From 377f5bfabe3e821cf673d919c8619b69476ea279 Mon Sep 17 00:00:00 2001
From: Seth Vargo <seth@sethvargo.com>
Date: Fri, 6 Nov 2020 12:39:41 -0500
Subject: [PATCH] Use scopes for filtering, update CSS

---
 cmd/server/assets/admin/mobileapps/index.html |  81 +++++++++
 cmd/server/assets/admin/mobileapps/show.html  |  85 ---------
 cmd/server/assets/admin/realms/edit.html      |  40 ++---
 cmd/server/assets/admin/realms/index.html     |  78 ++++-----
 cmd/server/assets/admin/users/index.html      | 163 ++++++++----------
 cmd/server/assets/admin/users/new.html        |   4 +-
 internal/routes/server.go                     |   8 +-
 pkg/controller/admin/admin.go                 |   4 +
 pkg/controller/admin/mobile_apps.go           |   2 +-
 pkg/controller/admin/realms.go                |  26 ++-
 pkg/controller/admin/users_list.go            |  23 ++-
 pkg/controller/admin/users_operations.go      |   2 +-
 pkg/database/scopes.go                        |  54 ++++++
 pkg/database/user.go                          |  13 +-
 pkg/render/render.go                          |   8 +
 15 files changed, 324 insertions(+), 267 deletions(-)
 create mode 100644 cmd/server/assets/admin/mobileapps/index.html
 delete mode 100644 cmd/server/assets/admin/mobileapps/show.html
 create mode 100644 pkg/database/scopes.go

