- Experiments
+ Studies
- Design and manage your HRI experiments
+ Manage your HRI research studies
-
diff --git a/src/app/unauthorized/page.tsx b/src/app/unauthorized/page.tsx
new file mode 100644
index 0000000..31400e0
--- /dev/null
+++ b/src/app/unauthorized/page.tsx
@@ -0,0 +1,105 @@
+import Link from "next/link";
+import { Button } from "~/components/ui/button";
+import {
+ Card,
+ CardContent,
+ CardDescription,
+ CardHeader,
+ CardTitle,
+} from "~/components/ui/card";
+import { auth } from "~/server/auth";
+
+export default async function UnauthorizedPage() {
+ const session = await auth();
+
+ return (
+
+
+ {/* Header */}
+
+
+
HRIStudio
+
+
Access Denied
+
+
+ {/* Unauthorized Card */}
+
+
+
+ Access Denied
+
+ You don't have permission to access this resource
+
+
+
+
+
Insufficient Permissions
+
+ This page requires additional privileges that your account
+ doesn't have. Please contact your administrator to request
+ access.
+
+
+
Current User:
+
{session.user.name ?? session.user.email}
+ {session.user.roles && session.user.roles.length > 0 ? (
+
+ Roles: {session.user.roles.map((r) => r.role).join(", ")}
+
+ ) : (
+
No roles assigned
+ )}
+
+
+
+
+
+
+
+
+
+ Need help?{" "}
+
+
+
+
+ {/* Footer */}
+
+
+ © 2024 HRIStudio. A platform for Human-Robot Interaction research.
+
+
+
+
+ );
+}
diff --git a/src/components/admin/admin-user-table.tsx b/src/components/admin/admin-user-table.tsx
new file mode 100644
index 0000000..29d2e29
--- /dev/null
+++ b/src/components/admin/admin-user-table.tsx
@@ -0,0 +1,359 @@
+"use client";
+
+import { useState } from "react";
+import { Button } from "~/components/ui/button";
+import { Badge } from "~/components/ui/badge";
+import { Input } from "~/components/ui/input";
+import { Label } from "~/components/ui/label";
+import {
+ Select,
+ SelectContent,
+ SelectItem,
+ SelectTrigger,
+ SelectValue,
+} from "~/components/ui/select";
+import {
+ Dialog,
+ DialogContent,
+ DialogDescription,
+ DialogHeader,
+ DialogTitle,
+ DialogTrigger,
+} from "~/components/ui/dialog";
+import { api } from "~/trpc/react";
+import { formatRole, getAvailableRoles } from "~/lib/auth-client";
+import type { SystemRole } from "~/lib/auth-client";
+
+interface UserWithRoles {
+ id: string;
+ name: string | null;
+ email: string;
+ image: string | null;
+ createdAt: Date;
+ roles: SystemRole[];
+}
+
+export function AdminUserTable() {
+ const [search, setSearch] = useState("");
+ const [selectedRole, setSelectedRole] = useState
("");
+ const [page, setPage] = useState(1);
+ const [selectedUser, setSelectedUser] = useState(null);
+ const [roleToAssign, setRoleToAssign] = useState("");
+
+ const {
+ data: usersData,
+ isLoading,
+ refetch,
+ } = api.users.list.useQuery({
+ page,
+ limit: 10,
+ search: search || undefined,
+ role: selectedRole || undefined,
+ });
+
+ const assignRole = api.users.assignRole.useMutation({
+ onSuccess: () => {
+ void refetch();
+ setSelectedUser(null);
+ setRoleToAssign("");
+ },
+ });
+
+ const removeRole = api.users.removeRole.useMutation({
+ onSuccess: () => {
+ void refetch();
+ },
+ });
+
+ const handleAssignRole = () => {
+ if (!selectedUser || !roleToAssign) return;
+
+ assignRole.mutate({
+ userId: selectedUser.id,
+ role: roleToAssign,
+ });
+ };
+
+ const handleRemoveRole = (userId: string, role: SystemRole) => {
+ removeRole.mutate({
+ userId,
+ role,
+ });
+ };
+
+ const availableRoles = getAvailableRoles();
+
+ if (isLoading) {
+ return (
+
+ );
+ }
+
+ return (
+
+ {/* Filters */}
+
+
+ Search Users
+
+
+ Filter by Role
+ setSelectedRole(value as SystemRole | "")}
+ >
+
+
+
+ All roles
+ {availableRoles.map((role) => (
+
+ {role.label}
+
+ ))}
+
+
+
+
+
+ {/* Users Table */}
+
+
+
+
+
+
+ User
+
+
+ Email
+
+
+ Roles
+
+
+ Created
+
+
+ Actions
+
+
+
+
+ {usersData?.users.map((user) => (
+
+
+
+
+
+ {(user.name ?? user.email).charAt(0).toUpperCase()}
+
+
+
+
+ {user.name ?? "Unnamed User"}
+
+
+ ID: {user.id.slice(0, 8)}...
