From 19603698f8249b01cda314276e1d382036804e9f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kov=C3=A1cs=20Zsombor?=
 <125221225+KoZsombat@users.noreply.github.com>
Date: Wed, 20 May 2026 19:28:55 +0200
Subject: [PATCH 1/2] navbar admin dash access for all roles that need it

---
 apps/iris/src/components/navbar.tsx           | 11 +++++---
 apps/iris/src/routes/_private/admin/route.tsx |  3 ++-
 apps/iris/src/utils/admin-access.ts           | 27 +++++++++++++++++++
 3 files changed, 36 insertions(+), 5 deletions(-)
 create mode 100644 apps/iris/src/utils/admin-access.ts

diff --git a/apps/iris/src/components/navbar.tsx b/apps/iris/src/components/navbar.tsx
index 1967a8b2..b0829947 100644
--- a/apps/iris/src/components/navbar.tsx
+++ b/apps/iris/src/components/navbar.tsx
@@ -27,6 +27,7 @@ import {
 } from '@/components/ui/dropdown-menu';
 import { Spinner } from '@/components/ui/spinner';
 import { LanguageSelector } from '@/components/util/language-selector';
+import { canAccessAdminUi } from '@/utils/admin-access';
 import { authClient } from '@/utils/authentication';
 
 type NavbarProps = {
@@ -64,7 +65,9 @@ export function Navbar({
           </div>
 
           {data && showLinks && (
-            <NavLinks userRoles={data.user ? data.user.roles : ['user']} />
+            <NavLinks
+              userPermissions={data.user ? data.user.permissions : []}
+            />
           )}
 
           <div className="ml-auto flex items-center gap-3">
@@ -188,11 +191,11 @@ export function Navbar({
   );
 }
 
-function NavLinks({ userRoles }: { userRoles?: string[] }) {
+function NavLinks({ userPermissions }: { userPermissions?: string[] }) {
   const navigate = useNavigate();
   const { t } = useTranslation();
 
-  const isAdmin = userRoles?.includes('admin');
+  const canSeeAdminUi = canAccessAdminUi(userPermissions);
 
   return (
     <div className="ml-8 hidden items-center gap-6 md:flex">
@@ -214,7 +217,7 @@ function NavLinks({ userRoles }: { userRoles?: string[] }) {
         <Book />
         {t('substitutions')}
       </Button>
-      {isAdmin && (
+      {canSeeAdminUi && (
         <Button
           className="text-muted-foreground hover:text-foreground"
           onClick={() => navigate({ to: '/admin' })}
diff --git a/apps/iris/src/routes/_private/admin/route.tsx b/apps/iris/src/routes/_private/admin/route.tsx
index 630cf126..92d21e33 100644
--- a/apps/iris/src/routes/_private/admin/route.tsx
+++ b/apps/iris/src/routes/_private/admin/route.tsx
@@ -4,6 +4,7 @@ import { useTranslation } from 'react-i18next';
 import { AdminSidebar } from '@/components/admin/sidebar';
 import { Navbar } from '@/components/navbar';
 import { SidebarProvider, SidebarTrigger } from '@/components/ui/sidebar';
+import { canAccessAdminUi } from '@/utils/admin-access';
 import { authClient } from '@/utils/authentication';
 
 export const Route = createFileRoute('/_private/admin')({
@@ -20,7 +21,7 @@ function AppLayoutComponent() {
   }, [t]);
 
   useEffect(() => {
-    if (session?.user && !session.user.roles.includes('admin')) {
+    if (session?.user && !canAccessAdminUi(session.user.permissions)) {
       navigate({
         replace: true,
         to: '/',
diff --git a/apps/iris/src/utils/admin-access.ts b/apps/iris/src/utils/admin-access.ts
new file mode 100644
index 00000000..3ce5f138
--- /dev/null
+++ b/apps/iris/src/utils/admin-access.ts
@@ -0,0 +1,27 @@
+const ADMIN_UI_PERMISSIONS = [
+  'import:timetable',
+  'substitution:create',
+  'movedLesson:create',
+  'announcements:create',
+  'system-messages:manage',
+  'doorlock:stats:read',
+  'doorlock:devices:read',
+  'doorlock:cards:read',
+  'doorlock:logs:read',
+  'users:read',
+  'roles:read',
+] as const;
+
+export function canAccessAdminUi(permissions?: string[] | null): boolean {
+  if (!permissions) {
+    return false;
+  }
+
+  if (permissions.includes('*')) {
+    return true;
+  }
+
+  return ADMIN_UI_PERMISSIONS.some((permission) =>
+    permissions.includes(permission)
+  );
+}