diff --git a/cmd/server/assets/admin/mobileapps/index.html b/cmd/server/assets/admin/mobileapps/index.html
new file mode 100644
index 000000000..a172c2e1a
--- /dev/null
+++ b/cmd/server/assets/admin/mobileapps/index.html
@@ -0,0 +1,81 @@
+{{define "admin/mobileapps/index"}}
+
+{{$apps := .apps}}
+
+<!doctype html>
+<html lang="en">
+<head>
+  {{template "head" .}}
+</head>
+
+<body class="tab-content">
+  {{template "admin/navbar" .}}
+
+  <main role="main" class="container">
+    {{template "flash" .}}
+
+    <div class="card mb-3 shadow-sm">
+      <div class="card-header">
+        <span class="oi oi-phone mr-2 ml-n1" aria-hidden="true"></span>
+        Mobile apps
+      </div>
+
+      <div class="card-body">
+        <form method="GET" action="/admin/mobileapps" id="search-form">
+          <div class="input-group">
+            <span class="input-group-prepend">
+              <div class="input-group-text bg-transparent">
+                <span class="oi oi-magnifying-glass" aria-hidden="true"></span>
+              </div>
+            </span>
+            <input type="search" name="q" id="search" value="{{.query}}" placeholder="Search"
+              autocomplete="off" class="form-control" />
+          </div>
+        </form>
+      </div>
+
+      {{if .apps}}
+        <table class="table table-bordered table-striped table-fixed table-inner-border-only border-top mb-0">
+          <thead>
+            <tr>
+              <th scope="col" width="40"></th>
+              <th scope="col">Mobile app</th>
+              <th scope="col" width="120">Realm</th>
+            </tr>
+          </thead>
+          <tbody>
+          {{range .apps}}
+            <tr>
+              <td class="text-center">
+                {{if .MobileApp.DeletedAt}}
+                  <span class="oi oi-circle-x text-danger"
+                    data-toggle="tooltip" title="Mobile app is disabled - it will be deleted in a few days"></span>
+                {{else}}
+                  <span class="oi oi-circle-check text-success"
+                    data-toggle="tooltip" title="Mobile app is enabled"></span>
+                {{end}}
+              </td>
+
+              <td>
+                <a href="/mobile-apps/{{.MobileApp.ID}}" class="text-truncate">{{.MobileApp.Name}}</a>
+              </td>
+
+              <td>
+                <a href="/admin/realms/{{.Realm.ID}}/edit">{{.Realm.Name}}</a>
+              </td>
+            </tr>
+          {{end}}
+          </tbody>
+        </table>
+      {{else}}
+        <p class="text-center">
+          <em>There are no mobile apps.</em>
+        </p>
+      {{end}}
+    </div>
+
+    {{template "shared/pagination" .}}
+  </main>
+</body>
+</html>
+{{end}}
diff --git a/cmd/server/assets/admin/mobileapps/show.html b/cmd/server/assets/admin/mobileapps/show.html
deleted file mode 100644
index 943173dc7..000000000
--- a/cmd/server/assets/admin/mobileapps/show.html
+++ /dev/null
@@ -1,85 +0,0 @@
-{{define "admin/mobileapps/show"}}
-
-{{$apps := .apps}}
-
-<!doctype html>
-<html lang="en">
-<head>
-  {{template "head" .}}
-</head>
-
-<body class="tab-content">
-  {{template "admin/navbar" .}}
-
-  <main role="main" class="container">
-    {{template "flash" .}}
-
-    <div class="card mb-3 shadow-sm">
-      <div class="card-header">
-        <span class="oi oi-phone mr-2 ml-n1" aria-hidden="true"></span>
-        Mobile apps
-      </div>
-
-      <div class="card-body">
-        <form method="GET" action="/admin/mobileapps" id="search-form">
-          <div class="input-group">
-            <span class="input-group-prepend">
-              <div class="input-group-text bg-transparent">
-                <span class="oi oi-magnifying-glass" aria-hidden="true"></span>
-              </div>
-            </span>
-            <input type="search" name="q" id="search" value="{{.query}}" placeholder="Search"
-              autocomplete="off" class="form-control" />
-          </div>
-        </form>
-      </div>
-
-      <div class="card-body">
-
-        {{if .apps}}
-        <div class="table-responsive">
-          <table class="table table-bordered table-striped bg-white">
-            <thead>
-              <tr>
-                <th scope="col">Mobile app</th>
-                <th scope="col" width="120">Realm</th>
-                <th scope="col" width="95">Enabled</th>
-              </tr>
-            </thead>
-            <tbody>
-            {{range .apps}}
-              <tr>
-
-                <td>
-                  <a href="/mobile-apps/{{.MobileApp.ID}}" class="text-truncate">{{.MobileApp.Name}}</a>
-                </td>
-
-                <td>
-                  <a href="/admin/realms/{{.Realm.ID}}/edit">{{.Realm.Name}}</a>
-                </td>
-
-                <td>
-                  {{if .MobileApp.DeletedAt}}
-                    <span class="badge badge-pill badge-danger">Deleted</span>
-                  {{else}}
-                    <span class="badge badge-pill badge-success">Enabled</span>
-                  {{end}}
-                </td>
-              </tr>
-            {{end}}
-            </tbody>
-          </table>
-        </div>
-        {{else}}
-        <p class="text-center">
-          <em>There are no mobile apps.</em>
-        </p>
-        {{end}}
-      </div>
-    </div>
-
-    {{template "shared/pagination" .}}
-  </main>
-</body>
-</html>
-{{end}}
diff --git a/cmd/server/assets/admin/realms/edit.html b/cmd/server/assets/admin/realms/edit.html
index c8798d4f5..7928c0ef6 100644
--- a/cmd/server/assets/admin/realms/edit.html
+++ b/cmd/server/assets/admin/realms/edit.html
@@ -24,16 +24,11 @@ <h1>Edit {{$realm.Name}}</h1>
     <div class="card mb-3 shadow-sm">
       <div class="card-header">Details</div>
       <div class="card-body">
-        <div class="alert alert-warning" class="mb-4">
-          Only a subset of realm fields are editable after creation. Work with
-          the realm administrator to update these values.
-        </div>
-
         <form method="POST" action="/admin/realms/{{$realm.ID}}">
           {{ .csrfField }}
           <input type="hidden" name="_method" value="PATCH" />
 
-          <h6 class="card-title">Name</h6>
+          <h6 class="mb-3">Name</h6>
           <div class="form-label-group">
             <input type="text" class="form-control" value="{{$realm.Name}}" disabled />
             <label for="name">Realm name</label>
@@ -45,7 +40,8 @@ <h6 class="card-title">Name</h6>
           </div>
 
           {{if .supportsPerRealmSigning}}
-          <h6 class="card-title">Certificate</h6>
+          <hr>
+          <h6 class="mb-3">Certificate</h6>
           <div class="form-group">
             <select class="form-control custom-select" disabled>
               <option selected>
@@ -70,7 +66,8 @@ <h6 class="card-title">Certificate</h6>
           {{end}}
 