+
+
+
+
+ {user.email}
+
+
+
+ {user.roles.length > 0 ? (
+ user.roles.map((role) => (
+
+
+ {formatRole(role)}
+
+ handleRemoveRole(user.id, role)}
+ disabled={removeRole.isPending}
+ >
+ ×
+
+
+ ))
+ ) : (
+
No roles
+ )}
+
+
+
+ {new Date(user.createdAt).toLocaleDateString()}
+
+
+
+
+
+ setSelectedUser(user)}
+ >
+ Manage
+
+
+
+
+ Manage User Roles
+
+ Assign or remove roles for {user.name ?? user.email}
+
+
+
+
+
Assign Role
+
+
+ setRoleToAssign(value as SystemRole)
+ }
+ >
+
+
+
+ {availableRoles
+ .filter(
+ (role) =>
+ !user.roles.includes(role.value),
+ )
+ .map((role) => (
+
+ {role.label}
+
+ ))}
+
+
+
+ {assignRole.isPending
+ ? "Assigning..."
+ : "Assign"}
+
+
+
+
+
+
Current Roles
+
+ {user.roles.length > 0 ? (
+ user.roles.map((role) => (
+
+
+
+ {formatRole(role)}
+
+
+ {
+ availableRoles.find(
+ (r) => r.value === role,
+ )?.description
+ }
+
+
+
+ handleRemoveRole(user.id, role)
+ }
+ disabled={removeRole.isPending}
+ >
+ Remove
+
+
+ ))
+ ) : (
+
+ No roles assigned
+
+ )}
+
+
+
+
+
+
+ ))}
+
+
+
+
+
+ {/* Pagination */}
+ {usersData && usersData.pagination.pages > 1 && (
+
+
+ Showing {usersData.users.length} of {usersData.pagination.total}{" "}
+ users
+
+
+ setPage(page - 1)}
+ disabled={page === 1}
+ >
+ Previous
+
+
+ {page} of {usersData.pagination.pages}
+
+ setPage(page + 1)}
+ disabled={page === usersData.pagination.pages}
+ >
+ Next
+
+
+
+ )}
+
+ {/* Error Messages */}
+ {assignRole.error && (
+
+
Error assigning role
+
{assignRole.error.message}
+
+ )}
+
+ {removeRole.error && (
+
+
Error removing role
+
{removeRole.error.message}
+
+ )}
+
+
+
+ System Roles Overview
+
+
+ Roles define user permissions and access levels within HRIStudio
+
+
+
+
+ {availableRoles.map((role) => (
+
+
+
+
+
+ {role.label}
+
+
+
+ {roleStats[role.value as keyof typeof roleStats] || 0} users
+
+
+
+
+ {role.description}
+
+
+
+ Key Permissions:
+
+
+ {getRolePermissions(role.value)
+ ?.slice(0, 3)
+ .map((permission, index) => (
+
+ ))}
+ {getRolePermissions(role.value)?.length > 3 && (
+
+
+
+ +{getRolePermissions(role.value).length - 3} more
+
+
+ )}
+
+
+
+ ))}
+
+
+
+
+
+
+
+
+
+ Role Hierarchy
+
+
+ Administrator has access to all features. Users can have multiple
+ roles for different access levels.
