feat: admins can manage all lists

src/routes/lists/[id]/+page.server.ts

@@ -1,6 +1,7 @@
 import { error, redirect } from "@sveltejs/kit";
 import type { PageServerLoad } from "./$types";
 import { getConfig } from "$lib/server/config";
+import { Role } from "$lib/schema";
 import { getFormatter } from "$lib/server/i18n";
 import { getById, getItems, type GetItemsOptions } from "$lib/server/list";
 import { getActiveMembership } from "$lib/server/group-membership";
@@ -60,14 +61,17 @@ export const load = (async ({ params, url, locals, depends, cookies }) => {
                 activeGroupId: list.groupId
             },
             isManager: list.managers.find(({ userId }) => userId === locals.user?.id) !== undefined,
+            // Expose whether the current user is a site admin so the UI can show admin-only controls
+            isAdmin: locals.user ? locals.user.roleId === Role.ADMIN : false,
             items
         },
         loggedInUser: locals.user
             ? {
                   id: locals.user.id,
                   username: locals.user.username,
                   name: locals.user.name,
-                  activeGroupId: activeMembership!.groupId
+                  activeGroupId: activeMembership!.groupId,
+                  roleId: locals.user.roleId
               }
             : undefined,
         listMode: config.listMode,

src/routes/lists/[id]/+page.svelte

@@ -248,7 +248,7 @@
         {#if !reordering}
             <ListViewModeChip {isTileView} />
         {/if}
-        {#if data.list.owner.isMe || data.list.isManager}
+        {#if data.list.owner.isMe || data.list.isManager || data.list.isAdmin}
             <ReorderChip onFinalize={handleReorderFinalize} bind:reordering />
             <ManageListChip onclick={() => goto(`${new URL(page.url).pathname}/manage`)} />
         {/if}

src/routes/lists/[id]/manage/+page.server.ts

@@ -3,6 +3,7 @@ import type { Actions, PageServerLoad } from "./$types";
 import { getActiveMembership } from "$lib/server/group-membership";
 import { client } from "$lib/server/prisma";
 import { getFormatter } from "$lib/server/i18n";
+import { Role } from "$lib/schema";
 import { getListPropertiesSchema } from "$lib/server/validations";
 import { trimToNull } from "$lib/util";
 import { deleteList } from "$lib/server/list";
@@ -55,7 +56,10 @@ export const load: PageServerLoad = async ({ params }) => {
         .then((list) => list ?? error(404, $t("errors.list-not-found")));
 
     // Logged in users must be in the correct group, or viewing a public list
-    if (list.owner.id !== user.id && !list.managers.find(({ user: manager }) => manager.id === user.id)) {
+    const isManager = !!list.managers.find(({ user: manager }) => manager.id === user.id);
+    const isAdmin = user.roleId === Role.ADMIN;
+    const isGroupManager = activeMembership.roleId === Role.GROUP_MANAGER;
+    if (list.owner.id !== user.id && !isManager && !isAdmin && !isGroupManager) {
         error(401, $t("errors.not-authorized"));
     }
     if (list.groupId !== activeMembership.groupId) {
@@ -169,7 +173,9 @@ export const actions: Actions = {
                 groupId: activeMembership.groupId
             }
         });
-        if (user.id !== listOwner?.ownerId) {
+        const isAdmin = user.roleId === Role.ADMIN;
+        const isGroupManager = activeMembership.roleId === Role.GROUP_MANAGER;
+        if (user.id !== listOwner?.ownerId && !isAdmin && !isGroupManager) {
             error(401, $t("errors.not-authorized"));
         }
 
@@ -204,7 +210,17 @@ async function canManage(id: string, user: LocalUser, groupId: string) {
     if (!list) {
         error(404, $t("errors.list-not-found"));
     }
-    if (user.id !== list.ownerId && !list.managers.find(({ userId }) => userId === user.id)) {
-        error(401, $t("errors.not-authorized"));
-    }
+    if (user.id === list.ownerId) return;
+    if (list.managers.find(({ userId }) => userId === user.id)) return;
+    if (user.roleId === Role.ADMIN) return;
+
+    const membership = await client.userGroupMembership.findFirst({
+        where: {
+            userId: user.id,
+            groupId
+        }
+    });
+    if (membership?.roleId === Role.GROUP_MANAGER) return;
+
+    error(401, $t("errors.not-authorized"));
 }