           {{if $systemSMSConfig}}
-          <h6 class="card-title">SMS Config</h6>
+          <hr>
+          <h6 class="mb-3">SMS Config</h6>
           <div class="form-group form-check">
             <input type="checkbox" name="can_use_system_sms_config" id="can-use-system-sms-config" class="form-check-input" value="1" {{if $realm.CanUseSystemSMSConfig}} checked{{end}}>
             <label class="form-check-label" for="can-use-system-sms-config">
@@ -85,22 +82,21 @@ <h6 class="card-title">SMS Config</h6>
           </div>
           {{end}}
 
-          <h6 class="card-title">Abuse prevention</h6>
-          <div class="card-text mb-3">
-            {{if $realm.AbusePreventionEnabled}}
-            <div class="card-text text-success mt-n2">Enabled</div>
-            {{else}}
-            <div class="card-text mt-n2">Disabled</div>
-            {{end}}
-          </div>
+          <hr>
+          <h6 class="mb-2">Abuse prevention</h6>
+          {{if $realm.AbusePreventionEnabled}}
+          <div class="text-success">Enabled</div>
+          <div>Calculated limit: <span class="text-monospace">{{.quotaLimit}}</span></div>
+          <div>Remaining: <span class="text-monospace">{{.quotaRemaining}}</span></div>
+          {{else}}
+          <div class="text-secondary">Disabled</div>
+          {{end}}
 
-          <h6 class="card-title">Mobile apps</h6>
-          <div class="card-text mb-3">
-            <div class="mt-n2">
-              <a href="/admin/mobileapps?q={{$realm.Name}}">Realm mobile apps</a>
-            </div>
-          </div>
+          <hr>
+          <h6 class="mb-2">Mobile apps</h6>
+          <a href="/admin/mobileapps?q={{$realm.Name}}">View mobile apps &rarr;</a>
 
+          <hr>
           <button type="submit" class="btn btn-primary btn-block">Update realm</button>
         </form>
       </div>
diff --git a/cmd/server/assets/admin/realms/index.html b/cmd/server/assets/admin/realms/index.html
index 0d48c97ac..9a99694f0 100644
--- a/cmd/server/assets/admin/realms/index.html
+++ b/cmd/server/assets/admin/realms/index.html
@@ -15,48 +15,44 @@
     {{template "flash" .}}
 
     <div class="card mb-3 shadow-sm">
-      <div class="card-header">Realms</div>
-      <div class="card-body">
-        <div class="clearfix mb-3">
-          <a class="btn btn-outline-secondary btn-sm float-right" href="/admin/realms/new">
-            <span class="oi oi-plus" aria-hidden="true"></span>
-            New realm
-          </a>
-        </div>
-
-        {{if $realms}}
-          <div class="table-responsive">
-            <table class="table table-bordered table-striped bg-white">
-              <thead>
-                <tr>
-                  <th scope="col" width="50" class="text-center">ID</th>
-                  <th scope="col">Name</th>
-                  <th scope="col" width="125">Region code</th>
-                  <th scope="col" width="125">Signing key</th>
-                </tr>
-              </thead>
-              <tbody>
-              {{range $realms}}
-                <tr>
-                  <td class="text-center">{{.ID}}</td>
-                  <td>
-                    <a href="/admin/realms/{{.ID}}/edit">{{.Name}}</a>
-                  </td>
-                  <td>{{.RegionCode}}</td>
-                  <td>
-                    {{if .UseRealmCertificateKey}}Realm{{else}}System{{end}}
-                  </td>
-                </tr>
-              {{end}}
-              </tbody>
-            </table>
-          </div>
-        {{else}}
-          <p class="text-center">
-            <em>There are no realms.</em>
-          </p>
-        {{end}}
+      <div class="card-header">
+        <span class="oi oi-badge mr-2 ml-n1" aria-hidden="true"></span>
+        Realms
+        <a href="/admin/realms/new" class="float-right mr-n1 text-secondary" data-toggle="tooltip" title="New realm">
+          <span class="oi oi-plus small" aria-hidden="true"></span>
+        </a>
       </div>
+
+      {{if $realms}}
+        <table class="table table-bordered table-striped table-fixed table-inner-border-only mb-0">
+          <thead>
+            <tr>
+              <th scope="col" width="50" class="text-center">ID</th>
+              <th scope="col">Name</th>
+              <th scope="col" width="100" class="text-center">Region</th>
+              <th scope="col" width="120" class="text-center">Signing key</th>
+            </tr>
+          </thead>
+          <tbody>
+          {{range $realms}}
+            <tr>
+              <td class="text-center">{{.ID}}</td>
+              <td>
+                <a href="/admin/realms/{{.ID}}/edit">{{.Name}}</a>
+              </td>
+              <td class="text-center">{{.RegionCode}}</td>
+              <td class="text-center">
+                {{if .UseRealmCertificateKey}}Realm{{else}}System{{end}}
+              </td>
+            </tr>
+          {{end}}
+          </tbody>
+        </table>
+      {{else}}
+        <p class="card-body text-center mb-0">
+          <em>There are no users{{if .query}} that match the query{{end}}.</em>
+        </p>
+      {{end}}
     </div>
   </main>
 </body>
diff --git a/cmd/server/assets/admin/users/index.html b/cmd/server/assets/admin/users/index.html
index 945644faa..28f988d72 100644
--- a/cmd/server/assets/admin/users/index.html
+++ b/cmd/server/assets/admin/users/index.html
@@ -16,107 +16,94 @@
     {{template "flash" .}}
 