+
+
+
+
+
+ {Array.from({ length: 4 }).map((_, i) => (
+
+
+
+
+
+
+
+
+
+ ))}
+
+ {/* Total Users */}
+
+
+
+ Total Users
+
+
+
+ {displayStats.totalUsers}
+
+
+ All roles
+
+
+
+
+
+ {/* Total Studies */}
+
+
+
+ Studies
+
+
+
+ {displayStats.totalStudies}
+
+
+ Active
+
+
+
+
+
+ {/* Total Experiments */}
+
+
+
+ Experiments
+
+
+
+
+ {displayStats.totalExperiments}
+
+
+
+ Published
+
+
+
+
+
+ {/* Total Trials */}
+
+
+
+ Trials
+
+
+
+ {displayStats.totalTrials}
+
+
+ {displayStats.activeTrials} running
+
+
+
+
+
+ {/* System Health */}
+
+
+
+ System Health
+
+
+
+
+
+
+ {displayStats.systemHealth === "healthy" ? "Healthy" : "Issues"}
+
+
+ All services operational
+
+
+
+
+ {/* Uptime */}
+
+
+
+ Uptime
+
+
+
+ {displayStats.uptime}
+ Since last restart
+
+
+
+ {/* Storage Usage */}
+
+
+
+ Storage Used
+
+
+
+ {displayStats.storageUsed}
+ Media & database
+
+
+
+ {/* Recent Activity */}
+
+
+
+ Recent Activity
+
+
+
+
+
2 trials started today
+
1 new user registered
+
+ 3 experiments published
+
+
+
+
;
+
+export function PasswordChangeForm() {
+ const [showForm, setShowForm] = useState(false);
+
+ const form = useForm({
+ resolver: zodResolver(passwordSchema),
+ defaultValues: {
+ currentPassword: "",
+ newPassword: "",
+ confirmPassword: "",
+ },
+ });
+
+ const changePassword = api.users.changePassword.useMutation({
+ onSuccess: () => {
+ form.reset();
+ setShowForm(false);
+ },
+ onError: (error) => {
+ console.error("Error changing password:", error);
+ },
+ });
+
+ const onSubmit = (data: PasswordFormData) => {
+ changePassword.mutate({
+ currentPassword: data.currentPassword,
+ newPassword: data.newPassword,
+ });
+ };
+
+ const handleCancel = () => {
+ form.reset();
+ setShowForm(false);
+ };
+
+ if (!showForm) {
+ return (
+
+
+
+ Change your account password for enhanced security
+
+
+
+
+ setShowForm(true)} variant="outline">
+ Change Password
+
+
+
;
+
+interface ProfileEditFormProps {
+ user: {
+ id: string;
+ name: string | null;
+ email: string | null;
+ image: string | null;
+ };
+}
+
+export function ProfileEditForm({ user }: ProfileEditFormProps) {
+ const [isEditing, setIsEditing] = useState(false);
+ const router = useRouter();
+
+ const form = useForm({
+ resolver: zodResolver(profileSchema),
+ defaultValues: {
+ name: user.name ?? "",
+ email: user.email ?? "",
+ },
+ });
+
+ const updateProfile = api.users.update.useMutation({
+ onSuccess: () => {
+ setIsEditing(false);
+ router.refresh();
+ },
+ onError: (error) => {
+ console.error("Error updating profile:", error);
+ },
+ });
+
+ const onSubmit = (data: ProfileFormData) => {
+ updateProfile.mutate({
+ id: user.id,
+ name: data.name,
+ email: data.email,
+ });
+ };
+
+ const handleCancel = () => {
+ form.reset();
+ setIsEditing(false);
+ };
+
+ if (!isEditing) {
+ return (
+
+
+
+
Name
+
+ {user.name ?? "Not set"}
+
+
+
+
Email
+
+ {user.email ?? "Not set"}
+
+
+
+
+
+ setIsEditing(true)} variant="outline">
+ Edit Profile
+
+
+
,
+ VariantProps {}
+
+function Badge({ className, variant, ...props }: BadgeProps) {
+ return (
+
+ )
+}
+
+export { Badge, badgeVariants }
diff --git a/src/components/ui/dialog.tsx b/src/components/ui/dialog.tsx
new file mode 100644
index 0000000..f940d2e
--- /dev/null
+++ b/src/components/ui/dialog.tsx
@@ -0,0 +1,120 @@
+import * as React from "react"
+import * as DialogPrimitive from "@radix-ui/react-dialog"
+import { X } from "lucide-react"
+
+import { cn } from "~/lib/utils"
+
+const Dialog = DialogPrimitive.Root
+
+const DialogTrigger = DialogPrimitive.Trigger
+
+const DialogPortal = DialogPrimitive.Portal
+
+const DialogClose = DialogPrimitive.Close
+
+const DialogOverlay = React.forwardRef<
+ React.ElementRef,
+ React.ComponentPropsWithoutRef
+>(({ className, ...props }, ref) => (
+ ,
