fixed relationship issues

moved packages out of pkg
rbac system first stage
2026-02-05 00:10:10 +11:00 · 2026-02-04 18:57:33 +11:00 · 2026-02-03 21:37:06 +11:00 · 2026-02-02 22:39:03 +11:00
65 changed files with 2141 additions and 248 deletions
--- a/6
+++ b/6
@@ -4,7 +4,7 @@
 BINARY_NAME=oslstats

 build:
-	tailwindcss -i ./pkg/embedfs/files/css/input.css -o ./pkg/embedfs/files/css/output.css && \
+	tailwindcss -i ./internal/embedfs/web/css/input.css -o ./internal/embedfs/web/css/output.css && \
 	go mod tidy && \
   	templ generate && \
 	go generate ./cmd/${BINARY_NAME} && \
@@ -17,7 +17,7 @@ run:
 dev:
 	templ generate --watch &\
 	air &\
-	tailwindcss -i ./pkg/embedfs/files/css/input.css -o ./pkg/embedfs/files/css/output.css --watch
+	tailwindcss -i ./internal/embedfs/web/css/input.css -o ./internal/embedfs/web/css/output.css --watch

 clean:
 	go clean
@@ -82,7 +82,7 @@ migrate-create:

 # Reset database (DESTRUCTIVE - dev only!)
 reset-db:
-	@echo "⚠️  WARNING: This will DELETE ALL DATA!"
+	@echo "⚠️  WARNING - This will DELETE ALL DATA!"
 	make build
 	./bin/${BINARY_NAME}${SUFFIX} --reset-db

--- a/cmd/oslstats/db.go
+++ b/cmd/oslstats/db.go
@@ -1,20 +1,18 @@
 package main

 import (
-	"context"
 	"database/sql"
 	"fmt"
 	"time"

 	"git.haelnorr.com/h/oslstats/internal/config"
 	"git.haelnorr.com/h/oslstats/internal/db"
-	"github.com/pkg/errors"
 	"github.com/uptrace/bun"
 	"github.com/uptrace/bun/dialect/pgdialect"
 	"github.com/uptrace/bun/driver/pgdriver"
 )

-func setupBun(ctx context.Context, cfg *config.Config) (conn *bun.DB, close func() error, err error) {
+func setupBun(cfg *config.Config) (conn *bun.DB, close func() error) {
 	dsn := fmt.Sprintf("postgres://%s:%s@%s:%v/%s?sslmode=%s",
 		cfg.DB.User, cfg.DB.Password, cfg.DB.Host, cfg.DB.Port, cfg.DB.DB, cfg.DB.SSL)
 	sqldb := sql.OpenDB(pgdriver.NewConnector(pgdriver.WithDSN(dsn)))
@@ -26,30 +24,19 @@ func setupBun(ctx context.Context, cfg *config.Config) (conn *bun.DB, close func

 	conn = bun.NewDB(sqldb, pgdialect.New())
 	close = sqldb.Close
-
-	err = loadModels(ctx, conn)
-	if err != nil {
-		return nil, nil, errors.Wrap(err, "loadModels")
+	return conn, close
 }

-	return conn, close, nil
-}
-
-func loadModels(ctx context.Context, conn *bun.DB) error {
+func registerDBModels(conn *bun.DB) {
 	models := []any{
+		(*db.RolePermission)(nil),
+		(*db.UserRole)(nil),
 		(*db.User)(nil),
 		(*db.DiscordToken)(nil),
+		(*db.Season)(nil),
+		(*db.Role)(nil),
+		(*db.Permission)(nil),
+		(*db.AuditLog)(nil),
 	}
-
-	for _, model := range models {
-		_, err := conn.NewCreateTable().
-			Model(model).
-			IfNotExists().
-			Exec(ctx)
-		if err != nil {
-			return errors.Wrap(err, "db.NewCreateTable")
-		}
-	}
-
-	return nil
+	conn.RegisterModel(models...)
 }
--- a/cmd/oslstats/httpserver.go
+++ b/cmd/oslstats/httpserver.go
@@ -9,9 +9,11 @@ import (
 	"github.com/pkg/errors"
 	"github.com/uptrace/bun"

+	"git.haelnorr.com/h/oslstats/internal/auditlog"
 	"git.haelnorr.com/h/oslstats/internal/config"
 	"git.haelnorr.com/h/oslstats/internal/discord"
 	"git.haelnorr.com/h/oslstats/internal/handlers"
+	"git.haelnorr.com/h/oslstats/internal/rbac"
 	"git.haelnorr.com/h/oslstats/internal/store"
 )

@@ -58,12 +60,21 @@ func setupHTTPServer(
 		return nil, errors.Wrap(err, "httpServer.LoggerIgnorePaths")
 	}

-	err = addRoutes(httpServer, &fs, cfg, bun, auth, store, discordAPI)
+	// Initialize permissions checker
+	perms, err := rbac.NewChecker(bun, httpServer)
+	if err != nil {
+		return nil, errors.Wrap(err, "rbac.NewChecker")
+	}
+
+	// Initialize audit logger
+	audit := auditlog.NewLogger(bun)
+
+	err = addRoutes(httpServer, &fs, cfg, bun, auth, store, discordAPI, perms, audit)
 	if err != nil {
 		return nil, errors.Wrap(err, "addRoutes")
 	}

-	err = addMiddleware(httpServer, auth, cfg)
+	err = addMiddleware(httpServer, auth, cfg, perms)
 	if err != nil {
 		return nil, errors.Wrap(err, "addMiddleware")
 	}
--- a/cmd/oslstats/main.go
+++ b/cmd/oslstats/main.go
@@ -24,6 +24,21 @@ func main() {
 		fmt.Fprintf(os.Stderr, "%s\n", errors.Wrap(err, "Failed to load config"))
 		os.Exit(1)
 	}
+	// Handle utility flags
+	if flags.EnvDoc || flags.ShowEnv {
+		if err = loader.PrintEnvVarsStdout(flags.ShowEnv); err != nil {
+			fmt.Fprintf(os.Stderr, "%s\n", errors.Wrap(err, "Failed to print env doc"))
+		}
+		return
+	}
+
+	if flags.GenEnv != "" {
+		if err = loader.GenerateEnvFile(flags.GenEnv, true); err != nil {
+			fmt.Fprintf(os.Stderr, "%s\n", errors.Wrap(err, "Failed to generate env file"))
+		}
+		return
+	}
+	//
 	// Setup the logger
 	logger, err := hlog.NewLogger(cfg.HLOG, os.Stdout)
 	if err != nil {
@@ -31,17 +46,6 @@ func main() {
 		os.Exit(1)
 	}

-	// Handle utility flags
-	if flags.EnvDoc || flags.ShowEnv {
-		loader.PrintEnvVarsStdout(flags.ShowEnv)
-		return
-	}
-
-	if flags.GenEnv != "" {
-		loader.GenerateEnvFile(flags.GenEnv, true)
-		return
-	}
-
 	// Handle migration file creation (doesn't need DB connection)
 	if flags.MigrateCreate != "" {
 		if err := createMigration(flags.MigrateCreate); err != nil {
@@ -55,24 +59,17 @@ func main() {
 		flags.MigrateStatus || flags.MigrateDryRun ||
 		flags.ResetDB {

-		// Setup database connection
-		conn, close, err := setupBun(ctx, cfg)
-		if err != nil {
-			logger.Fatal().Err(err).Str("stacktrace", fmt.Sprintf("%+v", errors.Wrap(err, "setupBun"))).Msg("Error setting up database")
-		}
-		defer close()
-
 		// Route to appropriate command
 		if flags.MigrateUp {
-			err = runMigrations(ctx, conn, cfg, "up")
+			err = runMigrations(ctx, cfg, "up")
 		} else if flags.MigrateRollback {
-			err = runMigrations(ctx, conn, cfg, "rollback")
+			err = runMigrations(ctx, cfg, "rollback")
 		} else if flags.MigrateStatus {
-			err = runMigrations(ctx, conn, cfg, "status")
+			err = runMigrations(ctx, cfg, "status")
 		} else if flags.MigrateDryRun {
-			err = runMigrations(ctx, conn, cfg, "dry-run")
+			err = runMigrations(ctx, cfg, "dry-run")
 		} else if flags.ResetDB {
-			err = resetDatabase(ctx, conn)
+			err = resetDatabase(ctx, cfg)
 		}

 		if err != nil {
--- a/cmd/oslstats/middleware.go
+++ b/cmd/oslstats/middleware.go
@@ -8,8 +8,9 @@ import (
 	"git.haelnorr.com/h/golib/hws"
 	"git.haelnorr.com/h/golib/hwsauth"
 	"git.haelnorr.com/h/oslstats/internal/config"
+	"git.haelnorr.com/h/oslstats/internal/contexts"
 	"git.haelnorr.com/h/oslstats/internal/db"
-	"git.haelnorr.com/h/oslstats/pkg/contexts"
+	"git.haelnorr.com/h/oslstats/internal/rbac"

 	"github.com/pkg/errors"
 	"github.com/uptrace/bun"
@@ -19,10 +20,11 @@ func addMiddleware(
 	server *hws.Server,
 	auth *hwsauth.Authenticator[*db.User, bun.Tx],
 	cfg *config.Config,
+	perms *rbac.Checker,
 ) error {
-
 	err := server.AddMiddleware(
 		auth.Authenticate(),
+		perms.LoadPermissionsMiddleware(),
 		devMode(cfg),
 	)
 	if err != nil {
--- a/cmd/oslstats/migrate.go
+++ b/cmd/oslstats/migrate.go
@@ -10,6 +10,8 @@ import (
 	"text/tabwriter"
 	"time"

+	stderrors "errors"
+
 	"git.haelnorr.com/h/oslstats/cmd/oslstats/migrations"
 	"git.haelnorr.com/h/oslstats/internal/backup"
 	"git.haelnorr.com/h/oslstats/internal/config"
@@ -20,7 +22,10 @@ import (
 )

 // runMigrations executes database migrations
-func runMigrations(ctx context.Context, conn *bun.DB, cfg *config.Config, command string) error {
+func runMigrations(ctx context.Context, cfg *config.Config, command string) error {
+	conn, close := setupBun(cfg)
+	defer func() { _ = close() }()
+
 	migrator := migrate.NewMigrator(conn, migrations.Migrations)

 	// Initialize migration tables
@@ -30,7 +35,14 @@ func runMigrations(ctx context.Context, conn *bun.DB, cfg *config.Config, comman

 	switch command {
 	case "up":
-		return migrateUp(ctx, migrator, conn, cfg)
+		err := migrateUp(ctx, migrator, conn, cfg)
+		if err != nil {
+			err2 := migrateRollback(ctx, migrator, conn, cfg)
+			if err2 != nil {
+				return stderrors.Join(errors.Wrap(err2, "error while rolling back after migration error"), err)
+			}
+		}
+		return err
 	case "rollback":
 		return migrateRollback(ctx, migrator, conn, cfg)
 	case "status":
@@ -165,8 +177,8 @@ func migrateStatus(ctx context.Context, migrator *migrate.Migrator) error {
 	fmt.Println("╚══════════════════════════════════════════════════════════╝")

 	w := tabwriter.NewWriter(os.Stdout, 0, 0, 3, ' ', 0)
-	fmt.Fprintln(w, "STATUS\tMIGRATION\tGROUP\tMIGRATED AT")
-	fmt.Fprintln(w, "------\t---------\t-----\t-----------")
+	_, _ = fmt.Fprintln(w, "STATUS\tMIGRATION\tGROUP\tMIGRATED AT")
+	_, _ = fmt.Fprintln(w, "------\t---------\t-----\t-----------")

 	appliedCount := 0
 	for _, m := range ms {
@@ -183,10 +195,10 @@ func migrateStatus(ctx context.Context, migrator *migrate.Migrator) error {
 			}
 		}

-		fmt.Fprintf(w, "%s\t%s\t%s\t%s\n", status, m.Name, group, migratedAt)
+		_, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%s\n", status, m.Name, group, migratedAt)
 	}

-	w.Flush()
+	_ = w.Flush()

 	fmt.Printf("\n📊 Summary: %d applied, %d pending\n\n",
 		appliedCount, len(ms)-appliedCount)
@@ -293,12 +305,12 @@ func init() {
 	Migrations.MustRegister(
 		// UP migration
 		func(ctx context.Context, dbConn *bun.DB) error {
-			// TODO: Add your migration code here
+			// Add your migration code here
 			return nil
 		},
 		// DOWN migration
 		func(ctx context.Context, dbConn *bun.DB) error {
-			// TODO: Add your rollback code here
+			// Add your rollback code here
 			return nil
 		},
 	)
@@ -306,7 +318,7 @@ func init() {
 `

 	// Write file
-	if err := os.WriteFile(filename, []byte(template), 0644); err != nil {
+	if err := os.WriteFile(filename, []byte(template), 0o644); err != nil {
 		return errors.Wrap(err, "write migration file")
 	}

