From a9def611f6456b5bd91d57157619a19c0ca9aacc Mon Sep 17 00:00:00 2001 From: Anthony Stirling <77850077+Frooodle@users.noreply.github.com.> Date: Fri, 1 Aug 2025 20:34:11 +0100 Subject: [PATCH] admin permission switch --- app/core/src/main/resources/templates/account.html | 2 +- .../proprietary/controller/AdminJobController.java | 6 +++--- .../security/config/AccountWebController.java | 9 +++++++-- .../security/controller/api/AdminSettingsController.java | 2 +- .../security/controller/api/DatabaseController.java | 2 +- .../security/controller/api/UserController.java | 8 ++++---- .../security/controller/web/DatabaseWebController.java | 2 +- .../security/controller/web/TeamWebController.java | 4 ++-- .../security/service/AppUpdateAuthService.java | 2 +- 9 files changed, 21 insertions(+), 16 deletions(-) diff --git a/app/core/src/main/resources/templates/account.html b/app/core/src/main/resources/templates/account.html index 33a0d9f47..8f4deb535 100644 --- a/app/core/src/main/resources/templates/account.html +++ b/app/core/src/main/resources/templates/account.html @@ -32,7 +32,7 @@ -
+
diff --git a/app/proprietary/src/main/java/stirling/software/proprietary/controller/AdminJobController.java b/app/proprietary/src/main/java/stirling/software/proprietary/controller/AdminJobController.java
index cdb8f24a3..7e7ae3a1f 100644
--- a/app/proprietary/src/main/java/stirling/software/proprietary/controller/AdminJobController.java
+++ b/app/proprietary/src/main/java/stirling/software/proprietary/controller/AdminJobController.java
@@ -33,7 +33,7 @@ public class AdminJobController {
 * @return Job statistics
 */
 @GetMapping("/api/v1/admin/job/stats")
- @PreAuthorize("hasRole('ROLE_ADMIN')")
+ @PreAuthorize("@roleBasedAuthorizationService.canManageAllUsers()")
 public ResponseEntity getJobStats() {
 JobStats stats = taskManager.getJobStats();
 log.info(
@@ -49,7 +49,7 @@ public class AdminJobController {
 * @return Queue statistics
 */
 @GetMapping("/api/v1/admin/job/queue/stats")
- @PreAuthorize("hasRole('ROLE_ADMIN')")
+ @PreAuthorize("@roleBasedAuthorizationService.canManageAllUsers()")
 public ResponseEntity getQueueStats() {
 Map queueStats = jobQueue.getQueueStats();
 log.info("Admin requested queue stats: {} queued jobs", queueStats.get("queuedJobs"));
@@ -62,7 +62,7 @@ public class AdminJobController {
 * @return A response indicating how many jobs were cleaned up
 */
 @PostMapping("/api/v1/admin/job/cleanup")
- @PreAuthorize("hasRole('ROLE_ADMIN')")
+ @PreAuthorize("@roleBasedAuthorizationService.canManageAllUsers()")
 public ResponseEntity cleanupOldJobs() {
 int beforeCount = taskManager.getJobStats().getTotalJobs();
 taskManager.cleanupOldJobs();
diff --git a/app/proprietary/src/main/java/stirling/software/proprietary/security/config/AccountWebController.java b/app/proprietary/src/main/java/stirling/software/proprietary/security/config/AccountWebController.java
index 0d846fc3d..0b0072787 100644
--- a/app/proprietary/src/main/java/stirling/software/proprietary/security/config/AccountWebController.java
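Review bot: The job-stats, queue-stats and cleanup endpoints in these three hunks are now gated on `@roleBasedAuthorizationService.canManageAllUsers()`, a predicate whose name describes user administration rather than job, settings or database administration; the same substitution is made in the AdminSettingsController, DatabaseController and DatabaseWebController hunks. The service itself is not in this diff, so this is inferred, but if canManageAllUsers() can hold for an account that is not a system admin, database backup/import, settings changes and job cleanup become available to that wider set without any line here recording that this is intended. Either document next to the service that the predicate is equivalent to system-admin, or gate these system-level endpoints on a separately named predicate for that privilege, mirroring the `user.get().isSystemAdmin()` call this commit uses in AccountWebController and AppUpdateAuthService. Since the bean name in the SpEL expression is only resolved at request time, a single test per controller that exercises one of these endpoints would catch a misnamed bean before it reaches production.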
+++ b/app/proprietary/src/main/java/stirling/software/proprietary/security/config/AccountWebController.java @@ -203,7 +203,7 @@ public class AccountWebController { return "login"; } - @PreAuthorize("hasRole('ROLE_ADMIN')") + @PreAuthorize("@roleBasedAuthorizationService.canManageAllUsers()") @GetMapping("/usage") public String showUsage() { if (!runningEE) { @@ -212,7 +212,7 @@ public class AccountWebController { return "usage"; } - @PreAuthorize("hasRole('ROLE_ADMIN')") + @PreAuthorize("@roleBasedAuthorizationService.canManageAllUsers()") @GetMapping("/adminSettings") public String showAddUserForm( HttpServletRequest request, Model model, Authentication authentication) { @@ -426,6 +426,11 @@ public class AccountWebController { model.addAttribute("username", username); model.addAttribute("messageType", messageType); model.addAttribute("role", user.get().getRolesAsString()); + model.addAttribute("isSystemAdmin", user.get().isSystemAdmin()); + System.out.println("user.get().getRolesAsString()" + user.get().getRolesAsString()); + + System.out.println( + "isSystemAdmin\", user.get().isSystemAdmin()" + user.get().isSystemAdmin()); model.addAttribute("settings", settingsJson); model.addAttribute("changeCredsFlag", user.get().isFirstLogin()); model.addAttribute("currentPage", "account"); diff --git a/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/AdminSettingsController.java b/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/AdminSettingsController.java index ebe856b00..593badf13 100644 --- a/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/AdminSettingsController.java +++ b/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/AdminSettingsController.java 
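Review bot: The two `System.out.println(...)` statements added in the `@@ -426,6 +426,11 @@` hunk read as leftover debugging: they write a user's roles and admin flag to stdout on every render of the account page, bypass the application's logging, and the second one's literal carries a stray `\"` (`"isSystemAdmin\", user.get().isSystemAdmin()"`), so its output is garbled. Drop both statements and the blank line between them, keeping only `model.addAttribute("isSystemAdmin", user.get().isSystemAdmin());`; if the values are genuinely needed for diagnosis, a parameterized `log.debug(...)` call is the form used elsewhere in this commit (see the `log.info(` calls in AdminJobController), assuming this class has a logger. The enclosing method starts before the hunk.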
@@ -43,7 +43,7 @@ import stirling.software.proprietary.security.model.api.admin.UpdateSettingsRequ @Tag(name = "Admin Settings", description = "Admin-only Settings Management APIs") @RequestMapping("/api/v1/admin/settings") @RequiredArgsConstructor -@PreAuthorize("hasRole('ROLE_ADMIN')") +@PreAuthorize("@roleBasedAuthorizationService.canManageAllUsers()") @Slf4j public class AdminSettingsController { diff --git a/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/DatabaseController.java b/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/DatabaseController.java index dec64c46f..6f56da057 100644 --- a/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/DatabaseController.java +++ b/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/DatabaseController.java @@ -33,7 +33,7 @@ import stirling.software.proprietary.security.service.DatabaseService; @Slf4j @Controller @RequestMapping("/api/v1/database") -@PreAuthorize("hasRole('ROLE_ADMIN')") +@PreAuthorize("@roleBasedAuthorizationService.canManageAllUsers()") @Conditional(H2SQLCondition.class) @Tag(name = "Database", description = "Database APIs for backup, import, and management") @RequiredArgsConstructor diff --git a/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/UserController.java b/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/UserController.java index 4401403c6..4b1f39faf 100644 --- a/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/UserController.java +++ b/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/UserController.java 
@@ -207,7 +207,7 @@ public class UserController { return "redirect:/account"; } - @PreAuthorize("hasRole('ROLE_ADMIN')") + @PreAuthorize("@roleBasedAuthorizationService.canManageAllUsers()") @PostMapping("/admin/saveUser") public RedirectView saveUser( @RequestParam(name = "username", required = true) String username, @@ -279,7 +279,7 @@ public class UserController { true); } - @PreAuthorize("hasRole('ROLE_ADMIN')") + @PreAuthorize("@roleBasedAuthorizationService.canManageAllUsers()") @PostMapping("/admin/changeRole") @Transactional public RedirectView changeRole( @@ -342,7 +342,7 @@ public class UserController { true); } - @PreAuthorize("hasRole('ROLE_ADMIN')") + @PreAuthorize("@roleBasedAuthorizationService.canManageAllUsers()") @PostMapping("/admin/changeUserEnabled/{username}") public RedirectView changeUserEnabled( @PathVariable("username") String username, @@ -392,7 +392,7 @@ public class UserController { true); } - @PreAuthorize("hasRole('ROLE_ADMIN')") + @PreAuthorize("@roleBasedAuthorizationService.canManageAllUsers()") @PostMapping("/admin/deleteUser/{username}") public RedirectView deleteUser( @PathVariable("username") String username, Authentication authentication) { diff --git a/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/web/DatabaseWebController.java b/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/web/DatabaseWebController.java index 940c0c13f..e8534d074 100644 --- a/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/web/DatabaseWebController.java +++ b/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/web/DatabaseWebController.java 
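Review bot: `saveUser` and `changeRole` (first and second hunks) are now reachable by any caller for whom `canManageAllUsers()` holds, and their bodies begin inside these hunks but continue outside them, so it is not visible here whether they still refuse to grant or revoke the system-admin role. If the new predicate can hold for a non-system-admin, the role-change path needs an explicit check that only a system admin may assign or remove that role and that a caller cannot raise their own account, otherwise the widening in this commit becomes an escalation path from user management to full administration; the same applies to `changeUserEnabled` and `deleteUser` acting on admin accounts. A comment above `changeRole` stating which roles each caller class may assign, e.g. `// Only a system admin may grant or revoke the system-admin role; canManageAllUsers() alone is not sufficient`, would make the intended boundary reviewable — but only if that is in fact enforced in the body.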
@@ -24,7 +24,7 @@ public class DatabaseWebController { private final DatabaseService databaseService; - @PreAuthorize("hasRole('ROLE_ADMIN')") + @PreAuthorize("@roleBasedAuthorizationService.canManageAllUsers()") @GetMapping("/database") public String database(HttpServletRequest request, Model model, Authentication authentication) { String error = request.getParameter("error"); diff --git a/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/web/TeamWebController.java b/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/web/TeamWebController.java index 2dd9b3478..36546d457 100644 --- a/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/web/TeamWebController.java +++ b/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/web/TeamWebController.java @@ -36,7 +36,7 @@ public class TeamWebController { private final UserRepository userRepository; @GetMapping - @PreAuthorize("hasRole('ROLE_ADMIN')") + @PreAuthorize("@roleBasedAuthorizationService.canManageAllUsers()") public String listTeams(HttpServletRequest request, Model model) { // Get teams with user counts using a DTO projection List allTeamsWithCounts = teamRepository.findAllTeamsWithUserCount(); @@ -87,7 +87,7 @@ public class TeamWebController { } @GetMapping("/{id}") - @PreAuthorize("hasRole('ROLE_ADMIN')") + @PreAuthorize("@roleBasedAuthorizationService.canManageAllUsers()") public String viewTeamDetails( HttpServletRequest request, @PathVariable("id") Long id, Model model) { // Get the team diff --git a/app/proprietary/src/main/java/stirling/software/proprietary/security/service/AppUpdateAuthService.java b/app/proprietary/src/main/java/stirling/software/proprietary/security/service/AppUpdateAuthService.java index 19e300585..0c1370da9 100644 --- a/app/proprietary/src/main/java/stirling/software/proprietary/security/service/AppUpdateAuthService.java 
+++ b/app/proprietary/src/main/java/stirling/software/proprietary/security/service/AppUpdateAuthService.java
@@ -37,7 +37,7 @@ class AppUpdateAuthService implements ShowAdminInterface {
 }
 Optional user = userRepository.findByUsername(authentication.getName());
 if (user.isPresent() && showUpdateOnlyAdmin) {
- return "ROLE_ADMIN".equals(user.get().getRolesAsString());
+ return user.get().isSystemAdmin();
 }
 return showUpdate;
 }
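Review bot: The admin check here now reads `user.get().isSystemAdmin()`, while every controller in this commit switches to `@roleBasedAuthorizationService.canManageAllUsers()`; unless the two are equivalent, the "show update only to admins" gate and the admin endpoints now answer to different predicates, which is easy to let drift apart. The previous comparison matched only when the roles string was exactly `ROLE_ADMIN`, so an admin holding additional roles was treated as non-admin; if isSystemAdmin() is not subject to that, this hunk also changes behaviour in a way the one-line commit title does not mention. A comment above the return such as `// Update notice is keyed on the system-admin flag, not on roleBasedAuthorizationService.canManageAllUsers()` would record which predicate is intended here. The method's opening lines are outside the hunk.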