+ React.ComponentPropsWithoutRef
+>(({ className, children, ...props }, ref) => (
+
+
+ {children}
+
+ Close
+
+
+
+))
+DialogContent.displayName = DialogPrimitive.Content.displayName
+
+const DialogHeader = ({
+ className,
+ ...props
+}: React.HTMLAttributes) => (
+
+)
+DialogHeader.displayName = "DialogHeader"
+
+const DialogFooter = ({
+ className,
+ ...props
+}: React.HTMLAttributes) => (
+
+)
+DialogFooter.displayName = "DialogFooter"
+
+const DialogTitle = React.forwardRef<
+ React.ElementRef,
+ React.ComponentPropsWithoutRef
+>(({ className, ...props }, ref) => (
+ ,
+ React.ComponentPropsWithoutRef
+>(({ className, ...props }, ref) => (
+ ,
+ React.ComponentPropsWithoutRef
+>(({ className, children, ...props }, ref) => (
+ span]:line-clamp-1",
+ className
+ )}
+ {...props}
+ >
+ {children}
+
+
+
+))
+SelectTrigger.displayName = SelectPrimitive.Trigger.displayName
+
+const SelectScrollUpButton = React.forwardRef<
+ React.ElementRef,
+ React.ComponentPropsWithoutRef
+>(({ className, ...props }, ref) => (
+
+
+))
+SelectScrollUpButton.displayName = SelectPrimitive.ScrollUpButton.displayName
+
+const SelectScrollDownButton = React.forwardRef<
+ React.ElementRef,
+ React.ComponentPropsWithoutRef
+>(({ className, ...props }, ref) => (
+
+
+))
+SelectScrollDownButton.displayName =
+ SelectPrimitive.ScrollDownButton.displayName
+
+const SelectContent = React.forwardRef<
+ React.ElementRef,
+ React.ComponentPropsWithoutRef
+>(({ className, children, position = "popper", ...props }, ref) => (
+
+
+
+ {children}
+
+
+
+))
+SelectContent.displayName = SelectPrimitive.Content.displayName
+
+const SelectLabel = React.forwardRef<
+ React.ElementRef,
+ React.ComponentPropsWithoutRef
+>(({ className, ...props }, ref) => (
+ ,
+ React.ComponentPropsWithoutRef
+>(({ className, children, ...props }, ref) => (
+
+
+
+
+
+
+ {children}
+
+))
+SelectItem.displayName = SelectPrimitive.Item.displayName
+
+const SelectSeparator = React.forwardRef<
+ React.ElementRef,
+ React.ComponentPropsWithoutRef
+>(({ className, ...props }, ref) => (
+ ) {
+ return (
+ = {
+ administrator: "Administrator",
+ researcher: "Researcher",
+ wizard: "Wizard",
+ observer: "Observer",
+ };
+
+ return roleMap[role] || role;
+}
+
+/**
+ * Get role description
+ */
+export function getRoleDescription(role: SystemRole): string {
+ const descriptions: Record = {
+ administrator: "Full system access and user management",
+ researcher: "Can create and manage studies and experiments",
+ wizard: "Can control robots during trials and experiments",
+ observer: "Read-only access to studies and trial data",
+ };
+
+ return descriptions[role] || "Unknown role";
+}
+
+/**
+ * Get available roles for assignment
+ */
+export function getAvailableRoles(): Array<{
+ value: SystemRole;
+ label: string;
+ description: string;
+}> {
+ const roles: SystemRole[] = ["administrator", "researcher", "wizard", "observer"];
+
+ return roles.map((role) => ({
+ value: role,
+ label: formatRole(role),
+ description: getRoleDescription(role),
+ }));
+}
+
+/**
+ * Get role badge color classes
+ */
+export function getRoleColor(role: SystemRole): string {
+ switch (role) {
+ case "administrator":
+ return "bg-red-100 text-red-800 border-red-200";
+ case "researcher":
+ return "bg-blue-100 text-blue-800 border-blue-200";
+ case "wizard":
+ return "bg-purple-100 text-purple-800 border-purple-200";
+ case "observer":
+ return "bg-green-100 text-green-800 border-green-200";
+ default:
+ return "bg-gray-100 text-gray-800 border-gray-200";
+ }
+}
+
+/**
+ * Get role permissions list (client-side mock data)
+ */
+export function getRolePermissions(role: SystemRole): string[] {
+ const rolePermissions: Record = {
+ administrator: [
+ "Full system access",
+ "User management",
+ "System configuration",