From 96c05a6ed8775cec2bde2b34d54972511de0936e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kov=C3=A1cs=20Zsombor?=
 <125221225+KoZsombat@users.noreply.github.com>
Date: Wed, 20 May 2026 19:35:52 +0200
Subject: [PATCH 2/2] clanker fixes

---
 apps/iris/src/components/navbar.tsx           |  7 +++-
 .../src/components/util/permission-guard.tsx  | 10 ++---
 apps/iris/src/hooks/use-has-permission.ts     | 21 +++++++++-
 apps/iris/src/routes/_private/admin/route.tsx | 41 ++++++++-----------
 apps/iris/src/utils/admin-access.ts           | 27 ------------
 5 files changed, 46 insertions(+), 60 deletions(-)
 delete mode 100644 apps/iris/src/utils/admin-access.ts

diff --git a/apps/iris/src/components/navbar.tsx b/apps/iris/src/components/navbar.tsx
index b0829947..671d8ef2 100644
--- a/apps/iris/src/components/navbar.tsx
+++ b/apps/iris/src/components/navbar.tsx
@@ -27,7 +27,10 @@ import {
 } from '@/components/ui/dropdown-menu';
 import { Spinner } from '@/components/ui/spinner';
 import { LanguageSelector } from '@/components/util/language-selector';
-import { canAccessAdminUi } from '@/utils/admin-access';
+import {
+  ADMIN_UI_PERMISSIONS,
+  useHasPermission,
+} from '@/hooks/use-has-permission';
 import { authClient } from '@/utils/authentication';
 
 type NavbarProps = {
@@ -195,7 +198,7 @@ function NavLinks({ userPermissions }: { userPermissions?: string[] }) {
   const navigate = useNavigate();
   const { t } = useTranslation();
 
-  const canSeeAdminUi = canAccessAdminUi(userPermissions);
+  const canSeeAdminUi = useHasPermission(ADMIN_UI_PERMISSIONS, userPermissions);
 
   return (
     <div className="ml-8 hidden items-center gap-6 md:flex">
diff --git a/apps/iris/src/components/util/permission-guard.tsx b/apps/iris/src/components/util/permission-guard.tsx
index 21183be0..6a00205d 100644
--- a/apps/iris/src/components/util/permission-guard.tsx
+++ b/apps/iris/src/components/util/permission-guard.tsx
@@ -1,10 +1,11 @@
 import { Navigate } from '@tanstack/react-router';
 import type { ReactNode } from 'react';
+import { useHasPermission } from '@/hooks/use-has-permission';
 import { authClient } from '@/utils/authentication';
 
 type PermissionGuardProps = {
   children: ReactNode;
-  permission: string;
+  permission: string | readonly string[];
 };
 
 export function PermissionGuard({
@@ -12,15 +13,14 @@ export function PermissionGuard({
   permission,
 }: PermissionGuardProps) {
   const { data } = authClient.useSession();
-
   const user = data?.user;
+  const hasPermission = useHasPermission(permission, user?.permissions);
+
   if (!user) {
     return <Navigate to="/auth/login" />;
   }
 
-  if (
-    !(user.permissions.includes(permission) || user.permissions.includes('*'))
-  ) {
+  if (!hasPermission) {
     return <Navigate search={{ error: 'unauthorized' }} to="/auth/error" />;
   }
 