@@ -319,8 +331,8 @@ func init() {
 }

 // resetDatabase drops and recreates all tables (destructive)
-func resetDatabase(ctx context.Context, conn *bun.DB) error {
-	fmt.Println("⚠️  WARNING: This will DELETE ALL DATA in the database!")
+func resetDatabase(ctx context.Context, cfg *config.Config) error {
+	fmt.Println("⚠️  WARNING - This will DELETE ALL DATA in the database!")
 	fmt.Print("Type 'yes' to continue: ")

 	reader := bufio.NewReader(os.Stdin)
@@ -334,6 +346,8 @@ func resetDatabase(ctx context.Context, conn *bun.DB) error {
 		fmt.Println("❌ Reset cancelled")
 		return nil
 	}
+	conn, close := setupBun(cfg)
+	defer func() { _ = close() }()

 	models := []any{
 		(*db.User)(nil),
--- a/cmd/oslstats/migrations/20260202231414_add_rbac_system.go
+++ b/cmd/oslstats/migrations/20260202231414_add_rbac_system.go
@@ -0,0 +1,244 @@
+package migrations
+
+import (
+	"context"
+	"time"
+
+	"git.haelnorr.com/h/oslstats/internal/db"
+	"github.com/uptrace/bun"
+)
+
+func init() {
+	Migrations.MustRegister(
+		// UP migration
+		func(ctx context.Context, dbConn *bun.DB) error {
+			dbConn.RegisterModel((*db.RolePermission)(nil), (*db.UserRole)(nil))
+			// Create permissions table
+			_, err := dbConn.NewCreateTable().
+				Model((*db.Role)(nil)).
+				Exec(ctx)
+			if err != nil {
+				return err
+			}
+
+			// Create permissions table
+			_, err = dbConn.NewCreateTable().
+				Model((*db.Permission)(nil)).
+				Exec(ctx)
+			if err != nil {
+				return err
+			}
+
+			// Create indexes for permissions
+			_, err = dbConn.NewCreateIndex().
+				Model((*db.Permission)(nil)).
+				Index("idx_permissions_resource").
+				Column("resource").
+				Exec(ctx)
+			if err != nil {
+				return err
+			}
+
+			_, err = dbConn.NewCreateIndex().
+				Model((*db.Permission)(nil)).
+				Index("idx_permissions_action").
+				Column("action").
+				Exec(ctx)
+			if err != nil {
+				return err
+			}
+
+			_, err = dbConn.NewCreateTable().
+				Model((*db.RolePermission)(nil)).
+				Exec(ctx)
+			if err != nil {
+				return err
+			}
+
+			_, err = dbConn.ExecContext(ctx, `
+				CREATE INDEX idx_role_permissions_role ON role_permissions(role_id)
+			`)
+			if err != nil {
+				return err
+			}
+
+			_, err = dbConn.ExecContext(ctx, `
+				CREATE INDEX idx_role_permissions_permission ON role_permissions(permission_id)
+			`)
+			if err != nil {
+				return err
+			}
+
+			// Create user_roles table
+			_, err = dbConn.NewCreateTable().
+				Model((*db.UserRole)(nil)).
+				Exec(ctx)
+			if err != nil {
+				return err
+			}
+
+			// Create indexes for user_roles
+			_, err = dbConn.NewCreateIndex().
+				Model((*db.UserRole)(nil)).
+				Index("idx_user_roles_user").
+				Column("user_id").
+				Exec(ctx)
+			if err != nil {
+				return err
+			}
+
+			_, err = dbConn.NewCreateIndex().
+				Model((*db.UserRole)(nil)).
+				Index("idx_user_roles_role").
+				Column("role_id").
+				Exec(ctx)
+			if err != nil {
+				return err
+			}
+
+			// Create audit_log table
+			_, err = dbConn.NewCreateTable().
+				Model((*db.AuditLog)(nil)).
+				Exec(ctx)
+			if err != nil {
+				return err
+			}
+
+			// Create indexes for audit_log
+			_, err = dbConn.NewCreateIndex().
+				Model((*db.AuditLog)(nil)).
+				Index("idx_audit_log_user").
+				Column("user_id").
+				Exec(ctx)
+			if err != nil {
+				return err
+			}
+
+			_, err = dbConn.NewCreateIndex().
+				Model((*db.AuditLog)(nil)).
+				Index("idx_audit_log_action").
+				Column("action").
+				Exec(ctx)
+			if err != nil {
+				return err
+			}
+
+			_, err = dbConn.NewCreateIndex().
+				Model((*db.AuditLog)(nil)).
+				Index("idx_audit_log_resource").
+				Column("resource_type", "resource_id").
+				Exec(ctx)
+			if err != nil {
+				return err
+			}
+
+			_, err = dbConn.NewCreateIndex().
+				Model((*db.AuditLog)(nil)).
+				Index("idx_audit_log_created").
+				Column("created_at").
+				Exec(ctx)
+			if err != nil {
+				return err
+			}
+
+			// Seed system roles
+			now := time.Now().Unix()
+
+			adminRole := &db.Role{
+				Name:        "admin",
+				DisplayName: "Administrator",
+				Description: "Full system access with all permissions",
+				IsSystem:    true,
+				CreatedAt:   now,
+			}
+
+			_, err = dbConn.NewInsert().
+				Model(adminRole).
+				Returning("id").
+				Exec(ctx)
+			if err != nil {
+				return err
+			}
+
+			userRole := &db.Role{
+				Name:        "user",
+				DisplayName: "User",
+				Description: "Standard user with basic permissions",
+				IsSystem:    true,
+				CreatedAt:   now,
+			}
+
+			_, err = dbConn.NewInsert().
+				Model(userRole).
+				Exec(ctx)
+			if err != nil {
+				return err
+			}
+
+			// Seed system permissions
+			permissionsData := []*db.Permission{
+				{Name: "*", DisplayName: "Wildcard (All Permissions)", Description: "Grants access to all permissions, past, present, and future", Resource: "*", Action: "*", IsSystem: true, CreatedAt: now},
+				{Name: "seasons.create", DisplayName: "Create Seasons", Description: "Create new seasons", Resource: "seasons", Action: "create", IsSystem: true, CreatedAt: now},
+				{Name: "seasons.update", DisplayName: "Update Seasons", Description: "Update existing seasons", Resource: "seasons", Action: "update", IsSystem: true, CreatedAt: now},
+				{Name: "seasons.delete", DisplayName: "Delete Seasons", Description: "Delete seasons", Resource: "seasons", Action: "delete", IsSystem: true, CreatedAt: now},
+				{Name: "users.update", DisplayName: "Update Users", Description: "Update user information", Resource: "users", Action: "update", IsSystem: true, CreatedAt: now},
+				{Name: "users.ban", DisplayName: "Ban Users", Description: "Ban users from the system", Resource: "users", Action: "ban", IsSystem: true, CreatedAt: now},
+				{Name: "users.manage_roles", DisplayName: "Manage User Roles", Description: "Assign and revoke user roles", Resource: "users", Action: "manage_roles", IsSystem: true, CreatedAt: now},
+			}
+
+			_, err = dbConn.NewInsert().
+				Model(&permissionsData).
+				Exec(ctx)
+			if err != nil {
+				return err
+			}
+
+			// Grant wildcard permission to admin role using Bun
+			// First, get the IDs
+			var wildcardPerm db.Permission
+			err = dbConn.NewSelect().
+				Model(&wildcardPerm).
+				Where("name = ?", "*").
+				Scan(ctx)
+			if err != nil {
+				return err
+			}
+
+			// Insert role_permission mapping
+			adminRolePerms := &db.RolePermission{
+				RoleID:       adminRole.ID,
+				PermissionID: wildcardPerm.ID,
+			}
+			_, err = dbConn.NewInsert().
+				Model(adminRolePerms).
+				On("CONFLICT (role_id, permission_id) DO NOTHING").
+				Exec(ctx)
+			if err != nil {
+				return err
+			}
+
+			return nil
+		},
+		// DOWN migration
+		func(ctx context.Context, dbConn *bun.DB) error {
+			// Drop tables in reverse order
+			// Use raw SQL to avoid relationship resolution issues
+			tables := []string{
+				"audit_log",
+				"user_roles",
+				"role_permissions",
+				"permissions",
+				"roles",
+			}
+
+			for _, table := range tables {
+				_, err := dbConn.ExecContext(ctx, "DROP TABLE IF EXISTS "+table+" CASCADE")
+				if err != nil {
+					return err
+				}
+			}
+
+			return nil
+		},
+	)
+}
--- a/cmd/oslstats/migrations/migrations.go
+++ b/cmd/oslstats/migrations/migrations.go
@@ -1,3 +1,4 @@
+// Package migrations defines the database migrations to apply when using the migrate tags
 package migrations

 import (
--- a/cmd/oslstats/routes.go
+++ b/cmd/oslstats/routes.go
@@ -8,10 +8,12 @@ import (
 	"github.com/pkg/errors"
 	"github.com/uptrace/bun"

+	"git.haelnorr.com/h/oslstats/internal/auditlog"
 	"git.haelnorr.com/h/oslstats/internal/config"
 	"git.haelnorr.com/h/oslstats/internal/db"
 	"git.haelnorr.com/h/oslstats/internal/discord"
 	"git.haelnorr.com/h/oslstats/internal/handlers"
+	"git.haelnorr.com/h/oslstats/internal/rbac"
 	"git.haelnorr.com/h/oslstats/internal/store"
 )

@@ -23,9 +25,16 @@ func addRoutes(
 	auth *hwsauth.Authenticator[*db.User, bun.Tx],
 	store *store.Store,
 	discordAPI *discord.APIClient,
+	perms *rbac.Checker,
+	audit *auditlog.Logger,
 ) error {
 	// Create the routes
 	pageroutes := []hws.Route{
+		{
+			Path:    "/permtest",
+			Methods: []hws.Method{hws.MethodGET, hws.MethodPOST},
+			Handler: handlers.PermTester(s, conn),
+		},
 		{
 			Path:    "/static/",
 			Method:  hws.MethodGET,
@@ -59,8 +68,7 @@ func addRoutes(
 		{
 			Path:    "/notification-tester",
 			Methods: []hws.Method{hws.MethodGET, hws.MethodPOST},
-			Handler: handlers.NotifyTester(s),
-			// TODO: add login protection
+			Handler: perms.RequireAdmin(s)(handlers.NotifyTester(s)),
 		},
 		{
 			Path:    "/seasons",
@@ -115,8 +123,24 @@ func addRoutes(
 		},
 	}

+	// Admin routes
+	adminRoutes := []hws.Route{
+		{
+			// TODO: on page load, redirect to /admin/users
+			Path:    "/admin",
+			Method:  hws.MethodGET,
+			Handler: perms.RequireAdmin(s)(handlers.AdminDashboard(s, conn)),
+		},
+		{
+			Path:    "/admin/users",
+			Method:  hws.MethodPOST,
+			Handler: perms.RequireAdmin(s)(handlers.AdminUsersList(s, conn)),
+		},
+	}
+
 	routes := append(pageroutes, htmxRoutes...)
 	routes = append(routes, wsRoutes...)
+	routes = append(routes, adminRoutes...)

 	// Register the routes with the server
 	err := s.AddRoutes(routes...)
--- a/cmd/oslstats/run.go
+++ b/cmd/oslstats/run.go
@@ -13,8 +13,8 @@ import (

 	"git.haelnorr.com/h/oslstats/internal/config"
 	"git.haelnorr.com/h/oslstats/internal/discord"
+	"git.haelnorr.com/h/oslstats/internal/embedfs"
 	"git.haelnorr.com/h/oslstats/internal/store"
-	"git.haelnorr.com/h/oslstats/pkg/embedfs"
 )

 // Initializes and runs the server
@@ -25,10 +25,8 @@ func run(ctx context.Context, logger *hlog.Logger, cfg *config.Config) error {
 	// Setup the database connection
 	logger.Debug().Msg("Config loaded and logger started")
 	logger.Debug().Msg("Connecting to database")
-	bun, closedb, err := setupBun(ctx, cfg)
-	if err != nil {
-		return errors.Wrap(err, "setupDBConn")
-	}
+	bun, closedb := setupBun(cfg)
+	registerDBModels(bun)