+ "Audit logs access",
+ "Data export/import",
+ ],
+ researcher: [
+ "Create/manage studies",
+ "Design experiments",
+ "Analyze trial data",
+ "Manage participants",
+ "Export research data",
+ ],
+ wizard: [
+ "Control robots during trials",
+ "Execute experiment steps",
+ "Monitor trial progress",
+ "Record interventions",
+ "Access wizard interface",
+ ],
+ observer: [
+ "View studies and experiments",
+ "Watch trial executions",
+ "Access analysis reports",
+ "View participant data",
+ "Read-only system access",
+ ],
+ };
+
+ return rolePermissions[role] || [];
+}
diff --git a/src/server/api/routers/users.ts b/src/server/api/routers/users.ts
index e435585..b25fb42 100644
--- a/src/server/api/routers/users.ts
+++ b/src/server/api/routers/users.ts
@@ -1,6 +1,7 @@
import { TRPCError } from "@trpc/server";
import { and, count, eq, ilike, or, type SQL } from "drizzle-orm";
import { z } from "zod";
+import bcrypt from "bcryptjs";
import {
adminProcedure,
@@ -199,6 +200,58 @@ export const usersRouter = createTRPCRouter({
return updatedUser;
}),
+ changePassword: protectedProcedure
+ .input(
+ z.object({
+ currentPassword: z.string().min(1, "Current password is required"),
+ newPassword: z
+ .string()
+ .min(6, "Password must be at least 6 characters"),
+ }),
+ )
+ .mutation(async ({ ctx, input }) => {
+ const { currentPassword, newPassword } = input;
+ const userId = ctx.session.user.id;
+
+ // Get current user with password
+ const user = await ctx.db.query.users.findFirst({
+ where: eq(users.id, userId),
+ });
+
+ if (!user?.password) {
+ throw new TRPCError({
+ code: "NOT_FOUND",
+ message: "User not found",
+ });
+ }
+
+ // Verify current password
+ const isValidPassword = await bcrypt.compare(
+ currentPassword,
+ user.password,
+ );
+ if (!isValidPassword) {
+ throw new TRPCError({
+ code: "UNAUTHORIZED",
+ message: "Current password is incorrect",
+ });
+ }
+
+ // Hash new password
+ const hashedNewPassword = await bcrypt.hash(newPassword, 12);
+
+ // Update password
+ await ctx.db
+ .update(users)
+ .set({
+ password: hashedNewPassword,
+ updatedAt: new Date(),
+ })
+ .where(eq(users.id, userId));
+
+ return { success: true };
+ }),
+
assignRole: adminProcedure
.input(
z.object({
diff --git a/src/server/auth/config.ts b/src/server/auth/config.ts
index 6a91e3e..3c7ae64 100644
--- a/src/server/auth/config.ts
+++ b/src/server/auth/config.ts
@@ -2,6 +2,7 @@ import { type DefaultSession, type NextAuthConfig } from "next-auth";
import Credentials from "next-auth/providers/credentials";
import bcrypt from "bcryptjs";
import { eq } from "drizzle-orm";
+import { z } from "zod";
import { db } from "~/server/db";
import { users } from "~/server/db/schema";
@@ -16,15 +17,20 @@ declare module "next-auth" {
interface Session extends DefaultSession {
user: {
id: string;
- // ...other properties
- // role: UserRole;
+ roles: Array<{
+ role: "administrator" | "researcher" | "wizard" | "observer";
+ grantedAt: Date;
+ grantedBy: string | null;
+ }>;
} & DefaultSession["user"];
}
- // interface User {
- // // ...other properties
- // // role: UserRole;
- // }
+ interface User {
+ id: string;
+ email: string;
+ name: string | null;
+ image: string | null;
+ }
}
/**
@@ -33,6 +39,14 @@ declare module "next-auth" {
* @see https://next-auth.js.org/configuration/options
*/
export const authConfig = {
+ session: {
+ strategy: "jwt",
+ maxAge: 30 * 24 * 60 * 60, // 30 days
+ },
+ pages: {
+ signIn: "/auth/signin",
+ error: "/auth/error",
+ },
providers: [
Credentials({
name: "credentials",
@@ -41,38 +55,37 @@ export const authConfig = {
password: { label: "Password", type: "password" },
},
async authorize(credentials) {
- if (!credentials?.email || !credentials?.password) {
- return null;
- }
+ const parsed = z
+ .object({
