feat: finalize Users and Permissions

Author: aeltorio

client/get-openapi.ts

@@ -2,7 +2,7 @@ import fs from "fs";
 
 import swaggerJsdoc from "swagger-jsdoc";
 
-export const API_VERSION = "1.6.0";
+export const API_VERSION = "1.7.0";
 
 const options = {
   encoding: "utf8",

client/public/openapi.json

@@ -2,7 +2,7 @@
   "openapi": "3.0.0",
   "info": {
     "title": "Feedback Flow API",
-    "version": "1.6.0"
+    "version": "1.7.0"
   },
   "paths": {
     "/api/testers": {
@@ -92,7 +92,7 @@
       },
       "post": {
         "summary": "Get testers filtered by OAuth IDs (supports pagination)",
-        "description": "Returns a list of testers filtered by OAuth IDs provided in the request body. Requires admin permission.",
+        "description": "Returns a list of testers filtered by OAuth IDs provided in the request body. Requires admin permission. If limit is not provided, all matching testers are returned.",
         "tags": [
           "Testers"
         ],
@@ -320,6 +320,48 @@
             "description": "ID already exists in the database"
           }
         }
+      },
+      "delete": {
+        "summary": "Remove ID from existing tester",
+        "description": "Removes an ID from a tester. Requires admin permission.",
+        "tags": [
+          "Testers"
+        ],
+        "requestBody": {
+          "required": true,
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "uuid": {
+                    "type": "string"
+                  },
+                  "name": {
+                    "type": "string"
+                  },
+                  "id": {
+                    "type": "string"
+                  }
+                },
+                "required": [
+                  "id"
+                ]
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "ID successfully removed from tester"
+          },
+          "400": {
+            "description": "Invalid request or missing required fields"
+          },
+          "403": {
+            "description": "Unauthorized request"
+          }
+        }
       }
     },
     "/api/purchase/{purchaseId}": {

client/src/locales/base/fr-FR.json

@@ -271,13 +271,13 @@
   "failed-loading-user-permissions": "Échec du chargement des autorisations de l'utilisateur",
   "error-saving-permissions": "Erreur lors de l'enregistrement des permissions",
   "tester": "Testeur",
-  "assign": "Attribuer",
-  "assign-selected": "Attribuer la sélection",
-  "assign-tester": "Attribuer un testeur",
-  "assigned-successfully": "Attribué avec succès",
+  "assign": "Assigner",
+  "assign-selected": "Assigner la sélection",
+  "assign-tester": "Assigner un testeur",
+  "assigned-successfully": "Assigné avec succès",
   "choose-tester": "Choisissez un testeur",
   "confirm-unassign-selected": "Êtes-vous sûr de vouloir annuler l'assignation des identifiants sélectionnés à leurs testeurs ?",
-  "create-and-assign": "Créer et attribuer",
+  "create-and-assign": "Créer et assigner",
   "create-tester": "Créer un testeur",
   "enter-tester-name": "Entrez le nom du testeur",
   "error-assigning-testers": "Erreur lors de l'assignation des testeurs",

client/src/pages/users-and-permissions.tsx

@@ -34,9 +34,12 @@ import { Checkbox } from "@heroui/checkbox";
 import { Table, TableHeader, TableColumn, TableBody, TableRow, TableCell } from "@heroui/table";
 import { addToast } from "@heroui/toast";
 import ConfirmDeleteModal from "@/components/modals/confirm-delete-modal";
+import { useAuth0 } from "@auth0/auth0-react";
 // import { Toast } from "@heroui/toast"; // Not using Toast API directly, using message state
 
 export default function UsersAndPermissionsPage() {
+    const { user } = useAuth0();
+    const currentUserId = (user?.sub || "").toString().trim();
     const { getAuth0ManagementToken, listAuth0Users, getUserPermissions, addPermissionToUser, removePermissionFromUser, deleteAuth0User, postJson, deleteJson } = useSecuredApi();
     const postJsonRef = useRef(postJson);
     useEffect(() => { postJsonRef.current = postJson; }, [postJson]);
@@ -299,6 +302,8 @@ export default function UsersAndPermissionsPage() {
     };
 
     const toggleSelectUser = (userId: string) => {
+        // Prevent selecting the current logged-in user to avoid accidental self-unassign/delete
+        if (userId === currentUserId) return;
         setSelectedUserIds((prev) => ({ ...prev, [userId]: !prev[userId] }));
     };
 