 	// Setup embedded files
 	logger.Debug().Msg("Getting embedded files")
--- a/go.mod
+++ b/go.mod
@@ -6,8 +6,8 @@ require (
 	git.haelnorr.com/h/golib/env v0.9.1
 	git.haelnorr.com/h/golib/ezconf v0.1.1
 	git.haelnorr.com/h/golib/hlog v0.10.4
-	git.haelnorr.com/h/golib/hws v0.4.4
-	git.haelnorr.com/h/golib/hwsauth v0.5.4
+	git.haelnorr.com/h/golib/hws v0.5.0
+	git.haelnorr.com/h/golib/hwsauth v0.5.5
 	git.haelnorr.com/h/golib/notify v0.1.0
 	github.com/a-h/templ v0.3.977
 	github.com/coder/websocket v1.8.14
--- a/go.sum
+++ b/go.sum
@@ -6,10 +6,10 @@ git.haelnorr.com/h/golib/ezconf v0.1.1 h1:4euTSDb9jvuQQkVq+x5gHoYPYyUZPWxoOSlWCI
 git.haelnorr.com/h/golib/ezconf v0.1.1/go.mod h1:rETDcjpcEyyeBgCiZSU617wc0XycwZSC5+IAOtXmwP8=
 git.haelnorr.com/h/golib/hlog v0.10.4 h1:vpCsV/OddjIYx8F48U66WxojjmhEbeLGQAOBG4ViSRQ=
 git.haelnorr.com/h/golib/hlog v0.10.4/go.mod h1:+wJ8vecQY/JITTXKmI3JfkHiUGyMs7N6wooj2wuWZbc=
-git.haelnorr.com/h/golib/hws v0.4.4 h1:tV9UjZ4q96UlOdJKsC7b3kDV+bpQYqKVPQuaV1n3U3k=
-git.haelnorr.com/h/golib/hws v0.4.4/go.mod h1:dxAbbGGNzqLXhZXwgt091QsvsPBdrS+1YsNQNldNVoM=
-git.haelnorr.com/h/golib/hwsauth v0.5.4 h1:nuaiVpJHHXgKVRPoQSE/v3CJHSkivViK5h3SVhEcbbM=
-git.haelnorr.com/h/golib/hwsauth v0.5.4/go.mod h1:eIjRPeGycvxRWERkxCoRVMEEhHuUdiPDvjpzzZOhQ0w=
+git.haelnorr.com/h/golib/hws v0.5.0 h1:0CSv2f+dm/KzB/o5o6uXCyvN74iBdMTImhkyAZzU52c=
+git.haelnorr.com/h/golib/hws v0.5.0/go.mod h1:dxAbbGGNzqLXhZXwgt091QsvsPBdrS+1YsNQNldNVoM=
+git.haelnorr.com/h/golib/hwsauth v0.5.5 h1:w1qssktq0zYo5cC/xa44h/ZE5G5r7rIsJ4QQWq2Jeoo=
+git.haelnorr.com/h/golib/hwsauth v0.5.5/go.mod h1:xPdxqHzr1ZU0MHlG4o8r1zEstBu4FJCdaA0ZHSFxmKA=
 git.haelnorr.com/h/golib/jwt v0.10.1 h1:1Adxt9H3Y4fWFvFjWpvg/vSFhbgCMDMxgiE3m7KvDMI=
 git.haelnorr.com/h/golib/jwt v0.10.1/go.mod h1:fbuPrfucT9lL0faV5+Q5Gk9WFJxPlwzRPpbMQKYZok4=
 git.haelnorr.com/h/golib/notify v0.1.0 h1:xdf6zd21F6n+SuGTeJiuLNMf6zFXMvwpKD0gmNq8N10=
--- a/internal/auditlog/logger.go
+++ b/internal/auditlog/logger.go
@@ -0,0 +1,164 @@
+// Package auditlog provides a system for logging events that require permissions to the audit log
+package auditlog
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"time"
+
+	"git.haelnorr.com/h/oslstats/internal/db"
+	"github.com/pkg/errors"
+	"github.com/uptrace/bun"
+)
+
+type Logger struct {
+	conn *bun.DB
+}
+
+func NewLogger(conn *bun.DB) *Logger {
+	return &Logger{conn: conn}
+}
+
+// LogSuccess logs a successful permission-protected action
+func (l *Logger) LogSuccess(
+	ctx context.Context,
+	tx bun.Tx,
+	user *db.User,
+	action string,
+	resourceType string,
+	resourceID any, // Can be int, string, or nil
+	details map[string]any,
+	r *http.Request,
+) error {
+	return l.log(ctx, tx, user, action, resourceType, resourceID, details, "success", nil, r)
+}
+
+// LogError logs a failed action due to an error
+func (l *Logger) LogError(
+	ctx context.Context,
+	tx bun.Tx,
+	user *db.User,
+	action string,
+	resourceType string,
+	resourceID any,
+	err error,
+	r *http.Request,
+) error {
+	errMsg := err.Error()
+	return l.log(ctx, tx, user, action, resourceType, resourceID, nil, "error", &errMsg, r)
+}
+
+func (l *Logger) log(
+	ctx context.Context,
+	tx bun.Tx,
+	user *db.User,
+	action string,
+	resourceType string,
+	resourceID any,
+	details map[string]any,
+	result string,
+	errorMessage *string,
+	r *http.Request,
+) error {
+	if user == nil {
+		return errors.New("user cannot be nil for audit logging")
+	}
+
+	// Convert resourceID to string
+	var resourceIDStr *string
+	if resourceID != nil {
+		idStr := fmt.Sprintf("%v", resourceID)
+		resourceIDStr = &idStr
+	}
+
+	// Marshal details to JSON
+	var detailsJSON json.RawMessage
+	if details != nil {
+		jsonBytes, err := json.Marshal(details)
+		if err != nil {
+			return errors.Wrap(err, "json.Marshal details")
+		}
+		detailsJSON = jsonBytes
+	}
+
+	// Extract IP and User-Agent from request
+	ipAddress := r.RemoteAddr
+	userAgent := r.UserAgent()
+
+	log := &db.AuditLog{
+		UserID:       user.ID,
+		Action:       action,
+		ResourceType: resourceType,
+		ResourceID:   resourceIDStr,
+		Details:      detailsJSON,
+		IPAddress:    ipAddress,
+		UserAgent:    userAgent,
+		Result:       result,
+		ErrorMessage: errorMessage,
+		CreatedAt:    time.Now().Unix(),
+	}
+
+	return db.CreateAuditLog(ctx, tx, log)
+}
+
+// GetRecentLogs retrieves recent audit logs with pagination
+func (l *Logger) GetRecentLogs(ctx context.Context, pageOpts *db.PageOpts) (*db.AuditLogs, error) {
+	tx, err := l.conn.BeginTx(ctx, nil)
+	if err != nil {
+		return nil, errors.Wrap(err, "conn.BeginTx")
+	}
+	defer func() { _ = tx.Rollback() }()
+
+	logs, err := db.GetAuditLogs(ctx, tx, pageOpts, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	_ = tx.Commit() // read only transaction
+	return logs, nil
+}
+
+// GetLogsByUser retrieves audit logs for a specific user
+func (l *Logger) GetLogsByUser(ctx context.Context, userID int, pageOpts *db.PageOpts) (*db.AuditLogs, error) {
+	tx, err := l.conn.BeginTx(ctx, nil)
+	if err != nil {
+		return nil, errors.Wrap(err, "conn.BeginTx")
+	}
+	defer func() { _ = tx.Rollback() }()
+
+	logs, err := db.GetAuditLogsByUser(ctx, tx, userID, pageOpts)
+	if err != nil {
+		return nil, err
+	}
+
+	_ = tx.Commit() // read only transaction
+	return logs, nil
+}
+
+// CleanupOldLogs deletes audit logs older than the specified number of days
+func (l *Logger) CleanupOldLogs(ctx context.Context, daysToKeep int) (int, error) {
+	if daysToKeep <= 0 {
+		return 0, errors.New("daysToKeep must be positive")
+	}
+
+	cutoffTime := time.Now().AddDate(0, 0, -daysToKeep).Unix()
+
+	tx, err := l.conn.BeginTx(ctx, nil)
+	if err != nil {
+		return 0, errors.Wrap(err, "conn.BeginTx")
+	}
+	defer func() { _ = tx.Rollback() }()
+
+	count, err := db.CleanupOldAuditLogs(ctx, tx, cutoffTime)
+	if err != nil {
+		return 0, err
+	}
+
+	err = tx.Commit()
+	if err != nil {
+		return 0, errors.Wrap(err, "tx.Commit")
+	}
+	return count, nil
+}
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -1,3 +1,4 @@
+// Package config provides the environment based configuration for the program
 package config

 import (
@@ -7,6 +8,7 @@ import (
 	"git.haelnorr.com/h/golib/hwsauth"
 	"git.haelnorr.com/h/oslstats/internal/db"
 	"git.haelnorr.com/h/oslstats/internal/discord"
+	"git.haelnorr.com/h/oslstats/internal/rbac"
 	"git.haelnorr.com/h/oslstats/pkg/oauth"
 	"github.com/joho/godotenv"
 	"github.com/pkg/errors"
@@ -19,10 +21,11 @@ type Config struct {
 	HLOG    *hlog.Config
 	Discord *discord.Config
 	OAuth   *oauth.Config
+	RBAC    *rbac.Config
 	Flags   *Flags
 }

-// Load the application configuration and get a pointer to the Config object
+// GetConfig loads the application configuration and returns a pointer to the Config object
 // If doconly is specified, only the loader will be returned
 func GetConfig(flags *Flags) (*Config, *ezconf.ConfigLoader, error) {
 	err := godotenv.Load(flags.EnvFile)
@@ -31,14 +34,18 @@ func GetConfig(flags *Flags) (*Config, *ezconf.ConfigLoader, error) {
 	}

 	loader := ezconf.New()
-	loader.RegisterIntegrations(
+	err = loader.RegisterIntegrations(
 		hlog.NewEZConfIntegration(),
 		hws.NewEZConfIntegration(),
 		hwsauth.NewEZConfIntegration(),
 		db.NewEZConfIntegration(),
 		discord.NewEZConfIntegration(),
 		oauth.NewEZConfIntegration(),
+		rbac.NewEZConfIntegration(),
 	)
+	if err != nil {
+		return nil, nil, errors.Wrap(err, "loader.RegisterIntegrations")
+	}
 	if err := loader.ParseEnvVars(); err != nil {
 		return nil, nil, errors.Wrap(err, "loader.ParseEnvVars")
 	}
@@ -81,6 +88,11 @@ func GetConfig(flags *Flags) (*Config, *ezconf.ConfigLoader, error) {
 		return nil, nil, errors.New("OAuth Config not loaded")
 	}

+	rbaccfg, ok := loader.GetConfig("rbac")
+	if !ok {
+		return nil, nil, errors.New("RBAC Config not loaded")
+	}
+
 	config := &Config{
 		DB:      dbcfg.(*db.Config),
 		HWS:     hwscfg.(*hws.Config),
@@ -88,6 +100,7 @@ func GetConfig(flags *Flags) (*Config, *ezconf.ConfigLoader, error) {
 		HLOG:    hlogcfg.(*hlog.Config),
 		Discord: discordcfg.(*discord.Config),
 		OAuth:   oauthcfg.(*oauth.Config),
+		RBAC:    rbaccfg.(*rbac.Config),
 		Flags:   flags,
 	}

--- a/internal/contexts/devmode.go
+++ b/internal/contexts/devmode.go
@@ -2,14 +2,6 @@ package contexts

 import "context"

-type Key string
-
-func (c Key) String() string {
-	return "oslstats context key " + string(c)
-}
-
-var DevModeKey Key = Key("devmode")
-
 func DevMode(ctx context.Context) DevInfo {
 	devmode, ok := ctx.Value(DevModeKey).(DevInfo)
 	if !ok {
--- a/internal/contexts/keys.go
+++ b/internal/contexts/keys.go
@@ -0,0 +1,13 @@
+// Package contexts provides utilities for loading and extracting structs from contexts
+package contexts
+
+type Key string
+
+func (c Key) String() string {
+	return "oslstats context key " + string(c)
+}
+
+var (
+	DevModeKey         Key = Key("devmode")
+	PermissionCacheKey Key = Key("permissions")
+)
--- a/internal/contexts/permissions.go
+++ b/internal/contexts/permissions.go
@@ -0,0 +1,23 @@
+package contexts
+
+import (
+	"context"
+
+	"git.haelnorr.com/h/oslstats/internal/permissions"
+	"git.haelnorr.com/h/oslstats/internal/roles"
+)
+
+// Permissions retrieves the permission cache from context (type-safe)
+func Permissions(ctx context.Context) *PermissionCache {
+	cache, ok := ctx.Value(PermissionCacheKey).(*PermissionCache)
+	if !ok {
+		return nil
+	}
+	return cache
+}
+
+type PermissionCache struct {
+	Permissions map[permissions.Permission]bool
+	Roles       map[roles.Role]bool
+	HasWildcard bool
+}
--- a/internal/db/auditlog.go
+++ b/internal/db/auditlog.go
@@ -0,0 +1,151 @@
+package db
+
+import (
+	"context"
+	"database/sql"
+	"encoding/json"
+
+	"github.com/pkg/errors"
+	"github.com/uptrace/bun"
+)
+
+type AuditLog struct {
+	bun.BaseModel `bun:"table:audit_log,alias:al"`
+
+	ID           int             `bun:"id,pk,autoincrement"`
+	UserID       int             `bun:"user_id,notnull"`
+	Action       string          `bun:"action,notnull"`
+	ResourceType string          `bun:"resource_type,notnull"`
+	ResourceID   *string         `bun:"resource_id"`
+	Details      json.RawMessage `bun:"details,type:jsonb"`
+	IPAddress    string          `bun:"ip_address"`
+	UserAgent    string          `bun:"user_agent"`
+	Result       string          `bun:"result,notnull"` // success, denied, error
+	ErrorMessage *string         `bun:"error_message"`
+	CreatedAt    int64           `bun:"created_at,notnull"`
+
+	// Relations
+	User *User `bun:"rel:belongs-to,join:user_id=id"`
+}
+
+type AuditLogs struct {
+	AuditLogs []*AuditLog
+	Total     int
+	PageOpts  PageOpts
+}
+
+// CreateAuditLog creates a new audit log entry
+func CreateAuditLog(ctx context.Context, tx bun.Tx, log *AuditLog) error {
+	if log == nil {
+		return errors.New("log cannot be nil")
+	}
+
+	_, err := tx.NewInsert().
+		Model(log).
+		Exec(ctx)
+	if err != nil {
+		return errors.Wrap(err, "tx.NewInsert")
+	}
+
+	return nil
+}
+
+type AuditLogFilters struct {
+	UserID       *int
+	Action       *string
+	ResourceType *string
+	Result       *string
+}
+
+// GetAuditLogs retrieves audit logs with optional filters and pagination
+func GetAuditLogs(ctx context.Context, tx bun.Tx, pageOpts *PageOpts, filters *AuditLogFilters) (*AuditLogs, error) {
+	pageOpts = setDefaultPageOpts(pageOpts, 1, 50, bun.OrderDesc, "created_at")
+	query := tx.NewSelect().
+		Model((*AuditLog)(nil)).
+		Relation("User").
+		OrderBy(pageOpts.OrderBy, pageOpts.Order)
+
+	// Apply filters if provided
+	if filters != nil {
+		if filters.UserID != nil {
+			query = query.Where("al.user_id = ?", *filters.UserID)
+		}
+		if filters.Action != nil {
+			query = query.Where("al.action = ?", *filters.Action)
+		}
+		if filters.ResourceType != nil {
+			query = query.Where("al.resource_type = ?", *filters.ResourceType)
+		}
+		if filters.Result != nil {
+			query = query.Where("al.result = ?", *filters.Result)
+		}
+	}
+
+	// Get total count
+	total, err := query.Count(ctx)
+	if err != nil {
+		return nil, errors.Wrap(err, "query.Count")
+	}
+
+	// Get paginated results
+	logs := new([]*AuditLog)
+	err = query.
+		Offset(pageOpts.PerPage*(pageOpts.Page-1)).
+		Limit(pageOpts.PerPage).
+		Scan(ctx, &logs)
+	if err != nil && err != sql.ErrNoRows {
+		return nil, errors.Wrap(err, "query.Scan")
+	}
+
+	list := &AuditLogs{
+		AuditLogs: *logs,
+		Total:     total,
+		PageOpts:  *pageOpts,
+	}
+
+	return list, nil
+}
+
+// GetAuditLogsByUser retrieves audit logs for a specific user
+func GetAuditLogsByUser(ctx context.Context, tx bun.Tx, userID int, pageOpts *PageOpts) (*AuditLogs, error) {
+	if userID <= 0 {
+		return nil, errors.New("userID must be positive")
+	}
+
+	filters := &AuditLogFilters{
+		UserID: &userID,
+	}
+
+	return GetAuditLogs(ctx, tx, pageOpts, filters)
+}
+
+// GetAuditLogsByAction retrieves audit logs for a specific action
+func GetAuditLogsByAction(ctx context.Context, tx bun.Tx, action string, pageOpts *PageOpts) (*AuditLogs, error) {
+	if action == "" {
+		return nil, errors.New("action cannot be empty")
+	}
+
+	filters := &AuditLogFilters{
+		Action: &action,
+	}
+
+	return GetAuditLogs(ctx, tx, pageOpts, filters)
+}
+
+// CleanupOldAuditLogs deletes audit logs older than the specified timestamp
+func CleanupOldAuditLogs(ctx context.Context, tx bun.Tx, olderThan int64) (int, error) {
+	result, err := tx.NewDelete().
+		Model((*AuditLog)(nil)).
+		Where("created_at < ?", olderThan).
+		Exec(ctx)
+	if err != nil {
+		return 0, errors.Wrap(err, "tx.NewDelete")
+	}
+
+	rowsAffected, err := result.RowsAffected()
+	if err != nil {
+		return 0, errors.Wrap(err, "result.RowsAffected")
+	}
+
+	return int(rowsAffected), nil
+}
--- a/internal/db/discordtokens.go
+++ b/internal/db/discordtokens.go
@@ -22,14 +22,14 @@ type DiscordToken struct {

