Add moderator role model and resource sharing access controls

Author: wilhel1812

db/migrations/2026-03-12_roles_and_visibility.sql

@@ -0,0 +1,9 @@
+PRAGMA foreign_keys = OFF;
+
+ALTER TABLE users ADD COLUMN is_moderator INTEGER NOT NULL DEFAULT 0;
+
+-- Legacy visibility default for existing resources: treat as shared.
+UPDATE sites SET visibility = 'public_write' WHERE visibility = 'private';
+UPDATE simulations SET visibility = 'public_write' WHERE visibility = 'private';
+
+PRAGMA foreign_keys = ON;

db/schema.sql

@@ -16,6 +16,7 @@ CREATE TABLE IF NOT EXISTS users (
   avatar_bytes INTEGER,
   avatar_content_type TEXT,
   is_admin INTEGER NOT NULL DEFAULT 0,
+  is_moderator INTEGER NOT NULL DEFAULT 0,
   is_approved INTEGER NOT NULL DEFAULT 0,
   approved_at TEXT,
   approved_by_user_id TEXT,

docs/BACKLOG.md

@@ -24,7 +24,7 @@ State: stabilization pass (no net-new product features unless explicitly approve
 - [x] What does the reject button currently do?
 - [x] Show profile pictures to other users when you click open the user popover. Also show a small one next to any user name in the UI
 - [x] User should be able to select if e-mail should be visible to everyone or only admins
-- [ ] access rights on sites and simulations. public, public-read only, private
+- [x] access rights on sites and simulations. private, public, shared (+ collaborator edit grants)
 - [ ] explore if the route option actually makes sense anymore
 - [ ] explore if we can take buildings into account
 
@@ -58,6 +58,8 @@ State: stabilization pass (no net-new product features unless explicitly approve
 - Progress: added in-app metadata repair utility for created/last-edited backfill from ownership/change history.
 - Progress: added admin ownership operations endpoint/UI (single + bulk reassign) with in-app audit view.
 - [x] Add user moderation actions and review queue ergonomics
+- Progress: role model expanded to `Admin/Moderator/User/Pending`; user role changes now use dropdown role assignment (with moderator constraints).
+- Progress: pending approvals/notifications now target moderator/admin reviewers.
 - [x] Add simulation/site ownership repair tools in UI
 - Progress: ownership-related display gaps now repaired via metadata repair + fallback mapping; explicit owner reassignment UI now available for admins.
 - [x] Add admin-safe bulk operations with confirmations and logs

functions/_lib/access.test.ts

@@ -1,16 +1,18 @@
 import { describe, expect, it } from "vitest";
 import {
+  canAssignRole,
   canDeleteUserAccount,
   canListUsers,
-  canUpdateUserApproval,
-  canUpdateUserRole,
+  canSetPendingOrUser,
   deriveAccountState,
+  deriveUserRole,
   type AccessUserLike,
 } from "./access";
 
 const makeUser = (patch: Partial<AccessUserLike>): AccessUserLike => ({
   id: patch.id ?? "u1",
   isAdmin: patch.isAdmin ?? false,
+  isModerator: patch.isModerator ?? false,
   isApproved: patch.isApproved ?? false,
   approvedAt: patch.approvedAt ?? null,
   approvedByUserId: patch.approvedByUserId ?? null,
@@ -21,29 +23,40 @@ describe("access matrix", () => {
     expect(deriveAccountState(makeUser({ isApproved: false, approvedAt: null }))).toBe("pending");
     expect(deriveAccountState(makeUser({ isApproved: true }))).toBe("approved");
     expect(deriveAccountState(makeUser({ isAdmin: true, isApproved: false }))).toBe("approved");
+    expect(deriveAccountState(makeUser({ isModerator: true, isApproved: false }))).toBe("approved");
     expect(deriveAccountState(makeUser({ isApproved: false, approvedAt: "2026-01-01T00:00:00Z" }))).toBe(
       "revoked",
     );
   });
 
-  it("enforces admin-only list and disallows self-moderation", () => {
+  it("enforces admin/moderator list and role assignment limits", () => {
     const admin = makeUser({ id: "admin", isAdmin: true, isApproved: true });
+    const moderator = makeUser({ id: "mod", isModerator: true, isApproved: true });
     const normal = makeUser({ id: "user", isAdmin: false, isApproved: true });
+    const pending = makeUser({ id: "pending", isApproved: false });
 
     expect(canListUsers(admin)).toBe(true);
+    expect(canListUsers(moderator)).toBe(true);
     expect(canListUsers(normal)).toBe(false);
 
-    expect(canUpdateUserRole(admin, "user")).toBe(true);
-    expect(canUpdateUserRole(admin, "admin")).toBe(false);
-    expect(canUpdateUserRole(normal, "admin")).toBe(false);
+    expect(deriveUserRole(admin)).toBe("admin");
+    expect(deriveUserRole(moderator)).toBe("moderator");
+    expect(deriveUserRole(normal)).toBe("user");
+    expect(deriveUserRole(pending)).toBe("pending");
 
