feat(store): CreateScreenUser nimmt role-Parameter; ListScreenUsers schließt restricted ein

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-27 21:31:15 +01:00 · 2026-03-27 21:31:15 +01:00 · 18ba448f05
commit 18ba448f05
parent 700567071b
1 changed files with 11 additions and 7 deletions
--- a/server/backend/internal/store/auth.go
+++ b/server/backend/internal/store/auth.go
@ -155,11 +155,15 @@ func (s *AuthStore) EnsureAdminUser(ctx context.Context, tenantSlug, password st
 	return nil
 }

-// CreateScreenUser creates a new user with role 'screen_user' for the tenant
-// identified by tenantSlug. The password is hashed with bcrypt (cost 12).
+// CreateScreenUser creates a new user with the given role for the tenant
+// identified by tenantSlug. role must be "screen_user" or "restricted".
+// The password is hashed with bcrypt (cost 12).
 // Returns pgx.ErrNoRows if the tenant does not exist, or a wrapped error if
 // the username is already taken (unique constraint violation).
-func (s *AuthStore) CreateScreenUser(ctx context.Context, tenantSlug, username, password string) (*User, error) {
+func (s *AuthStore) CreateScreenUser(ctx context.Context, tenantSlug, username, password, role string) (*User, error) {
+	if role != "screen_user" && role != "restricted" {
+		return nil, fmt.Errorf("auth: invalid role: %s", role)
+	}
 	var tenantID string
 	err := s.pool.QueryRow(ctx, `select id from tenants where slug = $1`, tenantSlug).Scan(&tenantID)
 	if err != nil {
@ -176,9 +180,9 @@ func (s *AuthStore) CreateScreenUser(ctx context.Context, tenantSlug, username,

 	row := s.pool.QueryRow(ctx,
 		`insert into users(tenant_id, username, password_hash, role)
-		 values($1, $2, $3, 'screen_user')
-		 returning id, tenant_id, $4::text, username, password_hash, role, created_at`,
-		tenantID, username, string(hash), tenantSlug)
+		 values($1, $2, $3, $4)
+		 returning id, tenant_id, $5::text, username, password_hash, role, created_at`,
+		tenantID, username, string(hash), role, tenantSlug)
 	u, err := scanUserWithSlug(row)
 	if err != nil {
 		return nil, fmt.Errorf("auth: create screen user: %w", err)
@ -192,7 +196,7 @@ func (s *AuthStore) ListScreenUsers(ctx context.Context, tenantSlug string) ([]*
 		`select u.id, u.tenant_id, coalesce(t.slug, ''), u.username, u.password_hash, u.role, u.created_at
 		   from users u
 		   left join tenants t on t.id = u.tenant_id
-		  where t.slug = $1 and u.role = 'screen_user'
+		  where t.slug = $1 and u.role IN ('screen_user', 'restricted')
 		  order by u.username`, tenantSlug)
 	if err != nil {
 		return nil, fmt.Errorf("auth: list screen users: %w", err)