 // UpdateDiscordToken adds the provided discord token to the database.
 // If the user already has a token stored, it will replace that token instead.
-func (user *User) UpdateDiscordToken(ctx context.Context, tx bun.Tx, token *discord.Token) error {
+func (u *User) UpdateDiscordToken(ctx context.Context, tx bun.Tx, token *discord.Token) error {
 	if token == nil {
 		return errors.New("token cannot be nil")
 	}
 	expiresAt := time.Now().Add(time.Duration(token.ExpiresIn) * time.Second).Unix()

 	discordToken := &DiscordToken{
-		DiscordID:    user.DiscordID,
+		DiscordID:    u.DiscordID,
 		AccessToken:  token.AccessToken,
 		RefreshToken: token.RefreshToken,
 		ExpiresAt:    expiresAt,
@@ -44,7 +44,6 @@ func (user *User) UpdateDiscordToken(ctx context.Context, tx bun.Tx, token *disc
 		Set("refresh_token = EXCLUDED.refresh_token").
 		Set("expires_at = EXCLUDED.expires_at").
 		Exec(ctx)
-
 	if err != nil {
 		return errors.Wrap(err, "tx.NewInsert")
 	}
@@ -53,14 +52,14 @@ func (user *User) UpdateDiscordToken(ctx context.Context, tx bun.Tx, token *disc

 // DeleteDiscordTokens deletes a users discord OAuth tokens from the database.
 // It returns the DiscordToken so that it can be revoked via the discord API
-func (user *User) DeleteDiscordTokens(ctx context.Context, tx bun.Tx) (*DiscordToken, error) {
-	token, err := user.GetDiscordToken(ctx, tx)
+func (u *User) DeleteDiscordTokens(ctx context.Context, tx bun.Tx) (*DiscordToken, error) {
+	token, err := u.GetDiscordToken(ctx, tx)
 	if err != nil {
 		return nil, errors.Wrap(err, "user.GetDiscordToken")
 	}
 	_, err = tx.NewDelete().
 		Model((*DiscordToken)(nil)).
-		Where("discord_id = ?", user.DiscordID).
+		Where("discord_id = ?", u.DiscordID).
 		Exec(ctx)
 	if err != nil {
 		return nil, errors.Wrap(err, "tx.NewDelete")
@@ -69,11 +68,11 @@ func (user *User) DeleteDiscordTokens(ctx context.Context, tx bun.Tx) (*DiscordT
 }

 // GetDiscordToken retrieves the users discord token from the database
-func (user *User) GetDiscordToken(ctx context.Context, tx bun.Tx) (*DiscordToken, error) {
+func (u *User) GetDiscordToken(ctx context.Context, tx bun.Tx) (*DiscordToken, error) {
 	token := new(DiscordToken)
 	err := tx.NewSelect().
 		Model(token).
-		Where("discord_id = ?", user.DiscordID).
+		Where("discord_id = ?", u.DiscordID).
 		Limit(1).
 		Scan(ctx)
 	if err != nil {
--- a/internal/db/paginate.go
+++ b/internal/db/paginate.go
@@ -15,6 +15,25 @@ type OrderOpts struct {
 	Label   string
 }

+func setDefaultPageOpts(p *PageOpts, page, perpage int, order bun.Order, orderby string) *PageOpts {
+	if p == nil {
+		p = new(PageOpts)
+	}
+	if p.Page == 0 {
+		p.Page = page
+	}
+	if p.PerPage == 0 {
+		p.PerPage = perpage
+	}
+	if p.Order == "" {
+		p.Order = order
+	}
+	if p.OrderBy == "" {
+		p.OrderBy = orderby
+	}
+	return p
+}
+
 // TotalPages calculates the total number of pages
 func (p *PageOpts) TotalPages(total int) int {
 	if p.PerPage == 0 {
@@ -48,7 +67,7 @@ func (p *PageOpts) GetPageRange(total int, maxButtons int) []int {
 	// If total pages is less than max buttons, show all pages
 	if totalPages <= maxButtons {
 		pages := make([]int, totalPages)
-		for i := 0; i < totalPages; i++ {
+		for i := range totalPages {
 			pages[i] = i + 1
 		}
 		return pages
--- a/internal/db/permission.go
+++ b/internal/db/permission.go
@@ -0,0 +1,156 @@
+package db
+
+import (
+	"context"
+	"database/sql"
+
+	"git.haelnorr.com/h/oslstats/internal/permissions"
+	"github.com/pkg/errors"
+	"github.com/uptrace/bun"
+)
+
+type Permission struct {
+	bun.BaseModel `bun:"table:permissions,alias:p"`
+
+	ID          int                    `bun:"id,pk,autoincrement"`
+	Name        permissions.Permission `bun:"name,unique,notnull"`
+	DisplayName string                 `bun:"display_name,notnull"`
+	Description string                 `bun:"description"`
+	Resource    string                 `bun:"resource,notnull"`
+	Action      string                 `bun:"action,notnull"`
+	IsSystem    bool                   `bun:"is_system,default:false"`
+	CreatedAt   int64                  `bun:"created_at,notnull"`
+
+	Roles []Role `bun:"m2m:role_permissions,join:Permission=Role"`
+}
+
+// GetPermissionByName queries the database for a permission matching the given name
+// Returns nil, nil if no permission is found
+func GetPermissionByName(ctx context.Context, tx bun.Tx, name permissions.Permission) (*Permission, error) {
+	if name == "" {
+		return nil, errors.New("name cannot be empty")
+	}
+
+	perm := new(Permission)
+	err := tx.NewSelect().
+		Model(perm).
+		Where("name = ?", name).
+		Limit(1).
+		Scan(ctx)
+	if err != nil && err != sql.ErrNoRows {
+		return nil, errors.Wrap(err, "tx.NewSelect")
+	}
+	return perm, nil
+}
+
+// GetPermissionByID queries the database for a permission matching the given ID
+// Returns nil, nil if no permission is found
+func GetPermissionByID(ctx context.Context, tx bun.Tx, id int) (*Permission, error) {
+	if id <= 0 {
+		return nil, errors.New("id must be positive")
+	}
+
+	perm := new(Permission)
+	err := tx.NewSelect().
+		Model(perm).
+		Where("id = ?", id).
+		Limit(1).
+		Scan(ctx)
+	if err != nil && err != sql.ErrNoRows {
+		return nil, errors.Wrap(err, "tx.NewSelect")
+	}
+	return perm, nil
+}
+
+// GetPermissionsByResource queries for all permissions for a given resource
+func GetPermissionsByResource(ctx context.Context, tx bun.Tx, resource string) ([]*Permission, error) {
+	if resource == "" {
+		return nil, errors.New("resource cannot be empty")
+	}
+
+	var perms []*Permission
+	err := tx.NewSelect().
+		Model(&perms).
+		Where("resource = ?", resource).
+		Order("action ASC").
+		Scan(ctx)
+	if err != nil && err != sql.ErrNoRows {
+		return nil, errors.Wrap(err, "tx.NewSelect")
+	}
+	return perms, nil
+}
+
+// GetPermissionsByIDs queries for permissions matching the given IDs
+func GetPermissionsByIDs(ctx context.Context, tx bun.Tx, ids []int) ([]*Permission, error) {
+	if len(ids) == 0 {
+		return []*Permission{}, nil
+	}
+
+	var perms []*Permission
+	err := tx.NewSelect().
+		Model(&perms).
+		Where("id IN (?)", bun.In(ids)).
+		Scan(ctx)
+	if err != nil && err != sql.ErrNoRows {
+		return nil, errors.Wrap(err, "tx.NewSelect")
+	}
+	return perms, nil
+}
+
+// ListAllPermissions returns all permissions
+func ListAllPermissions(ctx context.Context, tx bun.Tx) ([]*Permission, error) {
+	var perms []*Permission
+	err := tx.NewSelect().
+		Model(&perms).
+		Order("resource ASC", "action ASC").
+		Scan(ctx)
+	if err != nil && err != sql.ErrNoRows {
+		return nil, errors.Wrap(err, "tx.NewSelect")
+	}
+	return perms, nil
+}
+
+// CreatePermission creates a new permission
+func CreatePermission(ctx context.Context, tx bun.Tx, perm *Permission) error {
+	if perm == nil {
+		return errors.New("permission cannot be nil")
+	}
+
+	_, err := tx.NewInsert().
+		Model(perm).
+		Exec(ctx)
+	if err != nil {
+		return errors.Wrap(err, "tx.NewInsert")
+	}
+
+	return nil
+}
+
+// DeletePermission deletes a permission (checks IsSystem protection)
+func DeletePermission(ctx context.Context, tx bun.Tx, id int) error {
+	if id <= 0 {
+		return errors.New("id must be positive")
+	}
+
+	// Check if permission is system permission
+	perm, err := GetPermissionByID(ctx, tx, id)
+	if err != nil {
+		return errors.Wrap(err, "GetPermissionByID")
+	}
+	if perm == nil {
+		return errors.New("permission not found")
+	}
+	if perm.IsSystem {
+		return errors.New("cannot delete system permission")
+	}
+
+	_, err = tx.NewDelete().
+		Model((*Permission)(nil)).
+		Where("id = ?", id).
+		Exec(ctx)
+	if err != nil {
+		return errors.Wrap(err, "tx.NewDelete")
+	}
+
+	return nil
+}
--- a/internal/db/role.go
+++ b/internal/db/role.go
@@ -0,0 +1,214 @@
+package db
+
+import (
+	"context"
+	"database/sql"
+	"time"
+
+	"git.haelnorr.com/h/oslstats/internal/roles"
+	"github.com/pkg/errors"
+	"github.com/uptrace/bun"
+)
+
+type Role struct {
+	bun.BaseModel `bun:"table:roles,alias:r"`
+
+	ID          int        `bun:"id,pk,autoincrement"`
+	Name        roles.Role `bun:"name,unique,notnull"`
+	DisplayName string     `bun:"display_name,notnull"`
+	Description string     `bun:"description"`
+	IsSystem    bool       `bun:"is_system,default:false"`
+	CreatedAt   int64      `bun:"created_at,notnull"`
+	UpdatedAt   *int64     `bun:"updated_at"`
+
+	// Relations (loaded on demand)
+	Users       []User       `bun:"m2m:user_roles,join:Role=User"`
+	Permissions []Permission `bun:"m2m:role_permissions,join:Role=Permission"`
+}
+
+type RolePermission struct {
+	RoleID       int         `bun:",pk"`
+	Role         *Role       `bun:"rel:belongs-to,join:role_id=id"`
+	PermissionID int         `bun:",pk"`
+	Permission   *Permission `bun:"rel:belongs-to,join:permission_id=id"`
+}
+
+// GetRoleByName queries the database for a role matching the given name
+// Returns nil, nil if no role is found
+func GetRoleByName(ctx context.Context, tx bun.Tx, name roles.Role) (*Role, error) {
+	if name == "" {
+		return nil, errors.New("name cannot be empty")
+	}
+
+	role := new(Role)
+	err := tx.NewSelect().
+		Model(role).
+		Where("name = ?", name).
+		Limit(1).
+		Scan(ctx)
+	if err != nil && err != sql.ErrNoRows {
+		return nil, errors.Wrap(err, "tx.NewSelect")
+	}
+	return role, nil
+}
+
+// GetRoleByID queries the database for a role matching the given ID
+// Returns nil, nil if no role is found
+func GetRoleByID(ctx context.Context, tx bun.Tx, id int) (*Role, error) {
+	if id <= 0 {
+		return nil, errors.New("id must be positive")
+	}
+
+	role := new(Role)
+	err := tx.NewSelect().
+		Model(role).
+		Where("id = ?", id).
+		Limit(1).
+		Scan(ctx)
+	if err != nil && err != sql.ErrNoRows {
+		return nil, errors.Wrap(err, "tx.NewSelect")
+	}
+	return role, nil
+}
+
+// GetRoleWithPermissions loads a role and all its permissions
+func GetRoleWithPermissions(ctx context.Context, tx bun.Tx, id int) (*Role, error) {
+	if id <= 0 {
+		return nil, errors.New("id must be positive")
+	}
+
+	role := new(Role)
+	err := tx.NewSelect().
+		Model(role).
+		Where("id = ?", id).
+		Relation("Permissions").
+		Limit(1).
+		Scan(ctx)
+	if err != nil && err != sql.ErrNoRows {
+		return nil, errors.Wrap(err, "tx.NewSelect")
+	}
+	return role, nil
+}
+
+// ListAllRoles returns all roles
+func ListAllRoles(ctx context.Context, tx bun.Tx) ([]*Role, error) {
+	var roles []*Role
+	err := tx.NewSelect().
+		Model(&roles).
+		Order("name ASC").
+		Scan(ctx)
+	if err != nil && err != sql.ErrNoRows {
+		return nil, errors.Wrap(err, "tx.NewSelect")
+	}
+	return roles, nil
+}
+
+// CreateRole creates a new role
+func CreateRole(ctx context.Context, tx bun.Tx, role *Role) error {
+	if role == nil {
+		return errors.New("role cannot be nil")
+	}
+	role.CreatedAt = time.Now().Unix()
+
+	_, err := tx.NewInsert().
+		Model(role).
+		Exec(ctx)
+	if err != nil {
+		return errors.Wrap(err, "tx.NewInsert")
+	}
+
+	return nil
+}
+
+// UpdateRole updates an existing role
+func UpdateRole(ctx context.Context, tx bun.Tx, role *Role) error {
+	if role == nil {
+		return errors.New("role cannot be nil")
+	}
+	if role.ID <= 0 {
+		return errors.New("role id must be positive")
+	}
+
+	_, err := tx.NewUpdate().
+		Model(role).
+		WherePK().
+		Exec(ctx)
+	if err != nil {
+		return errors.Wrap(err, "tx.NewUpdate")
+	}
+
+	return nil
+}
+
+// DeleteRole deletes a role (checks IsSystem protection)
+func DeleteRole(ctx context.Context, tx bun.Tx, id int) error {
+	if id <= 0 {
+		return errors.New("id must be positive")
+	}
+
+	// Check if role is system role
+	role, err := GetRoleByID(ctx, tx, id)
+	if err != nil {
+		return errors.Wrap(err, "GetRoleByID")
+	}
+	if role == nil {
+		return errors.New("role not found")
+	}
+	if role.IsSystem {
+		return errors.New("cannot delete system role")
+	}
+
+	_, err = tx.NewDelete().
+		Model((*Role)(nil)).
+		Where("id = ?", id).
+		Exec(ctx)
+	if err != nil {
+		return errors.Wrap(err, "tx.NewDelete")
+	}
+
+	return nil
+}
+
+// AddPermissionToRole grants a permission to a role
+func AddPermissionToRole(ctx context.Context, tx bun.Tx, roleID, permissionID int) error {
+	if roleID <= 0 {
+		return errors.New("roleID must be positive")
+	}
+	if permissionID <= 0 {
+		return errors.New("permissionID must be positive")
+	}
+	rolePerm := &RolePermission{
+		RoleID:       roleID,
+		PermissionID: permissionID,
+	}
+	_, err := tx.NewInsert().
+		Model(rolePerm).
+		On("CONFLICT (role_id, permission_id) DO NOTHING").
+		Exec(ctx)
+	if err != nil {
+		return errors.Wrap(err, "tx.NewInsert")
+	}
+
+	return nil
+}
+
+// RemovePermissionFromRole revokes a permission from a role
+func RemovePermissionFromRole(ctx context.Context, tx bun.Tx, roleID, permissionID int) error {
+	if roleID <= 0 {
+		return errors.New("roleID must be positive")
+	}
+	if permissionID <= 0 {
+		return errors.New("permissionID must be positive")
+	}
+
+	_, err := tx.NewDelete().
+		Model((*RolePermission)(nil)).
+		Where("role_id = ?", roleID).
+		Where("permission_id = ?", permissionID).
+		Exec(ctx)
+	if err != nil {
+		return errors.Wrap(err, "tx.NewDelete")
+	}
+
+	return nil
+}
--- a/internal/db/season.go
+++ b/internal/db/season.go
@@ -23,7 +23,7 @@ type Season struct {
 }

