tx bun.Tx) (bool, error) {
var err error
hasAdmin, err = user.HasRole(ctx, tx, roles.Admin)
if err != nil {