working better, small changes

2026-05-16 12:12:33 +02:00
parent 7d05209d48
commit 164dacb678
7 changed files with 128 additions and 25 deletions
--- a/ht_booking/.gitignore
+++ b/ht_booking/.gitignore
@@ -20,4 +20,5 @@ target/
 *.sqlite-*
 # Local secrets (hardcoded admin credentials)
-.env
+.env
 todo.md
--- a/ht_booking/assets/i18n/en/main.ftl
+++ b/ht_booking/assets/i18n/en/main.ftl
@@ -41,3 +41,7 @@ court-name = Name
 court-surface = Surface
 court-indoor = Indoor
 add-court = Add Court
 court-remove = Remove
 court-delete-prompt = To remove this court and all its bookings, type its name below to confirm:
 court-delete-mismatch = The name you typed does not match the court name.
 court-delete-error = Court name did not match — nothing was removed.
--- a/ht_booking/assets/i18n/sk/main.ftl
+++ b/ht_booking/assets/i18n/sk/main.ftl
@@ -41,3 +41,7 @@ court-name = Názov
 court-surface = Povrch
 court-indoor = Krytý
 add-court = Pridať kurt
 court-remove = Odstrániť
 court-delete-prompt = Ak chcete odstrániť tento kurt a všetky jeho rezervácie, na potvrdenie napíšte nižšie jeho názov:
 court-delete-mismatch = Zadaný názov sa nezhoduje s názvom kurtu.
 court-delete-error = Názov kurtu sa nezhodoval — nič sa neodstránilo.
--- a/ht_booking/assets/views/admin/courts.html
+++ b/ht_booking/assets/views/admin/courts.html
@@ -8,6 +8,10 @@
  <a href="/admin" class="text-sm text-blue-600 hover:underline">&larr; {{ t(key="back-to-calendar", lang=lang) }}</a>
 </div>
 {% if name_error %}
 <div class="mb-3 rounded bg-red-100 px-3 py-2 text-sm text-red-700">{{ t(key="court-delete-error", lang=lang) }}</div>
 {% endif %}
 <div class="mb-6 overflow-auto rounded-lg border bg-white">
  <table class="w-full text-sm">
    <thead>
@@ -15,6 +19,7 @@
        <th class="p-2">{{ t(key="court-name", lang=lang) }}</th>
        <th class="p-2">{{ t(key="court-surface", lang=lang) }}</th>
        <th class="p-2">{{ t(key="court-indoor", lang=lang) }}</th>
        <th class="p-2">{{ t(key="court-remove", lang=lang) }}</th>
      </tr>
    </thead>
    <tbody>
@@ -23,6 +28,15 @@
        <td class="p-2">{{ c.name }}</td>
        <td class="p-2">{{ c.surface }}</td>
        <td class="p-2">{{ c.indoor }}</td>
        <td class="p-2">
          <form method="post" action="/admin/courts/{{ c.id }}/delete"
            data-court-name="{{ c.name }}" onsubmit="return promptCourtDelete(this);">
            <input type="hidden" name="confirm_name">
            <button class="rounded bg-red-600 px-3 py-1 text-sm text-white hover:bg-red-700">
              {{ t(key="delete", lang=lang) }}
            </button>
          </form>
        </td>
      </tr>
      {% endfor %}
    </tbody>
@@ -49,3 +63,20 @@
  </form>
 </div>
 {% endblock content %}
 {% block js %}
 <script>
  // The name confirmation appears only after the Delete button is pressed.