     <div class="card mb-3 shadow-sm">
-      <div class="card-header">Users</div>
+      <div class="card-header">
+        <span class="oi oi-person mr-2 ml-n1" aria-hidden="true"></span>
+        Users
+        <a href="/admin/users/new" class="float-right mr-n1 text-secondary" data-toggle="tooltip" title="New system admin">
+          <span class="oi oi-plus small" aria-hidden="true"></span>
+        </a>
+      </div>
+
       <div class="card-body">
         <form method="GET" action="/admin/users" id="search-form">
           <div class="input-group">
             <span class="input-group-prepend">
-              <div class="input-group-text bg-transparent">
-                <span class="oi oi-magnifying-glass" aria-hidden="true"></span>
-              </div>
+              <select name="filter" class="text-truncate custom-select dropdown-toggle border-right-0" style="border-radius:0.25rem 0 0 0.25rem;">
+                <option value="" selected>All users</option>
+                <option value="realmAdmins" {{selectedIf (eq .filter "realmAdmins")}}>Realm admins</option>
+                <option value="systemAdmins" {{selectedIf (eq .filter "systemAdmins")}}>System admins</option>
+              </select>
             </span>
             <input type="search" name="q" id="search" value="{{.query}}" placeholder="Search"
               autocomplete="off" class="form-control" />
           </div>
-          <div class="form-check form-check-inline">
-            <input class="form-check-input" type="radio" name="usertype" id="all" value="" {{if eq .usertype ""}}checked{{end}}>
-            <label class="form-check-label" for="all">All users</label>
-          </div>
-          <div class="form-check form-check-inline">
-            <input class="form-check-input" type="radio" name="usertype" id="sysadmin" value="sysadmin" {{if eq .usertype "sysadmin"}}checked{{end}}>
-            <label class="form-check-label" for="sysadmin">System admins</label>
-          </div>
         </form>
       </div>
-      <div class="card-body">
-        <div class="clearfix mb-3">
-          <a class="btn btn-outline-secondary btn-sm float-right" href="/admin/users/systemadmin/new">
-            <span class="oi oi-plus" aria-hidden="true"></span>
-            New system admin
-          </a>
-        </div>
-        <div class="table-responsive">
-          <table class="table table-bordered table-striped mb-0">
-            <thead>
-              <tr>
-                <th scope="col">Name</th>
-                <th scope="col" width="300">Email</th>
-                <th scope="col" width="40"></th>
-              </tr>
-            </thead>
-            <tbody>
-            {{range $users}}
-              <tr>
-                <td>
-                  {{.Name}}
-                  {{if .SystemAdmin}}
-                  <span class="ml-1 badge badge-pill badge-primary">System admin</span>
-                  {{end}}
-                  {{if .IsRealmAdmin}}
-                  <span class="ml-1 badge badge-pill badge-secondary">Realm admin</span>
-                  {{end}}
-                </td>
-                <td>{{.Email}}</td>
-                <td class="text-center">
-                  {{- /* cannot delete yourself */ -}}
-                  {{if not (eq .ID $currentUser.ID)}}
-                  {{if .SystemAdmin}}
-                  <a href="/admin/users/systemadmin/{{.ID}}"
-                    class="d-block text-danger"
-                    data-method="DELETE"
-                    data-confirm="Are you sure you want to remove system admin privileges?"
-                    data-toggle="tooltip"
-                    title="Remove system admin privileges">
-                    <span class="oi oi-account-logout" aria-hidden="true"></span>
-                  </a>
-                  {{else}}
-                  <a href="/admin/users/{{.ID}}"
-                    class="d-block text-danger"
-                    data-method="DELETE"
-                    data-confirm="Are you sure you want to delete this user? This will prevent access to all realms system-wide."
-                    data-toggle="tooltip"
-                    title="Delete this user">
-                    <span class="oi oi-trash" aria-hidden="true"></span>
-                  </a>
-                  {{end}}
-                  {{end}}
-                </td>
-              </tr>
-            {{end}}
-            </tbody>
-          </table>
-        </div>
-      </div>
+
+      {{if $users}}
+        <table class="table table-bordered table-striped table-fixed table-inner-border-only border-top mb-0">
+          <thead>
+            <tr>
+              <th scope="col" width="40"></th>
+              <th scope="col">Name</th>
+              <th scope="col">Email</th>
+              <th scope="col" width="40"></th>
+            </tr>
+          </thead>
+          <tbody>
+          {{range $users}}
+            <tr>
+              <td class="text-center">
+                {{if .SystemAdmin}}
+                <span class="oi oi-wrench" aria-hidden="true"
+                  data-toggle="tooltip" title="System admin"></span>
+                {{end}}
+              </td>
+              <td class="text-truncate">
+                {{.Name}}
+                {{if .IsRealmAdmin}}
+                <span class="oi oi-badge ml-2" aria-hidden="true"
+                  data-toggle="tooltip" title="Realm admin"></span>
+                {{end}}
+              </td>
+              <td class="text-truncate">{{.Email}}</td>
+              <td class="text-center">
+                {{- /* cannot delete yourself */ -}}
+                {{if not (eq .ID $currentUser.ID)}}
+                {{if .SystemAdmin}}
+                <a href="/admin/users/{{.ID}}/revoke"
+                  class="d-block text-danger"
+                  data-method="DELETE"
+                  data-confirm="Are you sure you want to remove system admin privileges?"
+                  data-toggle="tooltip"
+                  title="Remove system admin privileges">
+                  <span class="oi oi-account-logout" aria-hidden="true"></span>
+                </a>
+                {{else}}
+                <a href="/admin/users/{{.ID}}"
+                  class="d-block text-danger"
+                  data-method="DELETE"
+                  data-confirm="Are you sure you want to delete this user? This will prevent access to all realms system-wide."
+                  data-toggle="tooltip"
+                  title="Delete this user">
+                  <span class="oi oi-trash" aria-hidden="true"></span>
+                </a>
+                {{end}}
+                {{end}}
+              </td>
+            </tr>
+          {{end}}
+          </tbody>
+        </table>
+      {{else}}
+        <p class="card-body text-center mb-0">
+          <em>There are no users{{if .query}} that match the query{{end}}.</em>
+        </p>
+      {{end}}
     </div>
 