 type SeasonList struct {
-	Seasons  []Season
+	Seasons  []*Season
 	Total    int
 	PageOpts PageOpts
 }
@@ -50,24 +50,10 @@ func NewSeason(ctx context.Context, tx bun.Tx, name, shortname string, start tim
 }

 func ListSeasons(ctx context.Context, tx bun.Tx, pageOpts *PageOpts) (*SeasonList, error) {
-	if pageOpts == nil {
-		pageOpts = &PageOpts{}
-	}
-	if pageOpts.Page == 0 {
-		pageOpts.Page = 1
-	}
-	if pageOpts.PerPage == 0 {
-		pageOpts.PerPage = 10
-	}
-	if pageOpts.Order == "" {
-		pageOpts.Order = bun.OrderDesc
-	}
-	if pageOpts.OrderBy == "" {
-		pageOpts.OrderBy = "name"
-	}
-	seasons := []Season{}
+	pageOpts = setDefaultPageOpts(pageOpts, 1, 10, bun.OrderDesc, "start_date")
+	seasons := new([]*Season)
 	err := tx.NewSelect().
-		Model(&seasons).
+		Model(seasons).
 		OrderBy(pageOpts.OrderBy, pageOpts.Order).
 		Offset(pageOpts.PerPage * (pageOpts.Page - 1)).
 		Limit(pageOpts.PerPage).
@@ -76,13 +62,13 @@ func ListSeasons(ctx context.Context, tx bun.Tx, pageOpts *PageOpts) (*SeasonLis
 		return nil, errors.Wrap(err, "tx.NewSelect")
 	}
 	total, err := tx.NewSelect().
-		Model(&seasons).
+		Model(seasons).
 		Count(ctx)
-	if err != nil && err != sql.ErrNoRows {
+	if err != nil {
 		return nil, errors.Wrap(err, "tx.NewSelect")
 	}
 	sl := &SeasonList{
-		Seasons:  seasons,
+		Seasons:  *seasons,
 		Total:    total,
 		PageOpts: *pageOpts,
 	}
--- a/internal/db/user.go
+++ b/internal/db/user.go
@@ -2,10 +2,13 @@ package db

 import (
 	"context"
+	"database/sql"
 	"fmt"
 	"time"

 	"git.haelnorr.com/h/golib/hwsauth"
+	"git.haelnorr.com/h/oslstats/internal/permissions"
+	"git.haelnorr.com/h/oslstats/internal/roles"
 	"github.com/bwmarrin/discordgo"
 	"github.com/pkg/errors"
 	"github.com/uptrace/bun"
@@ -20,10 +23,18 @@ type User struct {
 	Username  string `bun:"username,unique"`     // Username (unique)
 	CreatedAt int64  `bun:"created_at"`          // Epoch timestamp when the user was added to the database
 	DiscordID string `bun:"discord_id,unique"`
+
+	Roles []*Role `bun:"m2m:user_roles,join:User=Role"`
 }

-func (user *User) GetID() int {
-	return user.ID
+type Users struct {
+	Users    []*User
+	Total    int
+	PageOpts PageOpts
+}
+
+func (u *User) GetID() int {
+	return u.ID
 }

 // CreateUser creates a new user with the given username and password
@@ -114,3 +125,103 @@ func IsUsernameUnique(ctx context.Context, tx bun.Tx, username string) (bool, er
 	}
 	return count == 0, nil
 }
+
+// GetRoles loads all the roles for this user
+func (u *User) GetRoles(ctx context.Context, tx bun.Tx) ([]*Role, error) {
+	if u == nil {
+		return nil, errors.New("user cannot be nil")
+	}
+
+	err := tx.NewSelect().
+		Model(u).
+		Relation("Roles").
+		Where("id = ?", u.ID).
+		Scan(ctx)
+	if err != nil {
+		return nil, errors.Wrap(err, "tx.NewSelect")
+	}
+	return u.Roles, nil
+}
+
+// GetPermissions loads and returns all permissions for this user
+func (u *User) GetPermissions(ctx context.Context, tx bun.Tx) ([]*Permission, error) {
+	if u == nil {
+		return nil, errors.New("user cannot be nil")
+	}
+
+	var permissions []*Permission
+	err := tx.NewSelect().
+		Model(&permissions).
+		Join("JOIN role_permissions AS rp on rp.permission_id = p.id").
+		Join("JOIN user_roles AS ur ON ur.role_id = rp.role_id").
+		Where("ur.user_id = ?", u.ID).
+		Scan(ctx)
+	if err != nil && err != sql.ErrNoRows {
+		return nil, errors.Wrap(err, "tx.NewSelect")
+	}
+	return permissions, nil
+}
+
+// HasPermission checks if user has a specific permission (including wildcard check)
+func (u *User) HasPermission(ctx context.Context, tx bun.Tx, permissionName permissions.Permission) (bool, error) {
+	if u == nil {
+		return false, errors.New("user cannot be nil")
+	}
+	if permissionName == "" {
+		return false, errors.New("permissionName cannot be empty")
+	}
+
+	perms, err := u.GetPermissions(ctx, tx)
+	if err != nil {
+		return false, err
+	}
+
+	for _, p := range perms {
+		if p.Name == permissionName || p.Name == permissions.Wildcard {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+// HasRole checks if user has a specific role
+func (u *User) HasRole(ctx context.Context, tx bun.Tx, roleName roles.Role) (bool, error) {
+	if u == nil {
+		return false, errors.New("user cannot be nil")
+	}
+	return HasRole(ctx, tx, u.ID, roleName)
+}
+
+// IsAdmin is a convenience method to check if user has admin role
+func (u *User) IsAdmin(ctx context.Context, tx bun.Tx) (bool, error) {
+	if u == nil {
+		return false, errors.New("user cannot be nil")
+	}
+	return u.HasRole(ctx, tx, "admin")
+}
+
+func GetUsers(ctx context.Context, tx bun.Tx, pageOpts *PageOpts) (*Users, error) {
+	pageOpts = setDefaultPageOpts(pageOpts, 1, 50, bun.OrderAsc, "id")
+	users := new([]*User)
+	err := tx.NewSelect().
+		Model(users).
+		OrderBy(pageOpts.OrderBy, pageOpts.Order).
+		Limit(pageOpts.PerPage).
+		Offset(pageOpts.PerPage * (pageOpts.Page - 1)).
+		Scan(ctx)
+	if err != nil && err != sql.ErrNoRows {
+		return nil, errors.Wrap(err, "tx.NewSelect")
+	}
+	total, err := tx.NewSelect().
+		Model(users).
+		Count(ctx)
+	if err != nil {
+		return nil, errors.Wrap(err, "tx.NewSelect")
+	}
+	list := &Users{
+		Users:    *users,
+		Total:    total,
+		PageOpts: *pageOpts,
+	}
+	return list, nil
+}
--- a/internal/db/userrole.go
+++ b/internal/db/userrole.go
@@ -0,0 +1,86 @@
+package db
+
+import (
+	"context"
+
+	"git.haelnorr.com/h/oslstats/internal/roles"
+	"github.com/pkg/errors"
+	"github.com/uptrace/bun"
+)
+
+type UserRole struct {
+	UserID int   `bun:",pk"`
+	User   *User `bun:"rel:belongs-to,join:user_id=id"`
+	RoleID int   `bun:",pk"`
+	Role   *Role `bun:"rel:belongs-to,join:role_id=id"`
+}
+
+// AssignRole grants a role to a user
+func AssignRole(ctx context.Context, tx bun.Tx, userID, roleID int) error {
+	if userID <= 0 {
+		return errors.New("userID must be positive")
+	}
+	if roleID <= 0 {
+		return errors.New("roleID must be positive")
+	}
+
+	userRole := &UserRole{
+		UserID: userID,
+		RoleID: roleID,
+	}
+	_, err := tx.NewInsert().
+		Model(userRole).
+		On("CONFLICT (user_id, role_id) DO NOTHING").
+		Exec(ctx)
+	if err != nil {
+		return errors.Wrap(err, "tx.NewInsert")
+	}
+
+	return nil
+}
+
+// RevokeRole removes a role from a user
+func RevokeRole(ctx context.Context, tx bun.Tx, userID, roleID int) error {
+	if userID <= 0 {
+		return errors.New("userID must be positive")
+	}
+	if roleID <= 0 {
+		return errors.New("roleID must be positive")
+	}
+
+	_, err := tx.NewDelete().
+		Model((*UserRole)(nil)).
+		Where("user_id = ?", userID).
+		Where("role_id = ?", roleID).
+		Exec(ctx)
+	if err != nil {
+		return errors.Wrap(err, "tx.NewDelete")
+	}
+
+	return nil
+}
+
+// HasRole checks if a user has a specific role
+func HasRole(ctx context.Context, tx bun.Tx, userID int, roleName roles.Role) (bool, error) {
+	if userID <= 0 {
+		return false, errors.New("userID must be positive")
+	}
+	if roleName == "" {
+		return false, errors.New("roleName cannot be empty")
+	}
+	user := new(User)
+	err := tx.NewSelect().
+		Model(user).
+		Relation("Roles").
+		Where("u.id = ? ", userID).
+		Scan(ctx)
+	if err != nil {
+		return false, errors.Wrap(err, "tx.NewSelect")
+	}
+	for _, role := range user.Roles {
+		if role.Name == roleName {
+			return true, nil
+		}
+	}
+	return false, nil
+}
--- a/internal/embedfs/embedfs.go
+++ b/internal/embedfs/embedfs.go
@@ -1,3 +1,4 @@
+// Package embedfs creates an embedded filesystem with the static web assets
 package embedfs

 import (
@@ -7,12 +8,12 @@ import (
 	"github.com/pkg/errors"
 )

