feat: restrict admin access to club operations and rollout test environment

2026-03-18 09:08:45 +01:00
parent 9cb80e4517
commit 821459966c
22 changed files with 507 additions and 203 deletions
@@ -0,0 +1,113 @@
+using Microsoft.EntityFrameworkCore;
+using Npgsql;
+using WorkClub.Application.Clubs.DTOs;
+using WorkClub.Domain.Entities;
+using WorkClub.Infrastructure.Data;
+
+namespace WorkClub.Api.Services;
+
+public class AdminClubService
+{
+    private readonly AppDbContext _context;
+
+    public AdminClubService(AppDbContext context)
+    {
+        _context = context;
+    }
+
+    public async Task<List<ClubDetailDto>> GetAllClubsAsync()
+    {
+        var strategy = _context.Database.CreateExecutionStrategy();
+        return await strategy.ExecuteAsync(async () =>
+        {
+            await using var transaction = await _context.Database.BeginTransactionAsync();
+            await _context.Database.ExecuteSqlRawAsync("SET LOCAL ROLE app_admin");
+            var clubs = await _context.Clubs.ToListAsync();
+            await _context.Database.ExecuteSqlRawAsync("RESET ROLE");
+            await transaction.CommitAsync();
+
+            return clubs.Select(c => new ClubDetailDto(
+                c.Id, c.Name, c.SportType.ToString(), c.Description, c.CreatedAt, c.UpdatedAt)).ToList();
+        });
+    }
+
+    public async Task<ClubDetailDto> CreateClubAsync(CreateClubRequest request)
+    {
+        var tenantId = Guid.NewGuid().ToString();
+        var club = new Club
+        {
+            Id = Guid.NewGuid(),
+            TenantId = tenantId,
+            Name = request.Name,
+            SportType = request.SportType,
+            Description = request.Description,
+            CreatedAt = DateTimeOffset.UtcNow,
+            UpdatedAt = DateTimeOffset.UtcNow
+        };
+
+        var strategy = _context.Database.CreateExecutionStrategy();
+        await strategy.ExecuteAsync(async () =>
+        {
+            await using var transaction = await _context.Database.BeginTransactionAsync();
+            await _context.Database.ExecuteSqlRawAsync("SET LOCAL ROLE app_admin");
+            _context.Clubs.Add(club);
+            await _context.SaveChangesAsync();
+            await _context.Database.ExecuteSqlRawAsync("RESET ROLE");
+            await transaction.CommitAsync();
+        });
+
+        return new ClubDetailDto(club.Id, club.Name, club.SportType.ToString(), club.Description, club.CreatedAt, club.UpdatedAt);
+    }
+
+    public async Task<(ClubDetailDto? club, string? error)> UpdateClubAsync(Guid id, UpdateClubRequest request)
+    {
+        var strategy = _context.Database.CreateExecutionStrategy();
+        return await strategy.ExecuteAsync<(ClubDetailDto? club, string? error)>(async () =>
+        {
+            await using var transaction = await _context.Database.BeginTransactionAsync();
+            await _context.Database.ExecuteSqlRawAsync("SET LOCAL ROLE app_admin");
+            
+            var club = await _context.Clubs.FindAsync(id);
+            if (club == null)
+            {
+                await _context.Database.ExecuteSqlRawAsync("RESET ROLE");
+                return (null, "Club not found");
+            }
+
+            club.Name = request.Name;
+            club.SportType = request.SportType;
+            club.Description = request.Description;
+            club.UpdatedAt = DateTimeOffset.UtcNow;
+
+            await _context.SaveChangesAsync();
+            await _context.Database.ExecuteSqlRawAsync("RESET ROLE");
+            await transaction.CommitAsync();
+
+            return (new ClubDetailDto(club.Id, club.Name, club.SportType.ToString(), club.Description, club.CreatedAt, club.UpdatedAt), null);
+        });
+    }
+
+    public async Task<bool> DeleteClubAsync(Guid id)
+    {
+        var strategy = _context.Database.CreateExecutionStrategy();
+        return await strategy.ExecuteAsync<bool>(async () =>
+        {
+            await using var transaction = await _context.Database.BeginTransactionAsync();
+            await _context.Database.ExecuteSqlRawAsync("SET LOCAL ROLE app_admin");
+            
+            var club = await _context.Clubs.FindAsync(id);
+            if (club == null)
+            {
+                await _context.Database.ExecuteSqlRawAsync("RESET ROLE");
+                return false;
+            }
+
+            _context.Clubs.Remove(club);
+            await _context.SaveChangesAsync();
+            await _context.Database.ExecuteSqlRawAsync("RESET ROLE");
+            await transaction.CommitAsync();
+
+            return true;
+        });
+    }
+}
@@ -60,7 +60,6 @@ public class MemberSyncService
        var roleClaim = httpContext.User.FindFirst(System.Security.Claims.ClaimTypes.Role)?.Value ?? "Member";
        var clubRole = roleClaim.ToLowerInvariant() switch
        {
-            "admin" => ClubRole.Admin,
            "manager" => ClubRole.Manager,
            "member" => ClubRole.Member,
            "viewer" => ClubRole.Viewer,