+ email: z.string().email(),
+ password: z.string().min(6),
+ })
+ .safeParse(credentials);
+
+ if (!parsed.success) return null;
const user = await db.query.users.findFirst({
- where: eq(users.email, credentials.email as string),
+ where: eq(users.email, parsed.data.email),
});
- if (!user?.password) {
- return null;
- }
+ if (!user?.password) return null;
const isValidPassword = await bcrypt.compare(
- credentials.password as string,
+ parsed.data.password,
user.password,
);
- if (!isValidPassword) {
- return null;
- }
+ if (!isValidPassword) return null;
return {
id: user.id,
email: user.email,
name: user.name,
+ image: user.image,
};
},
}),
],
- session: {
- strategy: "jwt",
- },
callbacks: {
jwt: ({ token, user }) => {
if (user) {
@@ -80,12 +93,41 @@ export const authConfig = {
}
return token;
},
- session: ({ session, token }) => ({
- ...session,
- user: {
- ...session.user,
- id: token.id as string,
- },
- }),
+ session: async ({ session, token }) => {
+ if (token.id) {
+ // Fetch user roles from database
+ const userWithRoles = await db.query.users.findFirst({
+ where: eq(users.id, token.id as string),
+ with: {
+ systemRoles: {
+ with: {
+ grantedByUser: {
+ columns: {
+ id: true,
+ name: true,
+ email: true,
+ },
+ },
+ },
+ },
+ },
+ });
+
+ return {
+ ...session,
+ user: {
+ ...session.user,
+ id: token.id as string,
+ roles:
+ userWithRoles?.systemRoles?.map((sr) => ({
+ role: sr.role,
+ grantedAt: sr.grantedAt,
+ grantedBy: sr.grantedBy,
+ })) ?? [],
+ },
+ };
+ }
+ return session;
+ },
},
} satisfies NextAuthConfig;
diff --git a/src/server/auth/utils.ts b/src/server/auth/utils.ts
new file mode 100644
index 0000000..61d1020
--- /dev/null
+++ b/src/server/auth/utils.ts
@@ -0,0 +1,230 @@
+import { auth } from "./index";
+import { redirect } from "next/navigation";
+import { db } from "~/server/db";
+import { users, userSystemRoles } from "~/server/db/schema";
+import { eq, and } from "drizzle-orm";
+import type { Session } from "next-auth";
+
+// Role types from schema
+export type SystemRole = "administrator" | "researcher" | "wizard" | "observer";
+export type StudyRole = "owner" | "researcher" | "wizard" | "observer";
+
+/**
+ * Get the current session or redirect to login
+ */
+export async function requireAuth() {
+ const session = await auth();
+ if (!session?.user) {
+ redirect("/auth/signin");
+ }
+ return session;
+}
+
+/**
+ * Get the current session without redirecting
+ */
+export async function getSession() {
+ return await auth();
+}
+
+/**
+ * Check if the current user has a specific system role
+ */
+export function hasRole(session: Session | null, role: SystemRole): boolean {
+ if (!session?.user?.roles) return false;
+ return session.user.roles.some((userRole) => userRole.role === role);
+}
+
+/**
+ * Check if the current user is an administrator
+ */
+export function isAdmin(session: Session | null): boolean {
+ return hasRole(session, "administrator");
+}
+
+/**
+ * Check if the current user is a researcher or admin
+ */
+export function isResearcher(session: Session | null): boolean {
+ return hasRole(session, "researcher") || isAdmin(session);
+}
+
+/**
+ * Check if the current user is a wizard or admin
+ */
+export function isWizard(session: Session | null): boolean {
+ return hasRole(session, "wizard") || isAdmin(session);
+}
+
+/**
+ * Check if the current user has any of the specified roles
+ */
+export function hasAnyRole(session: Session | null, roles: SystemRole[]): boolean {
+ if (!session?.user?.roles) return false;
+ return session.user.roles.some((userRole) =>
+ roles.includes(userRole.role)
+ );
+}
+
+/**
+ * Require admin role or redirect
+ */
+export async function requireAdmin() {
+ const session = await requireAuth();
+ if (!isAdmin(session)) {
+ redirect("/unauthorized");
