From 18ba448f05c861e5cad637f46c47b56212857e31 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jesko=20Ansch=C3=BCtz?=
Date: Fri, 27 Mar 2026 21:31:15 +0100
Subject: [PATCH] =?UTF-8?q?feat(store):=20CreateScreenUser=20nimmt=20role-?=
 =?UTF-8?q?Parameter;=20ListScreenUsers=20schlie=C3=9Ft=20restricted=20ein?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-Authored-By: Claude Sonnet 4.6
---
 server/backend/internal/store/auth.go | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/server/backend/internal/store/auth.go b/server/backend/internal/store/auth.go
index f076b95..2ab98ac 100644
--- a/server/backend/internal/store/auth.go
+++ b/server/backend/internal/store/auth.go
@@ -155,11 +155,15 @@ func (s *AuthStore) EnsureAdminUser(ctx context.Context, tenantSlug, password st
 return nil
 }
 
-// CreateScreenUser creates a new user with role 'screen_user' for the tenant
-// identified by tenantSlug. The password is hashed with bcrypt (cost 12).
+// CreateScreenUser creates a new user with the given role for the tenant
+// identified by tenantSlug. role must be "screen_user" or "restricted".
+// The password is hashed with bcrypt (cost 12).
 // Returns pgx.ErrNoRows if the tenant does not exist, or a wrapped error if
 // the username is already taken (unique constraint violation).
-func (s *AuthStore) CreateScreenUser(ctx context.Context, tenantSlug, username, password string) (*User, error) {
+func (s *AuthStore) CreateScreenUser(ctx context.Context, tenantSlug, username, password, role string) (*User, error) {
+ if role != "screen_user" && role != "restricted" {
+ return nil, fmt.Errorf("auth: invalid role: %s", role)
+ }
 var tenantID string
 err := s.pool.QueryRow(ctx, `select id from tenants where slug = $1`, tenantSlug).Scan(&tenantID)
 if err != nil {
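Review bot: The new guard at the top of CreateScreenUser formats the caller-supplied role with `%s` in `fmt.Errorf("auth: invalid role: %s", role)`; `%q` would quote it, so an empty value stays visible and embedded newlines cannot break up a log line if the error is logged. A wrapped sentinel, e.g. `fmt.Errorf("%w: %q", ErrInvalidRole, role)` with a newly declared package-level `var ErrInvalidRole = errors.New("auth: invalid role")`, would let callers tell a rejected role from a database failure via `errors.Is`. The two role literals are repeated in the ListScreenUsers query in the last hunk, so named constants would keep the allowlist and the filter from drifting apart. The function body continues past the end of this hunk.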
@@ -176,9 +180,9 @@ func (s *AuthStore) CreateScreenUser(ctx context.Context, tenantSlug, username, row := s.pool.QueryRow(ctx, `insert into users(tenant_id, username, password_hash, role) - values($1, $2, $3, 'screen_user') - returning id, tenant_id, $4::text, username, password_hash, role, created_at`, - tenantID, username, string(hash), tenantSlug) + values($1, $2, $3, $4) + returning id, tenant_id, $5::text, username, password_hash, role, created_at`, + tenantID, username, string(hash), role, tenantSlug) u, err := scanUserWithSlug(row) if err != nil { return nil, fmt.Errorf("auth: create screen user: %w", err) @@ -192,7 +196,7 @@ func (s *AuthStore) ListScreenUsers(ctx context.Context, tenantSlug string) ([]* `select u.id, u.tenant_id, coalesce(t.slug, ''), u.username, u.password_hash, u.role, u.created_at from users u left join tenants t on t.id = u.tenant_id - where t.slug = $1 and u.role = 'screen_user' + where t.slug = $1 and u.role IN ('screen_user', 'restricted') order by u.username`, tenantSlug) if err != nil { return nil, fmt.Errorf("auth: list screen users: %w", err)
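Review bot: Widening the filter to `u.role IN ('screen_user', 'restricted')` in the ListScreenUsers hunk means every existing caller now also receives restricted accounts, and nothing in the visible lines tells them so; any caller that treated the result as "all screen_user accounts" has to check the role field itself. The doc comment sits outside the hunk and presumably needs the same update CreateScreenUser got, e.g. `// ListScreenUsers returns all users with role 'screen_user' or 'restricted' for the tenant.` The query also selects `u.password_hash` for each listed row (a context line, unchanged here), so with more rows returned it is worth confirming that the User type never serializes that field in list responses. The function starts and ends outside the hunk.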