From 5951091ff051b8f228cedadd15fc9c92956938bb Mon Sep 17 00:00:00 2001
From: Rosalie Wanders <rosalie@mailbox.org>
Date: Thu, 18 May 2023 14:14:28 +0200
Subject: [PATCH] SporeServer: improve /Moderation/Management/Users

---
 .../Pages/Moderation/Management/Users.cshtml  | 22 ++++++++++++------
 .../Moderation/Management/Users.cshtml.cs     | 23 +++++++++++++++++++
 2 files changed, 38 insertions(+), 7 deletions(-)

diff --git a/SporeServer/Pages/Moderation/Management/Users.cshtml b/SporeServer/Pages/Moderation/Management/Users.cshtml
index c1bbbf7..089b155 100644
--- a/SporeServer/Pages/Moderation/Management/Users.cshtml
+++ b/SporeServer/Pages/Moderation/Management/Users.cshtml
@@ -46,7 +46,6 @@
                     {
                         var user = Model.Users[i];
                         bool odd = i % 2 != 0;
-                        int assetCount = 0; // await Model.GetAssetCountByUserAsync(user);
                         <tr>
                             <td class="avatar@(odd ? " , odd" : "")">
                                 <img src="/static/war/images/game/spd/NoAvatar.png" alt="Avatar" class="noavatar" />
@@ -57,12 +56,21 @@
                             <td class="username@(odd ? " , odd" : "")">
                                 <a href="sporeprofile:@(user.Id)" style="">@(user.UserName)</a>
                             </td>
-                            <td class="editButton@(odd ? " , odd" : "")">
-                                <a href="/Moderation/Management/User/Edit/@(user.Id)" style=""><img src="utfres://0x011c0bde!icon_settings.png" /></a>
-                            </td>
-                            <td class="banButton@(odd ? " , odd" : "")">
-                                <a href="sporeprofile:@(user.Id)" style=""><img src="utfres://AssetBrowserGraphics!0x9F681350.png" /></a>
-                            </td>
+                            @if (/* check if user isn't the current user */
+                                 Model.CurrentUser.Id != user.Id &&
+                                 /* check if user isn't an Admin */
+                                 !(await Model.IsUserInRoleAsync(user, "Admin")) &&
+                                 /* check if current user is a moderator, if so, they cannot manage other moderators */
+                                 ((await Model.IsUserInRoleAsync(Model.CurrentUser, "Moderator")) &&
+                                  !(await Model.IsUserInRoleAsync(user, "Moderator"))))
+                            {
+                                <td class="editButton@(odd ? " , odd" : "")">
+                                    <a href="/Moderation/Management/User/Edit/@(user.Id)" style=""><img src="utfres://0x011c0bde!icon_settings.png" /></a>
+                                </td>
+                                <td class="banButton@(odd ? " , odd" : "")">
+                                    <a href="sporeprofile:@(user.Id)" style=""><img src="utfres://AssetBrowserGraphics!0x9F681350.png" /></a>
+                                </td>
+                            }
                         </tr>
                     }
             </table>
diff --git a/SporeServer/Pages/Moderation/Management/Users.cshtml.cs b/SporeServer/Pages/Moderation/Management/Users.cshtml.cs
index 9c1ccce..cdefa19 100644
--- a/SporeServer/Pages/Moderation/Management/Users.cshtml.cs
+++ b/SporeServer/Pages/Moderation/Management/Users.cshtml.cs
@@ -1,3 +1,12 @@
+/*
+ * SporeServer - https://github.com/Rosalie241/SporeServer
+ *  Copyright (C) 2021 Rosalie Wanders <rosalie@mailbox.org>
+ *
+ *  This program is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU Affero General Public License version 3.
+ *  You should have received a copy of the GNU Affero General Public License
+ *  along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
@@ -25,6 +34,10 @@ public UsersModel(UserManager<SporeServerUser> userManager, IUserSubscriptionMan
             _assetManager = assetManager;
         }
 
+        /// <summary>
+        ///     Current User
+        /// </summary>
+        public SporeServerUser CurrentUser { get; set; }
         /// <summary>
         ///     Search Results
         /// </summary>
@@ -38,10 +51,20 @@ public UsersModel(UserManager<SporeServerUser> userManager, IUserSubscriptionMan
         /// </summary>
         public bool Searched { get; set; }
 
+        /// <summary>
+        ///     Whether user is in specified role or not
+        /// </summary>
+        public async Task<bool> IsUserInRoleAsync(SporeServerUser user, string role)
+        {
+            return (await _userManager.GetRolesAsync(user)).Contains(role);
+        }
+
         public async Task<IActionResult> OnGet()
         {
             SearchString = Request.Query["searchText"];
 
+            CurrentUser = await _userManager.GetUserAsync(User);
+
             if (String.IsNullOrEmpty(SearchString))
             {
                 Users = await _userManager.Users