-//go:embed files/*
+//go:embed web/*
 var embeddedFiles embed.FS

-// Gets the embedded files
+// GetEmbeddedFS gets the embedded files
 func GetEmbeddedFS() (fs.FS, error) {
-	subFS, err := fs.Sub(embeddedFiles, "files")
+	subFS, err := fs.Sub(embeddedFiles, "web")
 	if err != nil {
 		return nil, errors.Wrap(err, "fs.Sub")
 	}
--- a/internal/embedfs/web/assets/error.png
+++ b/internal/embedfs/web/assets/error.png
--- a/internal/embedfs/web/assets/favicon.ico
+++ b/internal/embedfs/web/assets/favicon.ico
--- a/internal/embedfs/web/assets/logo.png
+++ b/internal/embedfs/web/assets/logo.png
--- a/internal/embedfs/web/css/input.css
+++ b/internal/embedfs/web/css/input.css
--- a/internal/embedfs/web/css/output.css
+++ b/internal/embedfs/web/css/output.css
@@ -318,6 +318,9 @@
  .mb-2 {
    margin-bottom: calc(var(--spacing) * 2);
  }
+  .mb-3 {
+    margin-bottom: calc(var(--spacing) * 3);
+  }
  .mb-4 {
    margin-bottom: calc(var(--spacing) * 4);
  }
@@ -439,9 +442,6 @@
  .flex-1 {
    flex: 1;
  }
-  .flex-shrink-0 {
-    flex-shrink: 0;
-  }
  .shrink-0 {
    flex-shrink: 0;
  }
--- a/internal/embedfs/web/js/copytoclipboard.js
+++ b/internal/embedfs/web/js/copytoclipboard.js
--- a/internal/embedfs/web/js/pagination.js
+++ b/internal/embedfs/web/js/pagination.js
--- a/internal/embedfs/web/js/theme.js
+++ b/internal/embedfs/web/js/theme.js
--- a/internal/embedfs/web/js/toasts.js
+++ b/internal/embedfs/web/js/toasts.js
--- a/internal/embedfs/web/vendored/alpinejs@3.15.4.min.js
+++ b/internal/embedfs/web/vendored/alpinejs@3.15.4.min.js
--- a/internal/embedfs/web/vendored/htmx-ext-ws.min.js
+++ b/internal/embedfs/web/vendored/htmx-ext-ws.min.js
--- a/internal/embedfs/web/vendored/htmx@2.0.8.min.js
+++ b/internal/embedfs/web/vendored/htmx@2.0.8.min.js
--- a/internal/handlers/admin_dashboard.go
+++ b/internal/handlers/admin_dashboard.go
@@ -0,0 +1,36 @@
+package handlers
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"git.haelnorr.com/h/golib/hws"
+	"git.haelnorr.com/h/oslstats/internal/db"
+	"git.haelnorr.com/h/oslstats/internal/view/page"
+	"github.com/pkg/errors"
+	"github.com/uptrace/bun"
+)
+
+func AdminDashboard(s *hws.Server, conn *bun.DB) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctx, cancel := context.WithTimeout(r.Context(), 15*time.Second)
+		defer cancel()
+
+		tx, err := conn.BeginTx(ctx, nil)
+		if err != nil {
+			throwInternalServiceError(s, w, r, "Database error", errors.Wrap(err, "conn.BeginTx"))
+			return
+		}
+		defer func() { _ = tx.Rollback() }()
+
+		users, err := db.GetUsers(ctx, tx, nil)
+		if err != nil {
+			throwInternalServiceError(s, w, r, "Database error", errors.Wrap(err, "db.GetUsers"))
+			return
+		}
+		_ = tx.Commit()
+
+		renderSafely(page.AdminDashboard(users), s, r, w)
+	})
+}
--- a/internal/handlers/admin_users.go
+++ b/internal/handlers/admin_users.go
@@ -0,0 +1,44 @@
+package handlers
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"git.haelnorr.com/h/golib/hws"
+	"git.haelnorr.com/h/oslstats/internal/db"
+	"git.haelnorr.com/h/oslstats/internal/view/component/admin"
+	"github.com/pkg/errors"
+	"github.com/uptrace/bun"
+)
+
+// AdminUsersList shows all users
+func AdminUsersList(s *hws.Server, conn *bun.DB) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+		defer cancel()
+
+		tx, err := conn.BeginTx(ctx, nil)
+		if err != nil {
+			throwInternalServiceError(s, w, r, "DB Transaction failed", errors.Wrap(err, "conn.BeginTx"))
+			return
+		}
+		defer func() { _ = tx.Rollback() }()
+
+		// Get all users
+		pageOpts, err := pageOptsFromForm(r)
+		if err != nil {
+			throwBadRequest(s, w, r, "invalid form data", err)
+			return
+		}
+		users, err := db.GetUsers(ctx, tx, pageOpts)
+		if err != nil {
+			throwInternalServiceError(s, w, r, "Failed to load users", errors.Wrap(err, "db.GetUsers"))
+			return
+		}
+
+		_ = tx.Commit()
+
+		renderSafely(admin.UserList(users), s, r, w)
+	})
+}
--- a/internal/handlers/auth_helpers.go
+++ b/internal/handlers/auth_helpers.go
@@ -0,0 +1,56 @@
+package handlers
+
+import (
+	"context"
+
+	"git.haelnorr.com/h/oslstats/internal/db"
+	"git.haelnorr.com/h/oslstats/internal/rbac"
+	"git.haelnorr.com/h/oslstats/internal/roles"
+	"github.com/pkg/errors"
+	"github.com/uptrace/bun"
+)
+
+// shouldGrantAdmin checks if user's Discord ID is in admin list
+func shouldGrantAdmin(user *db.User, cfg *rbac.Config) bool {
+	if cfg == nil || user == nil {
+		return false
+	}
+	if user.DiscordID == cfg.AdminDiscordID {
+		return true
+	}
+	return false
+}
+
+// ensureUserHasAdminRole grants admin role if not already granted
+func ensureUserHasAdminRole(ctx context.Context, tx bun.Tx, user *db.User) error {
+	if user == nil {
+		return errors.New("user cannot be nil")
+	}
+
+	// Check if user already has admin role
+	hasAdmin, err := user.HasRole(ctx, tx, roles.Admin)
+	if err != nil {
+		return errors.Wrap(err, "user.HasRole")
+	}
+
+	if hasAdmin {
+		return nil // Already admin
+	}
+
+	// Get admin role
+	adminRole, err := db.GetRoleByName(ctx, tx, roles.Admin)
+	if err != nil {
+		return errors.Wrap(err, "db.GetRoleByName")
+	}
+	if adminRole == nil {
+		return errors.New("admin role not found in database")
+	}
+
+	// Grant admin role
+	err = db.AssignRole(ctx, tx, user.ID, adminRole.ID)
+	if err != nil {
+		return errors.Wrap(err, "db.AssignRole")
+	}
+
+	return nil
+}
--- a/internal/handlers/callback.go
+++ b/internal/handlers/callback.go
@@ -193,6 +193,15 @@ func login(
 		if err != nil {
 			return nil, errors.Wrap(err, "user.UpdateDiscordToken")
 		}
+
+		// Check if user should be granted admin role (environment-based)
+		if shouldGrantAdmin(user, cfg.RBAC) {
+			err := ensureUserHasAdminRole(ctx, tx, user)
+			if err != nil {
+				return nil, errors.Wrap(err, "ensureUserHasAdminRole")
+			}
+		}
+
 		err := auth.Login(w, r, user, true)
 		if err != nil {
 			return nil, errors.Wrap(err, "auth.Login")
--- a/internal/handlers/errors.go
+++ b/internal/handlers/errors.go
@@ -20,16 +20,13 @@ func throwError(
 	err error,
 	level hws.ErrorLevel,
 ) {
-	err = s.ThrowError(w, r, hws.HWSError{
+	s.ThrowError(w, r, hws.HWSError{
 		StatusCode:      statusCode,
 		Message:         msg,
 		Error:           err,
 		Level:           level,
 		RenderErrorPage: true, // throw* family always renders error pages
 	})
-	if err != nil {
-		s.ThrowFatal(w, err)
-	}
 }

 // throwInternalServiceError handles 500 errors (server failures)
--- a/internal/handlers/newseason.go
+++ b/internal/handlers/newseason.go
@@ -180,7 +180,7 @@ func NewSeasonSubmit(
 // Helper function to validate alphanumeric strings
 func isAlphanumeric(s string) bool {
 	for _, r := range s {
-		if !((r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9')) {
+		if ((r < 'A') || (r > 'Z')) && ((r < '0') || (r > '9')) {
 			return false
 		}
 	}
--- a/internal/handlers/notifytest.go
+++ b/internal/handlers/notifytest.go
--- a/internal/handlers/page_opt_helpers.go
+++ b/internal/handlers/page_opt_helpers.go
@@ -0,0 +1,68 @@
+package handlers
+
+import (
+	"net/http"
+	"strconv"
+
+	"git.haelnorr.com/h/oslstats/internal/db"
+	"github.com/pkg/errors"
+	"github.com/uptrace/bun"
+)
+
+func pageOptsFromForm(r *http.Request) (*db.PageOpts, error) {
+	var pageNum, perPage int
+	var order bun.Order
+	var orderBy string
+	var err error
+
+	if pageStr := r.FormValue("page"); pageStr != "" {
+		pageNum, err = strconv.Atoi(pageStr)
+		if err != nil {
+			return nil, errors.Wrap(err, "invalid page number")
+		}
+	}
+	if perPageStr := r.FormValue("per_page"); perPageStr != "" {
+		perPage, err = strconv.Atoi(perPageStr)
+		if err != nil {
+			return nil, errors.Wrap(err, "invalid per_page number")
+		}
+	}
+	order = bun.Order(r.FormValue("order"))
+	orderBy = r.FormValue("order_by")
+
+	pageOpts := &db.PageOpts{
+		Page:    pageNum,
+		PerPage: perPage,
+		Order:   order,
+		OrderBy: orderBy,
+	}
+	return pageOpts, nil
+}
+
+func pageOptsFromQuery(r *http.Request) (*db.PageOpts, error) {
+	var pageNum, perPage int
+	var order bun.Order
+	var orderBy string
+	var err error
+	if pageStr := r.URL.Query().Get("page"); pageStr != "" {
+		pageNum, err = strconv.Atoi(pageStr)
+		if err != nil {
+			return nil, errors.Wrap(err, "invalid page number")
+		}
+	}
+	if perPageStr := r.URL.Query().Get("per_page"); perPageStr != "" {
+		perPage, err = strconv.Atoi(perPageStr)
+		if err != nil {
+			return nil, errors.Wrap(err, "invalid per_page number")
+		}
+	}
+	order = bun.Order(r.URL.Query().Get("order"))
+	orderBy = r.URL.Query().Get("order_by")
+	pageOpts := &db.PageOpts{
+		Page:    pageNum,
+		PerPage: perPage,
+		Order:   order,
+		OrderBy: orderBy,
+	}
+	return pageOpts, nil
+}
--- a/internal/handlers/permtest.go
+++ b/internal/handlers/permtest.go
@@ -0,0 +1,24 @@
+package handlers
+
+import (
+	"net/http"
+	"strconv"
+
+	"git.haelnorr.com/h/golib/hws"
+	"git.haelnorr.com/h/oslstats/internal/db"
+	"git.haelnorr.com/h/oslstats/internal/roles"
+	"github.com/uptrace/bun"
+)
+
+func PermTester(s *hws.Server, conn *bun.DB) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		user := db.CurrentUser(r.Context())
+		tx, _ := conn.BeginTx(r.Context(), nil)
+		isAdmin, err := user.HasRole(r.Context(), tx, roles.Admin)
+		tx.Rollback()
+		if err != nil {
+			throwInternalServiceError(s, w, r, "Error", err)
+		}
+		_, _ = w.Write([]byte(strconv.FormatBool(isAdmin)))
+	})
+}
--- a/internal/handlers/seasons.go
+++ b/internal/handlers/seasons.go
@@ -2,9 +2,7 @@ package handlers

 import (
 	"context"
-	"fmt"
 	"net/http"
-	"strconv"
 	"time"

 	"git.haelnorr.com/h/golib/hws"
@@ -27,38 +25,18 @@ func SeasonsPage(
 			return
 		}
 		defer tx.Rollback()
-		var pageNum, perPage int
-		var order bun.Order
-		var orderBy string
-		if pageStr := r.URL.Query().Get("page"); pageStr != "" {
-			pageNum, err = strconv.Atoi(pageStr)
+		pageOpts, err := pageOptsFromQuery(r)
 		if err != nil {
-				throwBadRequest(s, w, r, "Invalid page number", err)
+			throwBadRequest(s, w, r, "invalid query", err)
 			return
 		}
-		}
-		if perPageStr := r.URL.Query().Get("per_page"); perPageStr != "" {
-			perPage, err = strconv.Atoi(perPageStr)
-			if err != nil {
-				throwBadRequest(s, w, r, "Invalid per_page number", err)
-				return
-			}
-		}
-		order = bun.Order(r.URL.Query().Get("order"))
-		orderBy = r.URL.Query().Get("order_by")
-		pageOpts := &db.PageOpts{
-			Page:    pageNum,
-			PerPage: perPage,
-			Order:   order,
-			OrderBy: orderBy,
-		}
 		seasons, err := db.ListSeasons(ctx, tx, pageOpts)
 		if err != nil {
 			throwInternalServiceError(s, w, r, "Database error", errors.Wrap(err, "db.ListSeasons"))
 			return
 		}
 		tx.Commit()
-		renderSafely(page.SeasonsList(seasons), s, r, w)
+		renderSafely(page.SeasonsPage(seasons), s, r, w)
 	})
 }

