Verifying abilities for admin panel access instead of relying on user role.

pages/admin/actors/+onBeforeRender.js

@@ -1,6 +1,13 @@
+import { render } from 'vike/abort'; /* eslint-disable-line import/extensions */
+
 import { fetchActors } from '#/src/actors.js';
+import verifyAbility from '#/utils/verify-ability.js';
 
 export default async function onBeforeRender(pageContext) {
+	if (!pageContext.user || !verifyAbility(pageContext.user, 'actor', 'merge')) {
+		throw render(404);
+	}
+
 	const { actors } = await fetchActors({
 		query: pageContext.urlParsed.search.q,
 	}, {

pages/admin/revisions/actors/+onBeforeRender.js

@@ -1,8 +1,10 @@
 import { render } from 'vike/abort'; /* eslint-disable-line import/extensions */
+
 import { fetchActorRevisions } from '#/src/actors.js';
+import verifyAbility from '#/utils/verify-ability.js';
 
 export async function onBeforeRender(pageContext) {
-	if (!pageContext.user || pageContext.user.role === 'user') {
+	if (!pageContext.user || !verifyAbility(pageContext.user, 'actor', 'update')) {
 		throw render(404);
 	}
 

pages/admin/revisions/scenes/+onBeforeRender.js

@@ -1,8 +1,10 @@
 import { render } from 'vike/abort'; /* eslint-disable-line import/extensions */
+
 import { fetchSceneRevisions } from '#/src/scenes.js';
+import verifyAbility from '#/utils/verify-ability.js';
 
 export async function onBeforeRender(pageContext) {
-	if (!pageContext.user || pageContext.user.role === 'user') {
+	if (!pageContext.user || !verifyAbility(pageContext.user, 'scene', 'update')) {
 		throw render(404);
 	}
 

src/actors.js

@@ -447,8 +447,6 @@ async function queryManticoreSql(filters, options, _reqUser) {
 					builder.where('has_avatar', 1);
 				}
 
-				console.log('ACTOR OPTIONS', options);
-
 				if (options.order?.[0] === 'name') {
 					builder.orderBy([
 						{ column: 'actors.slug', order: options.order[1] },