diff --git a/apps/iris/src/hooks/use-has-permission.ts b/apps/iris/src/hooks/use-has-permission.ts
index 665f613e..5bd93350 100644
--- a/apps/iris/src/hooks/use-has-permission.ts
+++ b/apps/iris/src/hooks/use-has-permission.ts
@@ -1,5 +1,19 @@
+export const ADMIN_UI_PERMISSIONS = [
+  'import:timetable',
+  'substitution:create',
+  'movedLesson:create',
+  'announcements:create',
+  'system-messages:manage',
+  'doorlock:stats:read',
+  'doorlock:devices:read',
+  'doorlock:cards:read',
+  'doorlock:logs:read',
+  'users:read',
+  'roles:read',
+] as const;
+
 export function useHasPermission(
-  permission: string,
+  permission: string | readonly string[],
   permissions?: string[] | null
 ): boolean {
   if (!permissions) {
@@ -8,5 +22,10 @@ export function useHasPermission(
   if (permissions.includes('*')) {
     return true;
   }
+
+  if (typeof permission !== 'string') {
+    return permission.some((item) => permissions.includes(item));
+  }
+
   return permissions.includes(permission);
 }
diff --git a/apps/iris/src/routes/_private/admin/route.tsx b/apps/iris/src/routes/_private/admin/route.tsx
index 92d21e33..95232bc2 100644
--- a/apps/iris/src/routes/_private/admin/route.tsx
+++ b/apps/iris/src/routes/_private/admin/route.tsx
@@ -1,11 +1,11 @@
-import { createFileRoute, Outlet, useNavigate } from '@tanstack/react-router';
+import { createFileRoute, Outlet } from '@tanstack/react-router';
 import { useEffect } from 'react';
 import { useTranslation } from 'react-i18next';
 import { AdminSidebar } from '@/components/admin/sidebar';
 import { Navbar } from '@/components/navbar';
 import { SidebarProvider, SidebarTrigger } from '@/components/ui/sidebar';
-import { canAccessAdminUi } from '@/utils/admin-access';
-import { authClient } from '@/utils/authentication';
+import { PermissionGuard } from '@/components/util/permission-guard';
+import { ADMIN_UI_PERMISSIONS } from '@/hooks/use-has-permission';
 
 export const Route = createFileRoute('/_private/admin')({
   component: AppLayoutComponent,
@@ -13,34 +13,25 @@ export const Route = createFileRoute('/_private/admin')({
 
 function AppLayoutComponent() {
   const { t } = useTranslation();
-  const { data: session } = authClient.useSession();
-  const navigate = useNavigate();
 
   useEffect(() => {
     document.title = t('PageTitles.adminPanel');
   }, [t]);
 
-  useEffect(() => {
-    if (session?.user && !canAccessAdminUi(session.user.permissions)) {
-      navigate({
-        replace: true,
-        to: '/',
-      });
-    }
-  }, [session, navigate]);
-
   return (
-    <SidebarProvider>
-      <AdminSidebar />
-      <main className="flex grow flex-col">
-        <Navbar showLinks={false} showLogo={false}>
-          <SidebarTrigger />
-        </Navbar>
+    <PermissionGuard permission={ADMIN_UI_PERMISSIONS}>
+      <SidebarProvider>
+        <AdminSidebar />
+        <main className="flex grow flex-col">
+          <Navbar showLinks={false} showLogo={false}>
+            <SidebarTrigger />
+          </Navbar>
 
-        <div className="grow overflow-auto p-4">
-          <Outlet />
-        </div>
-      </main>
-    </SidebarProvider>
+          <div className="grow overflow-auto p-4">
+            <Outlet />
+          </div>
+        </main>
+      </SidebarProvider>
+    </PermissionGuard>
   );
 }
diff --git a/apps/iris/src/utils/admin-access.ts b/apps/iris/src/utils/admin-access.ts
deleted file mode 100644
index 3ce5f138..00000000
--- a/apps/iris/src/utils/admin-access.ts
+++ /dev/null
@@ -1,27 +0,0 @@
-const ADMIN_UI_PERMISSIONS = [
-  'import:timetable',
-  'substitution:create',
-  'movedLesson:create',
-  'announcements:create',
-  'system-messages:manage',
-  'doorlock:stats:read',
-  'doorlock:devices:read',
-  'doorlock:cards:read',
-  'doorlock:logs:read',
-  'users:read',
-  'roles:read',
-] as const;
-
-export function canAccessAdminUi(permissions?: string[] | null): boolean {
-  if (!permissions) {
-    return false;
-  }
-
-  if (permissions.includes('*')) {
-    return true;
-  }
-
-  return ADMIN_UI_PERMISSIONS.some((permission) =>
-    permissions.includes(permission)
-  );
-}