-  {{template "shared/pagination" .}}
+    {{template "shared/pagination" .}}
   </main>
-
-  <script type="text/javascript">
-    $(function() {
-      let $sysAdmin = $('#sysadmin');
-      let $all= $('#all');
-      let $search = $('#search-form');
-
-      $sysAdmin.on('change', function() {
-        $search.submit();
-      });
-
-      $all.on('change', function() {
-        $search.submit();
-      });
-    });
-  </script>
 </body>
 </html>
 {{end}}
diff --git a/cmd/server/assets/admin/users/new.html b/cmd/server/assets/admin/users/new.html
index 677bce353..e474a8ac4 100644
--- a/cmd/server/assets/admin/users/new.html
+++ b/cmd/server/assets/admin/users/new.html
@@ -1,4 +1,4 @@
-{{define "admin/systemadmin/new"}}
+{{define "admin/users/new"}}
 
 {{$user := .user}}
 
@@ -23,7 +23,7 @@ <h1>New system admin</h1>
     <div class="card mb-3 shadow-sm">
       <div class="card-header">System admin details</div>
       <div class="card-body">
-        <form method="POST" action="/admin/users/systemadmin">
+        <form method="POST" action="/admin/users">
           {{ .csrfField }}
 
           <div class="form-label-group">
diff --git a/internal/routes/server.go b/internal/routes/server.go
index 47d65b0b2..6cb343fb2 100644
--- a/internal/routes/server.go
+++ b/internal/routes/server.go
@@ -339,7 +339,7 @@ func Server(
 		adminSub.Use(requireSystemAdmin)
 		adminSub.Use(rateLimit)
 