-    expect(canUpdateUserApproval(admin, "user")).toBe(true);
-    expect(canUpdateUserApproval(admin, "admin")).toBe(false);
-    expect(canUpdateUserApproval(normal, "admin")).toBe(false);
+    expect(canAssignRole(admin, normal, "moderator")).toBe(true);
+    expect(canAssignRole(admin, admin, "user")).toBe(false);
+    expect(canAssignRole(moderator, normal, "pending")).toBe(true);
+    expect(canAssignRole(moderator, normal, "admin")).toBe(false);
+    expect(canAssignRole(moderator, admin, "pending")).toBe(false);
+    expect(canAssignRole(normal, pending, "user")).toBe(false);
+
+    expect(canSetPendingOrUser(admin, normal)).toBe(true);
+    expect(canSetPendingOrUser(moderator, normal)).toBe(true);
+    expect(canSetPendingOrUser(moderator, admin)).toBe(false);
 
     expect(canDeleteUserAccount(admin, "user")).toBe(true);
     expect(canDeleteUserAccount(admin, "admin")).toBe(false);
     expect(canDeleteUserAccount(normal, "admin")).toBe(false);
   });
 });
-

functions/_lib/access.ts

@@ -1,27 +1,58 @@
 export type AccessUserLike = {
   id: string;
   isAdmin: boolean;
+  isModerator?: boolean;
   isApproved: boolean;
   approvedAt?: string | null;
   approvedByUserId?: string | null;
 };
 
 export type AccountState = "pending" | "approved" | "revoked";
+export type UserRole = "admin" | "moderator" | "user" | "pending";
 
 export const deriveAccountState = (user: AccessUserLike): AccountState => {
-  if (user.isAdmin || user.isApproved) return "approved";
+  if (user.isAdmin || user.isModerator || user.isApproved) return "approved";
   if (user.approvedAt || user.approvedByUserId) return "revoked";
   return "pending";
 };
 
-export const canListUsers = (user: AccessUserLike): boolean => user.isAdmin;
+export const deriveUserRole = (user: AccessUserLike): UserRole => {
+  if (user.isAdmin) return "admin";
+  if (user.isModerator) return "moderator";
+  if (user.isApproved) return "user";
+  return "pending";
+};
+
+export const canListUsers = (user: AccessUserLike): boolean => user.isAdmin || Boolean(user.isModerator);
+
+const canModeratePendingOrUser = (actor: AccessUserLike, target: AccessUserLike): boolean => {
+  if (actor.id === target.id) return false;
+  if (actor.isAdmin) return true;
+  if (!actor.isModerator) return false;
+  if (target.isAdmin || target.isModerator) return false;
+  return true;
+};
 
 export const canUpdateUserRole = (actor: AccessUserLike, targetUserId: string): boolean =>
   actor.isAdmin && actor.id !== targetUserId;
 
 export const canUpdateUserApproval = (actor: AccessUserLike, targetUserId: string): boolean =>
-  actor.isAdmin && actor.id !== targetUserId;
+  (actor.isAdmin || Boolean(actor.isModerator)) && actor.id !== targetUserId;
+
+export const canAssignRole = (
+  actor: AccessUserLike,
+  target: AccessUserLike,
+  nextRole: UserRole,
+): boolean => {
+  if (actor.id === target.id) return false;
+  if (actor.isAdmin) return true;
+  if (!actor.isModerator) return false;
+  if (target.isAdmin || target.isModerator) return false;
+  return nextRole === "pending" || nextRole === "user";
+};
+
+export const canSetPendingOrUser = (actor: AccessUserLike, target: AccessUserLike): boolean =>
+  canModeratePendingOrUser(actor, target);
 
 export const canDeleteUserAccount = (actor: AccessUserLike, targetUserId: string): boolean =>
   actor.isAdmin && actor.id !== targetUserId;
-

functions/_lib/db.identity.test.ts

@@ -12,7 +12,14 @@ const makeCandidate = (patch: Partial<Candidate>): Candidate => ({
   idp_email: patch.idp_email ?? null,
   idp_email_verified: patch.idp_email_verified ?? 0,
   avatar_url: patch.avatar_url ?? null,
+  email_public: patch.email_public ?? 1,
+  avatar_object_key: patch.avatar_object_key ?? null,
+  avatar_thumb_key: patch.avatar_thumb_key ?? null,
+  avatar_hash: patch.avatar_hash ?? null,
+  avatar_bytes: patch.avatar_bytes ?? null,
+  avatar_content_type: patch.avatar_content_type ?? null,
   is_admin: patch.is_admin ?? 0,
+  is_moderator: patch.is_moderator ?? 0,
   is_approved: patch.is_approved ?? 0,
   approved_at: patch.approved_at ?? null,
   approved_by_user_id: patch.approved_by_user_id ?? null,