@@ -76,36 +54,11 @@ func SeasonsList(
 			return
 		}

-		// Extract pagination/sort params from form
-		var pageNum, perPage int
-		var order bun.Order
-		var orderBy string
-		var err error
-
-		if pageStr := r.FormValue("page"); pageStr != "" {
-			pageNum, err = strconv.Atoi(pageStr)
+		pageOpts, err := pageOptsFromForm(r)
 		if err != nil {
-				throwBadRequest(s, w, r, "Invalid page number", err)
+			throwBadRequest(s, w, r, "invalid form data", err)
 			return
 		}
-		}
-		if perPageStr := r.FormValue("per_page"); perPageStr != "" {
-			perPage, err = strconv.Atoi(perPageStr)
-			if err != nil {
-				throwBadRequest(s, w, r, "Invalid per_page number", err)
-				return
-			}
-		}
-		order = bun.Order(r.FormValue("order"))
-		orderBy = r.FormValue("order_by")
-
-		pageOpts := &db.PageOpts{
-			Page:    pageNum,
-			PerPage: perPage,
-			Order:   order,
-			OrderBy: orderBy,
-		}
-		fmt.Println(pageOpts)

 		// Database query
 		tx, err := conn.BeginTx(ctx, nil)
--- a/internal/permissions/constants.go
+++ b/internal/permissions/constants.go
@@ -0,0 +1,23 @@
+// Package permissions provides constants for RBAC
+package permissions
+
+type Permission string
+
+func (p Permission) String() string {
+	return string(p)
+}
+
+const (
+	// Wildcard - grants all permissions
+	Wildcard Permission = "*"
+
+	// Seasons permissions
+	SeasonsCreate Permission = "seasons.create"
+	SeasonsUpdate Permission = "seasons.update"
+	SeasonsDelete Permission = "seasons.delete"
+
+	// Users permissions
+	UsersUpdate      Permission = "users.update"
+	UsersBan         Permission = "users.ban"
+	UsersManageRoles Permission = "users.manage_roles"
+)
--- a/internal/rbac/cache_middleware.go
+++ b/internal/rbac/cache_middleware.go
@@ -0,0 +1,95 @@
+package rbac
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"git.haelnorr.com/h/golib/hws"
+	"git.haelnorr.com/h/oslstats/internal/contexts"
+	"git.haelnorr.com/h/oslstats/internal/db"
+	"git.haelnorr.com/h/oslstats/internal/permissions"
+	"git.haelnorr.com/h/oslstats/internal/roles"
+	"github.com/pkg/errors"
+)
+
+// LoadPermissionsMiddleware loads user permissions into context after authentication
+// MUST run AFTER auth.Authenticate() middleware
+func (c *Checker) LoadPermissionsMiddleware() hws.Middleware {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			user := db.CurrentUser(r.Context())
+
+			if user == nil {
+				// No authenticated user - continue without permissions
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// Start transaction for loading permissions
+			ctx, cancel := context.WithTimeout(r.Context(), 15*time.Second)
+			defer cancel()
+			tx, err := c.conn.BeginTx(ctx, nil)
+			if err != nil {
+				// Log but don't block - permission checks will fail gracefully
+				c.s.LogError(hws.HWSError{
+					Message: "Failed to start database transaction",
+					Error:   errors.Wrap(err, "c.conn.BeginTx"),
+					Level:   hws.ErrorERROR,
+				})
+				next.ServeHTTP(w, r)
+				return
+			}
+			defer func() { _ = tx.Rollback() }()
+
+			// Load user's roles_ and permissions
+			roles_, err := user.GetRoles(ctx, tx)
+			if err != nil {
+				c.s.LogError(hws.HWSError{
+					Message: "Failed to get user roles",
+					Error:   errors.Wrap(err, "user.GetRoles"),
+					Level:   hws.ErrorERROR,
+				})
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			perms, err := user.GetPermissions(ctx, tx)
+			if err != nil {
+				c.s.LogError(hws.HWSError{
+					Message: "Failed to get user permissions",
+					Error:   errors.Wrap(err, "user.GetPermissions"),
+					Level:   hws.ErrorERROR,
+				})
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			_ = tx.Commit() // read only transaction
+
+			// Build permission cache
+			cache := &contexts.PermissionCache{
+				Permissions: make(map[permissions.Permission]bool),
+				Roles:       make(map[roles.Role]bool),
+			}
+
+			// Check for wildcard permission
+			hasWildcard := false
+			for _, perm := range perms {
+				cache.Permissions[perm.Name] = true
+				if perm.Name == permissions.Wildcard {
+					hasWildcard = true
+				}
+			}
+			cache.HasWildcard = hasWildcard
+
+			for _, role := range roles_ {
+				cache.Roles[role.Name] = true
+			}
+
+			// Add cache to context (type-safe)
+			ctx = context.WithValue(ctx, contexts.PermissionCacheKey, cache)
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}
--- a/internal/rbac/checker.go
+++ b/internal/rbac/checker.go
@@ -0,0 +1,111 @@
+package rbac
+
+import (
+	"context"
+
+	"git.haelnorr.com/h/golib/hws"
+	"git.haelnorr.com/h/oslstats/internal/contexts"
+	"git.haelnorr.com/h/oslstats/internal/db"
+	"git.haelnorr.com/h/oslstats/internal/permissions"
+	"git.haelnorr.com/h/oslstats/internal/roles"
+	"github.com/pkg/errors"
+	"github.com/uptrace/bun"
+)
+
+type Checker struct {
+	conn *bun.DB
+	s    *hws.Server
+}
+
+func NewChecker(conn *bun.DB, s *hws.Server) (*Checker, error) {
+	if conn == nil {
+		return nil, errors.New("conn cannot be nil")
+	}
+	if s == nil {
+		return nil, errors.New("server cannot be nil")
+	}
+	return &Checker{conn: conn, s: s}, nil
+}
+
+// UserHasPermission checks if user has a specific permission (uses cache)
+func (c *Checker) UserHasPermission(ctx context.Context, user *db.User, permission permissions.Permission) (bool, error) {
+	if user == nil {
+		return false, nil
+	}
+
+	// Try cache first
+	cache := contexts.Permissions(ctx)
+	if cache != nil {
+		if cache.HasWildcard {
+			return true, nil
+		}
+		if has, exists := cache.Permissions[permission]; exists {
+			return has, nil
+		}
+	}
+
+	// Fallback to database
+	tx, err := c.conn.BeginTx(ctx, nil)
+	if err != nil {
+		return false, errors.Wrap(err, "conn.BeginTx")
+	}
+	defer func() { _ = tx.Rollback() }()
+
+	has, err := user.HasPermission(ctx, tx, permission)
+	if err != nil {
+		return false, err
+	}
+
+	return has, nil
+}
+
+// UserHasRole checks if user has a specific role (uses cache)
+func (c *Checker) UserHasRole(ctx context.Context, user *db.User, role roles.Role) (bool, error) {
+	if user == nil {
+		return false, nil
+	}
+
+	cache := contexts.Permissions(ctx)
+	if cache != nil {
+		if has, exists := cache.Roles[role]; exists {
+			return has, nil
+		}
+	}
+
+	// Fallback to database
+	tx, err := c.conn.BeginTx(ctx, nil)
+	if err != nil {
+		return false, errors.Wrap(err, "conn.BeginTx")
+	}
+	defer func() { _ = tx.Rollback() }()
+
+	return user.HasRole(ctx, tx, role)
+}
+
+// UserHasAnyPermission checks if user has ANY of the given permissions
+func (c *Checker) UserHasAnyPermission(ctx context.Context, user *db.User, permissions ...permissions.Permission) (bool, error) {
+	for _, perm := range permissions {
+		has, err := c.UserHasPermission(ctx, user, perm)
+		if err != nil {
+			return false, err
+		}
+		if has {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+// UserHasAllPermissions checks if user has ALL of the given permissions
+func (c *Checker) UserHasAllPermissions(ctx context.Context, user *db.User, permissions ...permissions.Permission) (bool, error) {
+	for _, perm := range permissions {
+		has, err := c.UserHasPermission(ctx, user, perm)
+		if err != nil {
+			return false, err
+		}
+		if !has {
+			return false, nil
+		}
+	}
+	return true, nil
+}
--- a/internal/rbac/config.go
+++ b/internal/rbac/config.go
@@ -0,0 +1,22 @@
+// Package rbac provides Role-Based Access Control functionality
+package rbac
+
+import (
+	"errors"
+
+	"git.haelnorr.com/h/golib/env"
+)
+
+type Config struct {
+	AdminDiscordID string // ENV ADMIN_DISCORD_ID: Discord ID to grant admin role on first login (required)
+}
+
+func ConfigFromEnv() (any, error) {
+	cfg := &Config{
+		AdminDiscordID: env.String("ADMIN_DISCORD_ID", ""),
+	}
+	if cfg.AdminDiscordID == "" {
+		return nil, errors.New("env var not set: ADMIN_DISCORD_ID")
+	}
+	return cfg, nil
+}
--- a/internal/rbac/ezconf.go
+++ b/internal/rbac/ezconf.go
@@ -0,0 +1,41 @@
+package rbac
+
+import (
+	"runtime"
+	"strings"
+)
+
+// EZConfIntegration provides integration with ezconf for automatic configuration
+type EZConfIntegration struct {
+	configFunc func() (any, error)
+	name       string
+}
+
+// PackagePath returns the path to the config package for source parsing
+func (e EZConfIntegration) PackagePath() string {
+	_, filename, _, _ := runtime.Caller(0)
+	// Return directory of this file
+	return filename[:len(filename)-len("/ezconf.go")]
+}
+
+// ConfigFunc returns the ConfigFromEnv function for ezconf
+func (e EZConfIntegration) ConfigFunc() func() (any, error) {
+	return func() (any, error) {
+		return e.configFunc()
+	}
+}
+
+// Name returns the name to use when registering with ezconf
+func (e EZConfIntegration) Name() string {
+	return strings.ToLower(e.name)
+}
+
+// GroupName returns the display name for grouping environment variables
+func (e EZConfIntegration) GroupName() string {
+	return e.name
+}
+
+// NewEZConfIntegration creates a new EZConf integration helper
+func NewEZConfIntegration() EZConfIntegration {
+	return EZConfIntegration{name: "RBAC", configFunc: ConfigFromEnv}
+}
--- a/internal/rbac/protection_middleware.go
+++ b/internal/rbac/protection_middleware.go
@@ -0,0 +1,101 @@
+package rbac
+
+import (
+	"net/http"
+
+	"git.haelnorr.com/h/golib/cookies"
+	"git.haelnorr.com/h/golib/hws"
+	"git.haelnorr.com/h/oslstats/internal/db"
+	"git.haelnorr.com/h/oslstats/internal/permissions"
+	"git.haelnorr.com/h/oslstats/internal/roles"
+)
+
+// RequirePermission creates middleware that requires a specific permission
+func (c *Checker) RequirePermission(server *hws.Server, permission permissions.Permission) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			user := db.CurrentUser(r.Context())
+			if user == nil {
+				// Not logged in - redirect to login with page_from
+				cookies.SetPageFrom(w, r, r.URL.Path)
+				http.Redirect(w, r, "/login", http.StatusSeeOther)
+				return
+			}
+
+			has, err := c.UserHasPermission(r.Context(), user, permission)
+			if err != nil {
+				// Log error and return 500
+				server.ThrowError(w, r, hws.HWSError{
+					StatusCode:      http.StatusInternalServerError,
+					Message:         "Permission check failed",
+					Error:           err,
+					Level:           hws.ErrorERROR,
+					RenderErrorPage: true,
+				})
+				return
+			}
+
+			if !has {
+				// User lacks permission - return 403
+				server.ThrowError(w, r, hws.HWSError{
+					StatusCode:      http.StatusForbidden,
+					Message:         "You don't have permission to access this resource",
+					Error:           nil,
+					Level:           hws.ErrorDEBUG,
+					RenderErrorPage: true,
+				})
+				return
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
+// RequireRole creates middleware that requires a specific role
+func (c *Checker) RequireRole(server *hws.Server, role roles.Role) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			user := db.CurrentUser(r.Context())
+			if user == nil {
+				// Not logged in - redirect to login
+				cookies.SetPageFrom(w, r, r.URL.Path)
+				http.Redirect(w, r, "/login", http.StatusSeeOther)
+				return
+			}
+
+			has, err := c.UserHasRole(r.Context(), user, role)
+			if err != nil {
+				// Log error and return 500
+				hwserr := hws.HWSError{
+					StatusCode:      http.StatusInternalServerError,
+					Message:         "Role check failed",
+					Error:           err,
+					Level:           hws.ErrorERROR,
+					RenderErrorPage: true,
+				}
+				server.ThrowError(w, r, hwserr)
+				return
+			}
+
+			if !has {
+				// User lacks role - return 403
+				server.ThrowError(w, r, hws.HWSError{
+					StatusCode:      http.StatusForbidden,
+					Message:         "You don't have the required role to access this resource",
+					Error:           nil,
+					Level:           hws.ErrorDEBUG,
+					RenderErrorPage: true,
+				})
+				return
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
+// RequireAdmin is a convenience middleware for admin-only routes
+func (c *Checker) RequireAdmin(server *hws.Server) func(http.Handler) http.Handler {
+	return c.RequireRole(server, roles.Admin)
+}
--- a/internal/roles/constants.go
+++ b/internal/roles/constants.go
@@ -0,0 +1,13 @@
+// Package roles provides constants for the RBAC
+package roles
+
+type Role string
+
+func (r Role) String() string {
+	return string(r)
+}
+
+const (
+	Admin Role = "admin"
+	User  Role = "user"
+)
--- a/internal/view/component/admin/user_list.templ
+++ b/internal/view/component/admin/user_list.templ
@@ -0,0 +1,6 @@
+package admin
+
+import "git.haelnorr.com/h/oslstats/internal/db"
+
+templ UserList(users *db.Users) {
+}
--- a/internal/view/component/nav/navbarright.templ
+++ b/internal/view/component/nav/navbarright.templ
@@ -1,6 +1,10 @@
 package nav