-		adminController := admin.New(ctx, cfg, cacher, db, authProvider, h)
+		adminController := admin.New(ctx, cfg, cacher, db, authProvider, limiterStore, h)
 		adminSub.Handle("", http.RedirectHandler("/admin/realms", http.StatusSeeOther)).Methods("GET")
 		adminSub.Handle("/realms", adminController.HandleRealmsIndex()).Methods("GET")
 		adminSub.Handle("/realms", adminController.HandleRealmsCreate()).Methods("POST")
@@ -351,9 +351,9 @@ func Server(
 
 		adminSub.Handle("/users", adminController.HandleUsersIndex()).Methods("GET")
 		adminSub.Handle("/users/{id:[0-9]+}", adminController.HandleUserDelete()).Methods("DELETE")
-		adminSub.Handle("/users/systemadmin", adminController.HandleSystemAdminCreate()).Methods("POST")
-		adminSub.Handle("/users/systemadmin/new", adminController.HandleSystemAdminCreate()).Methods("GET")
-		adminSub.Handle("/users/systemadmin/{id:[0-9]+}", adminController.HandleSystemAdminRevoke()).Methods("DELETE")
+		adminSub.Handle("/users", adminController.HandleSystemAdminCreate()).Methods("POST")
+		adminSub.Handle("/users/new", adminController.HandleSystemAdminCreate()).Methods("GET")
+		adminSub.Handle("/users/{id:[0-9]+}/revoke", adminController.HandleSystemAdminRevoke()).Methods("DELETE")
 
 		adminSub.Handle("/mobileapps", adminController.HandleMobileAppsShow()).Methods("GET")
 		adminSub.Handle("/sms", adminController.HandleSMSUpdate()).Methods("GET", "POST")
diff --git a/pkg/controller/admin/admin.go b/pkg/controller/admin/admin.go
index 6e7a54d89..849700780 100644
--- a/pkg/controller/admin/admin.go
+++ b/pkg/controller/admin/admin.go
@@ -23,6 +23,7 @@ import (
 	"github.com/google/exposure-notifications-verification-server/pkg/config"
 	"github.com/google/exposure-notifications-verification-server/pkg/database"
 	"github.com/google/exposure-notifications-verification-server/pkg/render"
+	"github.com/sethvargo/go-limiter"
 
 	"github.com/google/exposure-notifications-server/pkg/logging"
 
@@ -35,6 +36,7 @@ type Controller struct {
 	db           *database.Database
 	authProvider auth.Provider
 	h            *render.Renderer
+	limiter      limiter.Store
 	logger       *zap.SugaredLogger
 }
 
@@ -44,6 +46,7 @@ func New(
 	cacher cache.Cacher,
 	db *database.Database,
 	authProvider auth.Provider,
+	limiter limiter.Store,
 	h *render.Renderer,
 ) *Controller {
 	logger := logging.FromContext(ctx).Named("admin")
@@ -54,6 +57,7 @@ func New(
 		db:           db,
 		authProvider: authProvider,
 		h:            h,
+		limiter:      limiter,
 		logger:       logger,
 	}
 }
diff --git a/pkg/controller/admin/mobile_apps.go b/pkg/controller/admin/mobile_apps.go
index 801603b01..4ec87f159 100644
--- a/pkg/controller/admin/mobile_apps.go
+++ b/pkg/controller/admin/mobile_apps.go
@@ -57,5 +57,5 @@ func (c *Controller) renderShowMobileApps(ctx context.Context, w http.ResponseWr
 	m["apps"] = apps
 	m["paginator"] = paginator
 	m["query"] = q
-	c.h.RenderHTML(w, "admin/mobileapps/show", m)
+	c.h.RenderHTML(w, "admin/mobileapps/index", m)
 }
diff --git a/pkg/controller/admin/realms.go b/pkg/controller/admin/realms.go
index a9d0f7e21..1c8c87a6a 100644
--- a/pkg/controller/admin/realms.go
+++ b/pkg/controller/admin/realms.go
@@ -167,23 +167,38 @@ func (c *Controller) HandleRealmsUpdate() http.Handler {
 			return
 		}
 