  function promptCourtDelete(form) {
    var expected = form.dataset.courtName;
    var typed = prompt('{{ t(key="court-delete-prompt", lang=lang) }}\n\n' + expected);
    if (typed === null) return false; // cancelled
    if (typed.trim() !== expected) {
      alert('{{ t(key="court-delete-mismatch", lang=lang) }}');
      return false;
    }
    form.confirm_name.value = typed.trim();
    return true;
  }
 </script>
 {% endblock js %}
--- a/ht_booking/assets/views/base.html
+++ b/ht_booking/assets/views/base.html
@@ -15,7 +15,7 @@
      <a href="/" class="text-lg font-bold">{{ t(key="brand", lang=lang) }}</a>
      <nav class="flex items-center gap-4 text-sm">
        <a href="/" class="hover:underline">{{ t(key="nav-calendar", lang=lang) }}</a>
-        {% if is_admin %}
+        {% if logged_in | default(value=false) %}
        <a href="/admin" class="hover:underline">{{ t(key="admin-title", lang=lang) }}</a>
        <a href="/admin/courts" class="hover:underline">{{ t(key="manage-courts", lang=lang) }}</a>
        <form method="post" action="/admin/logout" class="inline">
--- a/ht_booking/src/controllers/admin.rs
+++ b/ht_booking/src/controllers/admin.rs
@@ -36,6 +36,23 @@ pub struct AdminAuth {
    pub user: users::Model,
 }
 /// Returns the logged-in admin user if the request carries a valid admin
 /// cookie. Unlike the [`AdminAuth`] guard this never rejects, so public pages
 /// can detect an admin visitor without redirecting non-admins away.
 pub async fn current_admin(ctx: &AppContext, jar: &CookieJar) -> Option<users::Model> {
    let admin = admin_email();
    if admin.is_empty() {
        return None;
    }
    let token = jar.get(AUTH_COOKIE).map(|c| c.value().to_string())?;
    let (secret, _) = jwt_settings(ctx)?;
    let claims = jwt::JWT::new(&secret).validate(&token).ok()?;
    let user = users::Model::find_by_pid(&ctx.db, &claims.claims.pid)
        .await
        .ok()?;
    (user.email == admin).then_some(user)
 }
 impl FromRequestParts<AppContext> for AdminAuth {
    type Rejection = Redirect;
@@ -43,28 +60,11 @@ impl FromRequestParts<AppContext> for AdminAuth {
        parts: &mut Parts,
        ctx: &AppContext,
    ) -> std::result::Result<Self, Self::Rejection> {
        let deny = || Redirect::to("/admin/login");
        let admin = admin_email();
        if admin.is_empty() {
            return Err(deny());
        }
        let jar = CookieJar::from_headers(&parts.headers);
-        let token = jar
+        match current_admin(ctx, &jar).await {
-            .get(AUTH_COOKIE)
+            Some(user) => Ok(Self { user }),
-            .map(|c| c.value().to_string())
+            None => Err(Redirect::to("/admin/login")),
            .ok_or_else(deny)?;
        let (secret, _) = jwt_settings(ctx).ok_or_else(deny)?;
        let claims = jwt::JWT::new(&secret)
            .validate(&token)
            .map_err(|_| deny())?;
        let user = users::Model::find_by_pid(&ctx.db, &claims.claims.pid)
            .await
            .map_err(|_| deny())?;
        if user.email != admin {
            return Err(deny());
        }
        Ok(Self { user })
    }
 }
@@ -138,18 +138,25 @@ pub async fn dashboard(
    Query(q): Query<calendar::CalQuery>,
 ) -> Result<Response> {
    let lang = current_lang(&jar);
-    let page = build_calendar(&ctx, &lang, true, q.court, q.week).await?;
+    let page = build_calendar(&ctx, &lang, true, true, q.court, q.week).await?;
    format::render().view(&v, "calendar/week.html", &page)
 }
 // ---------------------------------------------------------------- courts ---
 #[derive(Debug, Deserialize)]
 pub struct CourtsQuery {
    /// Set to `name` when a court-delete confirmation name did not match.
    pub err: Option<String>,
 }
 #[debug_handler]
 pub async fn courts_page(
    _auth: AdminAuth,
    ViewEngine(v): ViewEngine<TeraView>,
    State(ctx): State<AppContext>,
    jar: CookieJar,
    Query(q): Query<CourtsQuery>,
 ) -> Result<Response> {
    let lang = current_lang(&jar);
    let list = courts::Entity::find()
@@ -170,7 +177,13 @@ pub async fn courts_page(
    format::render().view(
        &v,
        "admin/courts.html",
-        data!({ "lang": lang, "is_admin": true, "courts": items }),
+        data!({
            "lang": lang,
            "is_admin": true,
            "logged_in": true,
            "courts": items,
            "name_error": q.err.as_deref() == Some("name"),
        }),
    )
 }
@@ -198,6 +211,43 @@ pub async fn create_court(
    Ok(Redirect::to("/admin/courts").into_response())
 }
 #[derive(Debug, Deserialize)]
 pub struct DeleteCourtForm {
    /// The court name the admin retyped to confirm removal.
    pub confirm_name: String,
 }
 /// Removes a court. As a safeguard the admin must retype the court's exact
 /// name; a mismatch aborts and redirects back with an error. Deleting a court
 /// also removes all of its bookings, since they would otherwise be orphaned.
