modified: web/blueprints/group_admin.py

modified: web/blueprints/site_admin.py modified: web/roles.py modified: web/templates/admin/group_members.html
2026-04-13 18:02:55 +02:00
parent be26484606
commit 31b45d4db4
4 changed files with 219 additions and 7 deletions
--- a/web/blueprints/group_admin.py
+++ b/web/blueprints/group_admin.py
@@ -9,10 +9,13 @@ from flask import Blueprint, render_template, request, redirect, url_for, sessio
 from config import Config
 from mailer import send_mail
 import panel_db as db
-from roles import GROUP_MANAGEMENT_ROLES, GROUP_ROLE_OPTIONS, GROUP_ROLE_SET, role_label
+from roles import GROUP_MANAGEMENT_ROLES, GROUP_ROLE_OPTIONS, GROUP_ROLE_SET, OWNER_ONLY_ROLES, role_label

 group_admin = Blueprint("group_admin", __name__, url_prefix="/group-admin")

+# Role options that group admins are allowed to assign (owner excluded)
+_NON_OWNER_ROLE_OPTIONS = [(r, l) for r, l in GROUP_ROLE_OPTIONS if r not in OWNER_ONLY_ROLES]
+
 ALL_PERMISSIONS = [
    ("view_dashboard",     "Dashboard"),
    ("view_players",       "Players"),
@@ -74,7 +77,7 @@ def members():
    return render_template("group_admin/members.html",
        group=group, members=members, non_members=non_members, pending_invites=pending_invites,
        all_permissions=ALL_PERMISSIONS,
-        role_options=GROUP_ROLE_OPTIONS,
+        role_options=_NON_OWNER_ROLE_OPTIONS,
        role_label=role_label)


@@ -84,6 +87,9 @@ def member_add():
    group_id = session["group_id"]
    user_id  = request.form.get("user_id", type=int)
    role     = request.form.get("role", "viewer")
+    if role in OWNER_ONLY_ROLES:
+        flash("The Group Owner role can only be assigned by a Site Admin.", "danger")
+        return redirect(url_for("group_admin.members"))
    if role not in GROUP_ROLE_SET:
        flash("Invalid role selected.", "danger")
        return redirect(url_for("group_admin.members"))
@@ -113,6 +119,10 @@ def member_invite():
        flash("Invalid role selected.", "danger")
        return redirect(url_for("group_admin.members"))

+    if role in OWNER_ONLY_ROLES:
+        flash("The Group Owner role can only be assigned by a Site Admin.", "danger")
+        return redirect(url_for("group_admin.members"))
+
    if db.count_active_group_invites(group_id) >= Config.INVITE_MAX_ACTIVE_PER_GROUP:
        flash("Active invite limit reached for this group. Revoke old invites or wait for expiry.", "danger")
        return redirect(url_for("group_admin.members"))
@@ -222,6 +232,9 @@ def member_edit(user_id):

    if request.method == "POST":
        role = request.form.get("role", "viewer")
+        if role in OWNER_ONLY_ROLES:
+            flash("The Group Owner role can only be assigned by a Site Admin.", "danger")
+            return redirect(url_for("group_admin.members"))
        if role not in GROUP_ROLE_SET:
            flash("Invalid role selected.", "danger")
            return redirect(url_for("group_admin.members"))
@@ -233,7 +246,7 @@ def member_edit(user_id):
    return render_template("group_admin/member_edit.html",
        group=group, user=user, member=member,
        current_perms=current_perms, all_permissions=ALL_PERMISSIONS,
-        role_options=GROUP_ROLE_OPTIONS,
+        role_options=_NON_OWNER_ROLE_OPTIONS,
        role_label=role_label)