-import "git.haelnorr.com/h/oslstats/internal/db"
+import (
+	"context"
+	"git.haelnorr.com/h/oslstats/internal/contexts"
+	"git.haelnorr.com/h/oslstats/internal/db"
+)

 type ProfileItem struct {
 	name string // Label to display
@@ -8,8 +12,8 @@ type ProfileItem struct {
 }

 // Return the list of profile links
-func getProfileItems() []ProfileItem {
-	return []ProfileItem{
+func getProfileItems(ctx context.Context) []ProfileItem {
+	items := []ProfileItem{
 		{
 			name: "Profile",
 			href: "/profile",
@@ -19,12 +23,23 @@ func getProfileItems() []ProfileItem {
 			href: "/account",
 		},
 	}
+
+	// Add admin link if user has admin role
+	cache := contexts.Permissions(ctx)
+	if cache != nil && cache.Roles["admin"] {
+		items = append(items, ProfileItem{
+			name: "Admin Panel",
+			href: "/admin",
+		})
+	}
+
+	return items
 }

 // Returns the right portion of the navbar
 templ navRight() {
 	{{ user := db.CurrentUser(ctx) }}
-	{{ items := getProfileItems() }}
+	{{ items := getProfileItems(ctx) }}
 	<div class="flex items-center gap-2">
 		<div class="sm:flex sm:gap-2">
 			if user != nil {
--- a/internal/view/component/season/status.templ
+++ b/internal/view/component/season/status.templ
@@ -0,0 +1,71 @@
+package season
+
+import "git.haelnorr.com/h/oslstats/internal/db"
+import "time"
+
+// StatusBadge renders a season status badge
+// Parameters:
+//   - season: pointer to db.Season
+//   - compact: bool - true for list view (text only, small), false for detail view (icon + text, large)
+//   - useShortLabels: bool - true for "Active/Finals", false for "In Progress/Finals in Progress"
+templ StatusBadge(season *db.Season, compact bool, useShortLabels bool) {
+	{{
+		now := time.Now()
+		status := ""
+		statusColor := ""
+		statusBg := ""
+		
+		// Determine status based on dates
+		if now.Before(season.StartDate) {
+			status = "Upcoming"
+			statusColor = "text-blue"
+			statusBg = "bg-blue/10 border-blue"
+		} else if !season.EndDate.IsZero() && now.After(season.EndDate.Time) {
+			status = "Completed"
+			statusColor = "text-green"
+			statusBg = "bg-green/10 border-green"
+		} else if !season.FinalsStartDate.IsZero() && now.After(season.FinalsStartDate.Time) {
+			if !season.FinalsEndDate.IsZero() && now.After(season.FinalsEndDate.Time) {
+				status = "Completed"
+				statusColor = "text-green"
+				statusBg = "bg-green/10 border-green"
+			} else {
+				if useShortLabels {
+					status = "Finals"
+				} else {
+					status = "Finals in Progress"
+				}
+				statusColor = "text-yellow"
+				statusBg = "bg-yellow/10 border-yellow"
+			}
+		} else {
+			if useShortLabels {
+				status = "Active"
+			} else {
+				status = "In Progress"
+			}
+			statusColor = "text-green"
+			statusBg = "bg-green/10 border-green"
+		}
+		
+		// Determine size classes
+		var sizeClasses string
+		var textSize string
+		var iconSize string
+		if compact {
+			sizeClasses = "px-2 py-1"
+			textSize = "text-xs"
+			iconSize = "text-sm"
+		} else {
+			sizeClasses = "px-4 py-2"
+			textSize = "text-lg"
+			iconSize = "text-2xl"
+		}
+	}}
+	<div class={ "rounded-lg border-2 inline-flex items-center gap-2 " + sizeClasses + " " + statusBg }>
+		if !compact {
+			<span class={ iconSize + " " + statusColor }>●</span>
+		}
+		<span class={ textSize + " font-semibold " + statusColor }>{ status }</span>
+	</div>
+}
--- a/internal/view/layout/admin_dashboard.templ
+++ b/internal/view/layout/admin_dashboard.templ
@@ -0,0 +1,8 @@
+package layout
+
+templ AdminDashboard() {
+	@Global("Admin")
+	<div>
+		{ children... }
+	</div>
+}
--- a/internal/view/layout/global.templ
+++ b/internal/view/layout/global.templ
@@ -3,7 +3,7 @@ package layout
 import "git.haelnorr.com/h/oslstats/internal/view/component/popup"
 import "git.haelnorr.com/h/oslstats/internal/view/component/nav"
 import "git.haelnorr.com/h/oslstats/internal/view/component/footer"
-import "git.haelnorr.com/h/oslstats/pkg/contexts"
+import "git.haelnorr.com/h/oslstats/internal/contexts"

 // Global page layout. Includes HTML document settings, header tags
 // navbar and footer
@@ -22,7 +22,7 @@ templ Global(title string) {
 			<meta charset="UTF-8"/>
 			<meta name="viewport" content="width=device-width, initial-scale=1"/>
 			<title>{ title }</title>
-			<link rel="icon" type="image/x-icon" href="/static/favicon.ico"/>
+			<link rel="icon" type="image/x-icon" href="/static/assets/favicon.ico"/>
 			<link href="/static/css/output.css" rel="stylesheet"/>
 			<script src="/static/vendored/htmx@2.0.8.min.js"></script>
 			<script src="/static/vendored/htmx-ext-ws.min.js"></script>
--- a/internal/view/page/admin_dashboard.templ
+++ b/internal/view/page/admin_dashboard.templ
@@ -0,0 +1,10 @@
+package page
+
+import "git.haelnorr.com/h/oslstats/internal/view/layout"
+import "git.haelnorr.com/h/oslstats/internal/view/component/admin"
+import "git.haelnorr.com/h/oslstats/internal/db"
+
+templ AdminDashboard(users *db.Users) {
+	@layout.AdminDashboard()
+	@admin.UserList(users)
+}
--- a/internal/view/page/season.templ
+++ b/internal/view/page/season.templ
@@ -2,6 +2,7 @@ package page

 import "git.haelnorr.com/h/oslstats/internal/db"
 import "git.haelnorr.com/h/oslstats/internal/view/layout"
+import seasoncomp "git.haelnorr.com/h/oslstats/internal/view/component/season"
 import "time"
 import "strconv"

@@ -54,14 +55,14 @@ templ SeasonDetails(season *db.Season) {
 					<div class="flex justify-between items-center">
 						<span class="text-subtext0">Start Date:</span>
 						<span class="text-text font-semibold">
-							{ formatDate(season.StartDate) }
+							{ formatDateLong(season.StartDate) }
 						</span>
 					</div>
 					<div class="flex justify-between items-center">
 						<span class="text-subtext0">End Date:</span>
 						<span class="text-text font-semibold">
 							if !season.EndDate.IsZero() {
-								{ formatDate(season.EndDate.Time) }
+								{ formatDateLong(season.EndDate.Time) }
 							} else {
 								<span class="text-subtext1 italic">Not set</span>
 							}
@@ -90,7 +91,7 @@ templ SeasonDetails(season *db.Season) {
 						<span class="text-subtext0">Start Date:</span>
 						<span class="text-text font-semibold">
 							if !season.FinalsStartDate.IsZero() {
-								{ formatDate(season.FinalsStartDate.Time) }
+								{ formatDateLong(season.FinalsStartDate.Time) }
 							} else {
 								<span class="text-subtext1 italic">Not set</span>
 							}
@@ -100,7 +101,7 @@ templ SeasonDetails(season *db.Season) {
 						<span class="text-subtext0">End Date:</span>
 						<span class="text-text font-semibold">
 							if !season.FinalsEndDate.IsZero() {
-								{ formatDate(season.FinalsEndDate.Time) }
+								{ formatDateLong(season.FinalsEndDate.Time) }
 							} else {
 								<span class="text-subtext1 italic">Not set</span>
 							}
@@ -124,51 +125,14 @@ templ SeasonDetails(season *db.Season) {
 			<div class="bg-surface0 border border-surface1 rounded-lg p-6">
 				<h2 class="text-2xl font-bold text-text mb-4">Status</h2>
 				<div class="flex items-center gap-3">
-					@SeasonStatus(season)
+					@seasoncomp.StatusBadge(season, false, false)
 				</div>
 			</div>
 		</div>
 	</div>
 }

-templ SeasonStatus(season *db.Season) {
-	{{
-		now := time.Now()
-		status := ""
-		statusColor := ""
-		statusBg := ""
-		
-		if now.Before(season.StartDate) {
-			status = "Upcoming"
-			statusColor = "text-blue"
-			statusBg = "bg-blue/10 border-blue"
-		} else if !season.EndDate.IsZero() && now.After(season.EndDate.Time) {
-			status = "Completed"
-			statusColor = "text-green"
-			statusBg = "bg-green/10 border-green"
-		} else if !season.FinalsStartDate.IsZero() && now.After(season.FinalsStartDate.Time) {
-			if !season.FinalsEndDate.IsZero() && now.After(season.FinalsEndDate.Time) {
-				status = "Completed"
-				statusColor = "text-green"
-				statusBg = "bg-green/10 border-green"
-			} else {
-				status = "Finals in Progress"
-				statusColor = "text-yellow"
-				statusBg = "bg-yellow/10 border-yellow"
-			}
-		} else {
-			status = "In Progress"
-			statusColor = "text-green"
-			statusBg = "bg-green/10 border-green"
-		}
-	}}
-	<div class={ "px-4 py-2 rounded-lg border-2 inline-flex items-center gap-2 " + statusBg }>
-		<span class={ "text-2xl " + statusColor }>●</span>
-		<span class={ "text-lg font-semibold " + statusColor }>{ status }</span>
-	</div>
-}
-
-func formatDate(t time.Time) string {
+func formatDateLong(t time.Time) string {
 	return t.Format("January 2, 2006")
 }

--- a/internal/view/page/seasons_list.templ
+++ b/internal/view/page/seasons_list.templ
@@ -4,7 +4,9 @@ import "git.haelnorr.com/h/oslstats/internal/db"
 import "git.haelnorr.com/h/oslstats/internal/view/layout"
 import "git.haelnorr.com/h/oslstats/internal/view/component/pagination"
 import "git.haelnorr.com/h/oslstats/internal/view/component/sort"
+import "git.haelnorr.com/h/oslstats/internal/view/component/season"
 import "fmt"
+import "time"
 import "github.com/uptrace/bun"

 templ SeasonsPage(seasons *db.SeasonList) {
@@ -18,6 +20,16 @@ templ SeasonsPage(seasons *db.SeasonList) {
 templ SeasonsList(seasons *db.SeasonList) {
 	{{
 		sortOpts := []db.OrderOpts{
+			{
+				Order:   bun.OrderDesc,
+				OrderBy: "start_date",
+				Label:   "Start Date (Newest First)",
+			},
+			{
+				Order:   bun.OrderAsc,
+				OrderBy: "start_date",
+				Label:   "Start Date (Oldest First)",
+			},
 			{
 				Order:   bun.OrderAsc,
 				OrderBy: "name",
@@ -28,16 +40,6 @@ templ SeasonsList(seasons *db.SeasonList) {
 				OrderBy: "name",
 				Label:   "Name (Z-A)",
 			},
-			{
-				Order:   bun.OrderAsc,
-				OrderBy: "short_name",
-				Label:   "Short Name (A-Z)",
-			},
-			{
-				Order:   bun.OrderDesc,
-				OrderBy: "short_name",
-				Label:   "Short Name (Z-A)",
-			},
 		}
 	}}
 	<div id="seasons-list-container">
@@ -74,12 +76,25 @@ templ SeasonsList(seasons *db.SeasonList) {
 			} else {
 				<!-- Card grid -->
 				<div class="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
-					for _, season := range seasons.Seasons {
+					for _, s := range seasons.Seasons {
 						<a
 							class="bg-mantle border border-surface1 rounded-lg p-6 hover:bg-surface0 transition-colors"
-							href={ fmt.Sprintf("/seasons/%s", season.ShortName) }
+							href={ fmt.Sprintf("/seasons/%s", s.ShortName) }
 						>
-							<h3 class="text-xl font-bold text-text mb-2">{ season.Name }</h3>
+							<!-- Header: Name + Status Badge -->
+							<div class="flex justify-between items-start mb-3">
+								<h3 class="text-xl font-bold text-text">{ s.Name }</h3>
+								@season.StatusBadge(s, true, true)
+							</div>
+							<!-- Info Row: Short Name + Start Date -->
+							<div class="flex items-center gap-3 text-sm">
+								<span class="px-2 py-1 bg-surface1 rounded text-subtext0 font-mono">
+									{ s.ShortName }
+								</span>
+								<span class="text-subtext0">
+									Started: { formatDate(s.StartDate) }
+								</span>
+							</div>
 						</a>
 					}
 				</div>
@@ -90,3 +105,7 @@ templ SeasonsList(seasons *db.SeasonList) {
 		<script src="/static/js/pagination.js"></script>
 	</div>
 }
+
+func formatDate(t time.Time) string {
+	return t.Format("02/01/2006") // DD/MM/YYYY
+}
--- a/pkg/embedfs/files/favicon.ico
+++ b/pkg/embedfs/files/favicon.ico
--- a/pkg/oauth/config.go
+++ b/pkg/oauth/config.go
@@ -1,3 +1,4 @@
+// Package oauth provides OAuth utilities for generating and checking secure state tokens
 package oauth

 import (
Author	SHA1	Message	Date
Haelnorr	4c31c24069	fixed relationship issues	2026-02-05 00:10:10 +11:00
Haelnorr	20308fe35c	moved packages out of pkg	2026-02-04 18:57:33 +11:00
Haelnorr	d2b1a252ea	rbac system first stage	2026-02-03 21:37:06 +11:00
Haelnorr	24bbc5337b	updated seasons list	2026-02-02 22:39:03 +11:00