@@ -334,6 +339,11 @@ export default function UsersAndPermissionsPage() {
     };
 
     const unassignId = async (id: string) => {
+        // Prevent self-unassign to avoid breaking the current user's session
+        if (id === currentUserId) {
+            addToast({ title: t('error'), description: t('cannot-unassign-self'), variant: 'solid' });
+            return;
+        }
         try {
             // find the tester object for id via map
             const userObj = users.find(u => u.user_id === id) ?? usersWithTester.find(u => u.user_id === id);
@@ -368,6 +378,8 @@ export default function UsersAndPermissionsPage() {
 
     const doUnassignSelected = async (ids: string[]) => {
         if (ids.length === 0) return;
+        // Never unassign the current logged-in user
+        ids = ids.filter(id => id !== currentUserId);
         // for simplification, call delete for each id in parallel
         try {
             await Promise.all(ids.map(async (id) => {
@@ -431,6 +443,11 @@ export default function UsersAndPermissionsPage() {
     };
 
     const deleteUser = async (userId: string) => {
+        // Prevent deleting the current logged-in user from the UI
+        if (userId === currentUserId) {
+            addToast({ title: t('error'), description: t('cannot-delete-self'), variant: 'solid' });
+            return;
+        }
         try {
             if (!token) throw new Error('No management token');
             const mgmtToken = token.access_token;
@@ -549,10 +566,10 @@ export default function UsersAndPermissionsPage() {
                 <TableHeader>
                     <TableColumn>
                         <Checkbox isSelected={Object.keys(selectedUserIds).length > 0 && Object.keys(selectedUserIds).every(k => selectedUserIds[k])} onValueChange={(v) => {
-                            // select/unselect all
+                            // select/unselect all (skip the current user)
                             if (v) {
                                 const map: Record<string, boolean> = {};
-                                (usersWithTester.length ? usersWithTester : users).forEach(u => { if (u.user_id) map[u.user_id] = true });
+                                (usersWithTester.length ? usersWithTester : users).forEach(u => { if (u.user_id && u.user_id !== currentUserId) map[u.user_id] = true });
                                 setSelectedUserIds(map);
                             } else {
                                 setSelectedUserIds({});
@@ -579,10 +596,12 @@ export default function UsersAndPermissionsPage() {
                                     {!assignedName && u.user_id && (
                                         <Button color="secondary" onPress={() => u.user_id && openAssignModalForOne(u.user_id)}>{t('assign')}</Button>
                                     )}
-                                    {assignedName && u.user_id && (
+                                    {assignedName && u.user_id && u.user_id !== currentUserId && (
                                         <Button color="warning" onPress={() => unassignId(u.user_id)}>{t('unassign')}</Button>
                                     )}
-                                    <Button className="ml-2" color="danger" onPress={() => { setConfirmDeleteUser(u); setConfirmDeleteOpen(true); }} disabled={deletingUserId === u.user_id} isLoading={deletingUserId === u.user_id}>{t('delete')}</Button>
+                                    {u.user_id !== currentUserId && (
+                                        <Button className="ml-2" color="danger" onPress={() => { setConfirmDeleteUser(u); setConfirmDeleteOpen(true); }} disabled={deletingUserId === u.user_id} isLoading={deletingUserId === u.user_id}>{t('delete')}</Button>
+                                    )}
                                 </TableCell>
                             </TableRow>
                         )

cloudflare-worker/src/routes/testers/index.ts

@@ -366,6 +366,25 @@ export const setupTesterRoutes = (router: Router, env: Env) => {
                 // Check for collisions in the DB
                 const existing = await db.idMappings.existsMultiple(idArray);
                 if (existing.length > 0) {
+                    // Determine owners of the existing IDs
+                    const owners = await Promise.all(existing.map((id) => db.idMappings.getTesterUuid(id)));
+                    const uniqueOwners = Array.from(new Set(owners.filter(Boolean)));
+                    // If all conflicting ids are already bound to the same tester we are adding to,
+                    // return a 409 error with a specific message about duplicate ID on the same tester.
+                    if (uniqueOwners.length === 1 && uniqueOwners[0] === tester.uuid) {
+                        return new Response(
+                            JSON.stringify({ success: false, error: "ID already exists in the database", existing }),
+                            {
+                                status: 409,
+                                headers: {
+                                    ...router.corsHeaders,
+                                    "Content-Type": "application/json",
+                                },
+                            },
+                        );
+                    }
+
+                    // Otherwise, at least one ID already exists for another tester
                     return new Response(
                         JSON.stringify({ success: false, error: "Some IDs already exist in the database", existing }),
                         {