+ }
+ return session;
+}
+
+/**
+ * Require researcher role or redirect
+ */
+export async function requireResearcher() {
+ const session = await requireAuth();
+ if (!isResearcher(session)) {
+ redirect("/unauthorized");
+ }
+ return session;
+}
+
+/**
+ * Get user roles from database
+ */
+export async function getUserRoles(userId: string) {
+ const userWithRoles = await db.query.users.findFirst({
+ where: eq(users.id, userId),
+ with: {
+ systemRoles: {
+ with: {
+ grantedByUser: {
+ columns: {
+ id: true,
+ name: true,
+ email: true,
+ },
+ },
+ },
+ },
+ },
+ });
+
+ return userWithRoles?.systemRoles ?? [];
+}
+
+/**
+ * Grant a system role to a user
+ */
+export async function grantRole(
+ userId: string,
+ role: SystemRole,
+ grantedBy: string
+) {
+ // Check if user already has this role
+ const existingRole = await db.query.userSystemRoles.findFirst({
+ where: and(
+ eq(userSystemRoles.userId, userId),
+ eq(userSystemRoles.role, role)
+ ),
+ });
+
+ if (existingRole) {
+ throw new Error(`User already has role: ${role}`);
+ }
+
+ // Grant the role
+ const newRole = await db
+ .insert(userSystemRoles)
+ .values({
+ userId,
+ role,
+ grantedBy,
+ })
+ .returning();
+
+ return newRole[0];
+}
+
+/**
+ * Revoke a system role from a user
+ */
+export async function revokeRole(userId: string, role: SystemRole) {
+ const deletedRole = await db
+ .delete(userSystemRoles)
+ .where(
+ and(
+ eq(userSystemRoles.userId, userId),
+ eq(userSystemRoles.role, role)
+ )
+ )
+ .returning();
+
+ if (deletedRole.length === 0) {
+ throw new Error(`User does not have role: ${role}`);
+ }
+
+ return deletedRole[0];
+}
+
+/**
+ * Check if a user owns or has admin access to a resource
+ */
+export function canAccessResource(
+ session: Session | null,
+ resourceOwnerId: string
+): boolean {
+ if (!session?.user) return false;
+
+ // Admin can access anything
+ if (isAdmin(session)) return true;
+
+ // Owner can access their own resources
+ if (session.user.id === resourceOwnerId) return true;
+
+ return false;
+}
+
+/**
+ * Format role for display
+ */
+export function formatRole(role: SystemRole): string {
+ const roleMap: Record = {
+ administrator: "Administrator",
+ researcher: "Researcher",
+ wizard: "Wizard",
+ observer: "Observer",
+ };
+
+ return roleMap[role] || role;
+}
+
+/**
+ * Get role description
+ */
+export function getRoleDescription(role: SystemRole): string {
+ const descriptions: Record = {
+ administrator: "Full system access and user management",
+ researcher: "Can create and manage studies and experiments",
+ wizard: "Can control robots during trials and experiments",
+ observer: "Read-only access to studies and trial data",
+ };
+
+ return descriptions[role] || "Unknown role";
+}
+
+/**
+ * Get available roles for assignment
+ */
+export function getAvailableRoles(): Array<{
+ value: SystemRole;
+ label: string;
+ description: string;
+}> {
+ const roles: SystemRole[] = ["administrator", "researcher", "wizard", "observer"];
+
+ return roles.map((role) => ({
+ value: role,
+ label: formatRole(role),
+ description: getRoleDescription(role),
+ }));
+}
diff --git a/src/server/db/schema.ts b/src/server/db/schema.ts
index e9a13f7..df93f2f 100644
--- a/src/server/db/schema.ts
+++ b/src/server/db/schema.ts
@@ -13,7 +13,7 @@ import {
timestamp,
unique,
uuid,
- varchar
+ varchar,
} from "drizzle-orm/pg-core";
import { type AdapterAccount } from "next-auth/adapters";
@@ -23,7 +23,7 @@ import { type AdapterAccount } from "next-auth/adapters";
*
* @see https://orm.drizzle.team/docs/goodies#multi-project-schema
*/
-export const createTable = pgTableCreator((name) => `hristudio_${name}`);
+export const createTable = pgTableCreator((name) => `hs_${name}`);
// Enums
export const systemRoleEnum = pgEnum("system_role", [