 #[debug_handler]
 pub async fn delete_court(
    _auth: AdminAuth,
    State(ctx): State<AppContext>,
    Path(id): Path<i32>,
    Form(form): Form<DeleteCourtForm>,
 ) -> Result<Response> {
    let court = courts::Entity::find_by_id(id)
        .one(&ctx.db)
        .await?
        .ok_or(Error::NotFound)?;
    let actual = court
        .name
        .clone()
        .unwrap_or_else(|| format!("Court {}", court.id));
    if form.confirm_name.trim() != actual {
        return Ok(Redirect::to("/admin/courts?err=name").into_response());
    }
    bookings::Entity::delete_many()
        .filter(bookings::Column::CourtId.eq(id))
        .exec(&ctx.db)
        .await?;
    courts::Entity::delete_by_id(id).exec(&ctx.db).await?;
    Ok(Redirect::to("/admin/courts").into_response())
 }
 // --------------------------------------------------------------- bookings --
 fn hour_options() -> Vec<serde_json::Value> {
@@ -242,6 +292,7 @@ pub async fn booking_new(
        data!({
            "lang": lang,
            "is_admin": true,
            "logged_in": true,
            "mode": "new",
            "action": "/admin/booking",
            "court_id": court_id,
@@ -321,6 +372,7 @@ pub async fn booking_edit(
        data!({
            "lang": lang,
            "is_admin": true,
            "logged_in": true,
            "mode": "edit",
            "action": format!("/admin/booking/{id}"),
            "court_id": booking.court_id,
@@ -384,6 +436,7 @@ pub fn routes() -> Routes {
        .add("/", get(dashboard))
        .add("/courts", get(courts_page))
        .add("/courts", post(create_court))
        .add("/courts/{id}/delete", post(delete_court))
        .add("/booking", get(booking_new))
        .add("/booking", post(booking_create))
        .add("/booking/{id}", get(booking_edit))
--- a/ht_booking/src/controllers/calendar.rs
+++ b/ht_booking/src/controllers/calendar.rs
@@ -62,7 +62,10 @@ pub struct Row {
 #[derive(Debug, Serialize)]
 pub struct CalendarPage {
    pub lang: String,
    /// `true` only on the admin dashboard — enables the editable cells.
    pub is_admin: bool,
    /// `true` whenever the admin is signed in — controls the nav links.
    pub logged_in: bool,
    pub base_path: String,
    pub has_courts: bool,
    pub courts: Vec<CourtOpt>,
@@ -102,6 +105,7 @@ pub async fn build_calendar(
    ctx: &AppContext,
    lang: &str,
    is_admin: bool,
    logged_in: bool,
    q_court: Option<i32>,
    q_week: Option<String>,
 ) -> Result<CalendarPage> {
@@ -191,6 +195,7 @@ pub async fn build_calendar(
    Ok(CalendarPage {
        lang: lang.to_string(),
        is_admin,
        logged_in,
        base_path: if is_admin { "/admin" } else { "/" }.to_string(),
        has_courts: !courts_opts.is_empty(),
        courts: courts_opts,
@@ -216,7 +221,12 @@ pub async fn index(
    Query(q): Query<CalQuery>,
 ) -> Result<Response> {
    let lang = current_lang(&jar);
-    let page = build_calendar(&ctx, &lang, false, q.court, q.week).await?;
+    // The public calendar is read-only for everyone, admin included. When an
    // admin is signed in we still flag it so the nav keeps the admin links.
    let logged_in = crate::controllers::admin::current_admin(&ctx, &jar)
        .await
        .is_some();
    let page = build_calendar(&ctx, &lang, false, logged_in, q.court, q.week).await?;
    format::render().view(&v, "calendar/week.html", &page)
 }