working on permissions and messages

frontend/src/routes/user/Edit.svelte

@@ -13,6 +13,7 @@
     let options = $state([]);
     let sent = $state(false);
     let caption = $state(t('user.save_user'));
+    let message = $state(t('user.loading_data'));
 
     onMount(async () => {
         let url = `${location.protocol}//${location.host.replace('5173','8080')}/themes.json`;
@@ -28,7 +29,12 @@
 
         url = `${location.protocol}//${location.host.replace('5173','8080')}/api/user/${user_id}`;
         resp = await fetch(url,{credentials:'include'});
-        if (resp.ok) editUser = await resp.json();
+        if (resp.ok) {
+            editUser = await resp.json();
+        } else {
+            message = await resp.text();
+            if (message == "") message = t(resp);
+        }
    });
 
     async function save(elem){
@@ -97,6 +103,6 @@
     </table>
     <button onclick={save} disabled={sent}>{caption}</button>
     {:else}
-    {t('user.loading_data')}
+    {message}
     {/if}
 </fieldset>

frontend/src/translations.svelte.js

@@ -8,6 +8,7 @@ export async function loadTranslation(lang){
 }
 
 export function t(key,...args){
+    if (key instanceof Response) key = 'status.'+key.status;
     let set = translations.values;
     let keys = key.split('.');
     for (let token of keys){

translations/src/main/resources/de.json

@@ -17,6 +17,9 @@
     "users": "Benutzer",
     "tutorial": "Tutorial"
   },
+  "status" : {
+    "403": "Zugriff verweigert"
+  },
   "user" : {
     "actions": "Aktionen",
     "abort": "abbrechen",

user/src/main/java/de/srsoftware/umbrella/user/UserModule.java

@@ -86,10 +86,10 @@ public class UserModule extends PathHandler {
 		};
 		try {
 			long userId = Long.parseLong(head);
-			if (userId == user.id() || (user instanceof DbUser dbUser && dbUser.permissions().contains(LIST_USERS))) {
+			if (!(user instanceof DbUser dbUser && (user.id() == userId || dbUser.permissions().contains(LIST_USERS)))) {
-				var requestedUser = users.load(userId);
+				return sendEmptyResponse(HTTP_FORBIDDEN,ex);
-				return sendContent(ex,requestedUser);
 			}
+			return sendContent(ex,users.load(userId));
 		} catch (UmbrellaException e) {
 			return sendContent(ex,e.statusCode(),e.getMessage());
 		} catch (NumberFormatException ignored) {}
@@ -224,9 +224,7 @@ public class UserModule extends PathHandler {
 			if (!(requestingUser instanceof DbUser dbUser && dbUser.permissions().contains(PERMISSION.IMPERSONATE))) return sendEmptyResponse(HTTP_FORBIDDEN,ex);
 			if (targetId == null) return sendContent(ex,HTTP_UNPROCESSABLE,"user id missing");
 			var targetUser = users.load(targetId);
-			users.getSession(targetUser)
+			users.getSession(targetUser).cookie().addTo(ex);
-					.cookie()
-					.addTo(ex.getResponseHeaders());
 			return sendContent(ex,targetUser.toMap());
 		} catch (UmbrellaException e) {
 			return sendContent(ex,e.statusCode(),e.getMessage());
@@ -278,9 +276,7 @@ public class UserModule extends PathHandler {
 		var hashedPass = Password.of(BAD_HASHER.hash(password,null));
 		try {
 			var user = users.load(username, hashedPass);
-			users.getSession(user)
+			users.getSession(user).cookie().addTo(ex);
-					.cookie()
-					.addTo(ex.getResponseHeaders());
 			return sendContent(ex,user);
 		} catch (UmbrellaException ue){
 			return sendContent(ex,ue.statusCode(),ue.getMessage());