+		var quotaLimit, quotaRemaining uint64
+		if realm.AbusePreventionEnabled {
+			key, err := realm.QuotaKey(c.config.RateLimit.HMACKey)
+			if err != nil {
+				controller.InternalError(w, r, c.h, err)
+				return
+			}
+
+			quotaLimit, quotaRemaining, err = c.limiter.Get(ctx, key)
+			if err != nil {
+				controller.InternalError(w, r, c.h, err)
+				return
+			}
+		}
+
 		// Requested form, stop processing.
 		if r.Method == http.MethodGet {
-			c.renderEditRealm(ctx, w, realm, smsConfig)
+			c.renderEditRealm(ctx, w, realm, smsConfig, quotaLimit, quotaRemaining)
 			return
 		}
 
 		var form FormData
 		if err := controller.BindForm(w, r, &form); err != nil {
 			flash.Error("Failed to process form: %v", err)
-			c.renderEditRealm(ctx, w, realm, smsConfig)
+			c.renderEditRealm(ctx, w, realm, smsConfig, quotaLimit, quotaRemaining)
 			return
 		}
 
 		realm.CanUseSystemSMSConfig = form.CanUseSystemSMSConfig
 		if err := c.db.SaveRealm(realm, currentUser); err != nil {
 			flash.Error("Failed to create realm: %v", err)
-			c.renderEditRealm(ctx, w, realm, smsConfig)
+			c.renderEditRealm(ctx, w, realm, smsConfig, quotaLimit, quotaRemaining)
 			return
 		}
 
@@ -192,11 +207,14 @@ func (c *Controller) HandleRealmsUpdate() http.Handler {
 	})
 }
 
-func (c *Controller) renderEditRealm(ctx context.Context, w http.ResponseWriter, realm *database.Realm, smsConfig *database.SMSConfig) {
+func (c *Controller) renderEditRealm(ctx context.Context, w http.ResponseWriter,
+	realm *database.Realm, smsConfig *database.SMSConfig, quotaLimit, quotaRemaining uint64) {
 	m := controller.TemplateMapFromContext(ctx)
 	m["realm"] = realm
 	m["systemSMSConfig"] = smsConfig
 	m["supportsPerRealmSigning"] = c.db.SupportsPerRealmSigning()
+	m["quotaLimit"] = quotaLimit
+	m["quotaRemaining"] = quotaRemaining
 	c.h.RenderHTML(w, "admin/realms/edit", m)
 }
 
diff --git a/pkg/controller/admin/users_list.go b/pkg/controller/admin/users_list.go
index a86564543..80da2acb2 100644
--- a/pkg/controller/admin/users_list.go
+++ b/pkg/controller/admin/users_list.go
@@ -16,6 +16,7 @@ package admin
 
 import (
 	"net/http"
+	"strings"
 
 	"github.com/google/exposure-notifications-verification-server/pkg/controller"
 	"github.com/google/exposure-notifications-verification-server/pkg/database"
@@ -23,11 +24,6 @@ import (
 	"github.com/gorilla/mux"
 )
 
-const (
-	userType    = "usertype"
-	systemAdmin = "sysadmin"
-)
-
 // HandleUsersIndex renders the list of all non-system-admin users.
 func (c *Controller) HandleUsersIndex() http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -39,9 +35,20 @@ func (c *Controller) HandleUsersIndex() http.Handler {
 			return
 		}
 
-		typeFilter := r.FormValue(userType)
+		var scopes []database.Scope
+		filter := strings.TrimSpace(r.FormValue("filter"))
+		switch filter {
+		case "realmAdmins":
+			scopes = append(scopes, database.OnlyRealmAdmins())
+		case "systemAdmins":
+			scopes = append(scopes, database.OnlySystemAdmins())
+		default:
+		}
+
 		q := r.FormValue(QueryKeySearch)
-		users, paginator, err := c.db.ListUsers(pageParams, q, typeFilter == systemAdmin)
+		scopes = append(scopes, database.WithUserSearch(q))
+
+		users, paginator, err := c.db.ListUsers(pageParams, scopes...)
 		if err != nil {
 			controller.InternalError(w, r, c.h, err)
 			return
@@ -50,7 +57,7 @@ func (c *Controller) HandleUsersIndex() http.Handler {
 		m := controller.TemplateMapFromContext(ctx)
 		m["users"] = users
 		m["query"] = q
-		m[userType] = typeFilter
+		m["filter"] = filter
 		m["paginator"] = paginator
 		c.h.RenderHTML(w, "admin/users/index", m)
 	})
diff --git a/pkg/controller/admin/users_operations.go b/pkg/controller/admin/users_operations.go
index 362f69062..6c1e0a544 100644
--- a/pkg/controller/admin/users_operations.go
+++ b/pkg/controller/admin/users_operations.go
@@ -109,7 +109,7 @@ func (c *Controller) HandleSystemAdminCreate() http.Handler {
 func (c *Controller) renderNewUser(ctx context.Context, w http.ResponseWriter, user *database.User) {
 	m := controller.TemplateMapFromContext(ctx)
 	m["user"] = user
-	c.h.RenderHTML(w, "admin/systemadmin/new", m)
+	c.h.RenderHTML(w, "admin/users/new", m)
 }
 
