# Superadmin CRUD Implementation Plan **Objective:** Implement a superadmin role to manage courses and tutors, ensuring only authorized users can perform system-wide administrative actions. This feature will be developed in an isolated git worktree. ## Key Context & Decisions - **Role Strategy:** A new `is_superadmin` boolean column will be added to the `tutors` database table. - **UI Structure:** A dedicated `/admin/tutors` page will handle tutor management. Course management will remain on `/admin/courses` but will be enhanced with superadmin-only actions (e.g., assigning tutors to courses). - **Workspace:** Development will be done in `.worktrees/feature-superadmin-crud`. ## Implementation Steps ### 1. Workspace Isolation via Git Worktree - Create a new git worktree: `git worktree add .worktrees/feature-superadmin-crud -b feature-superadmin-crud` - All subsequent steps will be performed inside this isolated workspace. ### 2. Database & Models - Create migration `backend/migrations/002_add_superadmin.sql` to add `is_superadmin BOOLEAN NOT NULL DEFAULT 0` to the `tutors` table. - Update `backend/demo/demo_seed.sql` to set the default `admin@tutortool.com` as a superadmin (`is_superadmin = 1`). - Update `backend/src/models.rs` to include `is_superadmin: bool` in the `Tutor` struct. - Add `CreateTutor` and `TutorResponse` structs to `backend/src/models.rs`. ### 3. Auth & Core Backend - Modify `backend/src/auth.rs` to include `is_superadmin: bool` in `TutorClaims`. This allows auth guards to check permissions efficiently. - Update `backend/src/routes/auth_routes.rs` login handler to fetch `is_superadmin` and encode it in the JWT. - Add a helper function to verify superadmin access to reject unauthorized requests. ### 4. Tutors API - Create `backend/src/routes/tutors.rs` with endpoints: - `GET /api/admin/tutors` (list all tutors) - `POST /api/admin/tutors` (create a tutor, hashing their password) - `DELETE /api/admin/tutors/:id` (delete a tutor) - Merge these routes in `backend/src/routes/mod.rs`. ### 5. Course Assignments API - Modify `backend/src/routes/courses.rs`: - Enhance `GET /api/admin/courses` to return ALL courses if `claims.is_superadmin` is true, otherwise only return assigned courses. - Restrict `POST /api/admin/courses` to superadmins only. - Add `POST /api/admin/courses/:id/tutors` to assign a tutor to a course (superadmin only). - Add `DELETE /api/admin/courses/:id/tutors/:tutor_id` to remove a tutor from a course (superadmin only). - Add `GET /api/admin/courses/:id/tutors` to list tutors assigned to a course. ### 6. Frontend Auth & API Client - Update `frontend/src/lib/types.ts` to include `Tutor` and the new `is_superadmin` flag in token payload or state. - Add the new endpoints to `frontend/src/lib/api.ts` under `api.admin.tutors` and enhance `api.admin.courses`. ### 7. Frontend UI: Tutors Management - Update `frontend/src/lib/components/TutorShell.svelte` to conditionally render a "Tutor:innen" link in the sidebar if the user is a superadmin. - Create `frontend/src/routes/admin/tutors/+page.svelte` following the paper-bg design system. Include a list of tutors and a form to add a new tutor. ### 8. Frontend UI: Courses Enhancements - Modify `frontend/src/routes/admin/courses/+page.svelte` to show a "Tutor:innen zuweisen" (Assign Tutors) section for each course if the logged-in user is a superadmin. - Restrict the course creation form to superadmins only. ## Verification & Testing - Run `cargo test` in the backend to ensure existing tests pass and new route isolation works. - Perform a manual end-to-end test using the `make dev` script in the new worktree to verify the UI.