fix: permissions not restricted for certain management pages / actions (#1219)

* fix: restrict parts of manage navigation to admins

* fix: restrict stats cards on manage home page

* fix: restrict access to amount of certain stats for manage home

* fix: restrict visibility of board create button

* fix: restrict access to integration pages

* fix: restrict access to tools pages for admins

* fix: restrict access to user and group pages

* test: adjust tests to match permission changes for routes

* fix: remove certain pages from spotlight without admin

* fix: app management not restricted
Meier Lukas
2024-10-05 17:03:32 +02:00
committed by GitHub
parent 770768eb21
commit 1421ccc917
28 changed files with 756 additions and 322 deletions


@@ -1,8 +1,10 @@
import { headers } from "next/headers";
import { notFound } from "next/navigation";
import { Stack, Tabs, TabsList, TabsPanel, TabsTab } from "@mantine/core";
import { openApiDocument } from "@homarr/api";
import { api } from "@homarr/api/server";
import { auth } from "@homarr/auth/next";
import { extractBaseUrlFromHeaders } from "@homarr/common";
import { getScopedI18n } from "@homarr/translation/server";
@@ -11,6 +13,11 @@ import { createMetaTitle } from "~/metadata";
import { ApiKeysManagement } from "./components/api-keys";
export async function generateMetadata() {
const session = await auth();
if (!session?.user || !session.user.permissions.includes("admin")) {
return {};
}
const t = await getScopedI18n("management");
return {
@@ -19,6 +26,10 @@ export async function generateMetadata() {
}
export default async function ApiPage() {
const session = await auth();
if (!session?.user || !session.user.permissions.includes("admin")) {
notFound();
}
const document = openApiDocument(extractBaseUrlFromHeaders(headers()));
const apiKeys = await api.apiKeys.getAll();
const t = await getScopedI18n("management.page.tool.api.tab");
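Review bot: The admin check added to `ApiPage` gates only the rendering of this page; nothing in the hunk shows that `api.apiKeys.getAll()` enforces the permission itself. Confirm that the `apiKeys` procedures require `admin` on the server, since a page guard does not cover a direct call to the API. The same applies to `api.cronJobs.getJobs()` on the tasks page and to whatever feeds the terminal component on the logs page. I would add `// Page-level guard only: apiKeys.getAll must enforce "admin" on the server as well.` above the call. ApiPage's body continues outside the hunk.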


@@ -4,12 +4,20 @@ import { getScopedI18n } from "@homarr/translation/server";
import "@xterm/xterm/css/xterm.css";
import { notFound } from "next/navigation";
import { auth } from "@homarr/auth/next";
import { DynamicBreadcrumb } from "~/components/navigation/dynamic-breadcrumb";
import { fullHeightWithoutHeaderAndFooter } from "~/constants";
import { createMetaTitle } from "~/metadata";
import { ClientSideTerminalComponent } from "./client";
export async function generateMetadata() {
const session = await auth();
if (!session?.user || !session.user.permissions.includes("admin")) {
return {};
}
const t = await getScopedI18n("management");
return {
@@ -17,7 +25,12 @@ export async function generateMetadata() {
};
}
export default function LogsManagementPage() {
export default async function LogsManagementPage() {
const session = await auth();
if (!session?.user || !session.user.permissions.includes("admin")) {
notFound();
}
return (
<>
<DynamicBreadcrumb />
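Review bot: The early `return {};` in `generateMetadata` has no comment, so the reason for handing back empty metadata is left for the reader to work out from the `notFound()` call in `LogsManagementPage`. I would add `// Non-admins get empty metadata so the page title is not disclosed; the page itself responds with notFound().` above the `if`. The same early return appears in the API and tasks pages and deserves the same comment. Both function bodies continue outside the hunks shown.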


@@ -1,12 +1,18 @@
import { notFound } from "next/navigation";
import { Box, Title } from "@mantine/core";
import { api } from "@homarr/api/server";
import { auth } from "@homarr/auth/next";
import { getScopedI18n } from "@homarr/translation/server";
import { createMetaTitle } from "~/metadata";
import { JobsList } from "./_components/jobs-list";
export async function generateMetadata() {
const session = await auth();
if (!session?.user.permissions.includes("admin")) {
return {};
}
const t = await getScopedI18n("management");
return {
@@ -15,6 +21,11 @@ export async function generateMetadata() {
}
export default async function TasksPage() {
const session = await auth();
if (!session?.user.permissions.includes("admin")) {
notFound();
}
const jobs = await api.cronJobs.getJobs();
return (
<Box>
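Review bot: The guard in `generateMetadata` and `TasksPage` is written `!session?.user.permissions.includes("admin")`, which short-circuits only when `session` itself is null. If a session object can exist without `user`, the property access throws instead of reaching `notFound()`. The API and logs pages in this commit use `!session?.user || !session.user.permissions.includes("admin")`; use the same form here, or `!session?.user?.permissions.includes("admin")`. Whether `user` can be absent depends on the session type, which is not visible in this hunk. TasksPage's body continues outside the hunk.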