 // HandleSystemAdminRevoke removes admin from a system admin.
diff --git a/pkg/database/scopes.go b/pkg/database/scopes.go
new file mode 100644
index 000000000..9884a11b0
--- /dev/null
+++ b/pkg/database/scopes.go
@@ -0,0 +1,54 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package database
+
+import (
+	"github.com/google/exposure-notifications-verification-server/internal/project"
+	"github.com/jinzhu/gorm"
+)
+
+// Scope is a type alias to a gorm scope. It exists to reduce duplicate and
+// function length. Note this is an ALIAS. It is NOT a new type.
+type Scope = func(db *gorm.DB) *gorm.DB
+
+// OnlySystemAdmins returns a scope that restricts the query to system admins.
+// It's only applicable to functions that query User.
+func OnlySystemAdmins() Scope {
+	return func(db *gorm.DB) *gorm.DB {
+		return db.Where(&User{SystemAdmin: true})
+	}
+}
+
+// OnlyRealmAdmins returns a scope that restricts the query to users that are
+// administrators of 1 or more realms. It's only applicable to functions that
+// query User.
+func OnlyRealmAdmins() Scope {
+	return func(db *gorm.DB) *gorm.DB {
+		return db.Joins("INNER JOIN (SELECT DISTINCT user_id FROM admin_realms) ar ON users.id = ar.user_id")
+	}
+}
+
+// WithUserSearch returns a scope that adds querying for users by email and
+// name, case-insensitive. It's only applicable to functions that query User.
+func WithUserSearch(q string) Scope {
+	return func(db *gorm.DB) *gorm.DB {
+		q = project.TrimSpace(q)
+		if q != "" {
+			q = `%` + q + `%`
+			return db.Where("users.email ILIKE ? OR users.name ILIKE ?", q, q)
+		}
+		return db
+	}
+}
diff --git a/pkg/database/user.go b/pkg/database/user.go
index cd0c3500c..a3bef5b4a 100644
--- a/pkg/database/user.go
+++ b/pkg/database/user.go
@@ -231,21 +231,12 @@ func (u *User) Stats(db *Database, realmID uint, start, stop time.Time) ([]*User
 
 // ListUsers returns a list of all users sorted by name.
 // Warning: This list may be large. Use Realm.ListUsers() to get users scoped to a realm.
-func (db *Database) ListUsers(p *pagination.PageParams, q string, systemAdminOnly bool) ([]*User, *pagination.Paginator, error) {
+func (db *Database) ListUsers(p *pagination.PageParams, scopes ...Scope) ([]*User, *pagination.Paginator, error) {
 	var users []*User
 	query := db.db.Model(&User{}).
+		Scopes(scopes...).
 		Order("LOWER(name) ASC")
 
-	if systemAdminOnly {
-		query = query.Where("system_admin IS TRUE")
-	}
-
-	q = project.TrimSpace(q)
-	if q != "" {
-		q = `%` + q + `%`
-		query = query.Where("(users.email ILIKE ? OR users.name ILIKE ?)", q, q)
-	}
-
 	if p == nil {
 		p = new(pagination.PageParams)
 	}
diff --git a/pkg/render/render.go b/pkg/render/render.go
index 4c485e973..6b2ff3364 100644
--- a/pkg/render/render.go
+++ b/pkg/render/render.go
@@ -143,6 +143,13 @@ func safeHTML(s string) htmltemplate.HTML {
 	return htmltemplate.HTML(s)
 }
 
+func selectedIf(v bool) htmltemplate.HTML {
+	if v {
+		return htmltemplate.HTML("selected")
+	}
+	return ""
+}
+
 func templateFuncs() htmltemplate.FuncMap {
 	return map[string]interface{}{
 		"joinStrings":    strings.Join,
@@ -151,6 +158,7 @@ func templateFuncs() htmltemplate.FuncMap {
 		"toLower":        strings.ToLower,
 		"toUpper":        strings.ToUpper,
 		"safeHTML":       safeHTML,
+		"selectedIf":     selectedIf,
 	}
 }