Formatting and adding routing checks to push the user out of admin menus when they are not an admin.

packages/builder/src/pages/builder/portal/manage/auth/_layout.svelte

@@ -1,5 +1,12 @@
 <script>
+  import { redirect } from "@roxi/routify"
   import { Page } from "@budibase/bbui"
+  import { auth } from "../../../../../stores/portal"
+
+  // only admins allowed here
+  if (!$auth.isAdmin) {
+    $redirect("../../../portal")
+  }
 </script>
 
 <Page>

packages/builder/src/pages/builder/portal/manage/email/_layout.svelte

@@ -1,5 +1,12 @@
 <script>
-  import { email } from "stores/portal"
+  import { redirect } from "@roxi/routify"
+  import { auth, email } from "stores/portal"
+
+  // only admins allowed here
+  if (!$auth.isAdmin) {
+    $redirect("../../../portal")
+  }
+
   email.templates.fetch()
 </script>
 

packages/builder/src/pages/builder/portal/manage/users/_layout.svelte

@@ -1,5 +1,12 @@
 <script>
   import { Page } from "@budibase/bbui"
+  import { auth } from "../../../../../stores/portal"
+  import { redirect } from "@roxi/routify"
+
+  // only admins allowed here
+  if (!$auth.isAdmin) {
+    $redirect("../../../portal")
+  }
 </script>
 
 <Page>

packages/builder/src/pages/builder/portal/settings/index.svelte

@@ -1,4 +1,4 @@
 <script>
   import { goto } from "@roxi/routify"
-  $goto("./general")
+  $goto("./organisation")
 </script>

packages/builder/src/pages/builder/portal/settings/organisation.svelte

@@ -11,10 +11,16 @@
     Dropzone,
     notifications,
   } from "@budibase/bbui"
-  import { organisation } from "stores/portal"
+  import { auth, organisation } from "stores/portal"
   import { post } from "builderStore/api"
   import analytics from "analytics"
   import { writable } from "svelte/store"
+  import { redirect } from "@roxi/routify"
+
+  // only admins allowed here
+  if (!$auth.isAdmin) {
+    $redirect("../../portal")
+  }
 
   const values = writable({
     analytics: !analytics.disabled(),

packages/builder/src/stores/portal/auth.js

@@ -5,19 +5,27 @@ export function createAuthStore() {
   const user = writable(null)
   const store = derived(user, $user => {
     let initials = null
+    let isAdmin = false
+    let isBuilder = false
     if ($user) {
       if ($user.firstName) {
         initials = $user.firstName[0]
         if ($user.lastName) {
           initials += $user.lastName[0]
         }
-      } else {
+      } else if ($user.email) {
         initials = $user.email[0]
+      } else {
+        initials = "Unknown"
       }
+      isAdmin = !!$user.admin?.global
+      isBuilder = !!$user.builder?.global
     }
     return {
       user: $user,
       initials,
+      isAdmin,
+      isBuilder,
     }
   })
 
@@ -29,6 +37,7 @@ export function createAuthStore() {
         user.set(null)
       } else {
         const json = await response.json()
+        console.log(json)
         user.set(json)
       }
     },

packages/worker/src/api/routes/admin/users.js

@@ -56,7 +56,6 @@ router
   )
   .get("/api/admin/users", adminOnly, controller.fetch)
   .delete("/api/admin/users/:id", adminOnly, controller.destroy)
-  .get("/api/admin/users/:id", adminOnly, controller.find)
   .get("/api/admin/roles/:appId")
   .post(
     "/api/admin/users/invite",
@@ -77,5 +76,7 @@ router
   )
   .post("/api/admin/users/init", controller.adminUser)
   .get("/api/admin/users/self", controller.getSelf)
+  // admin endpoint but needs to come at end (blocks other endpoints otherwise)
+  .get("/api/admin/users/:id", adminOnly, controller.find)
 
 module.exports = router

packages/worker/src/middleware/adminOnly.js

@@ -1,5 +1,8 @@
 module.exports = async (ctx, next) => {
-  if (!ctx.internal && (!ctx.user || !ctx.user.admin || !ctx.user.admin.global)) {
+  if (
+    !ctx.internal &&
+    (!ctx.user || !ctx.user.admin || !ctx.user.admin.global)
+  ) {
     ctx.throw(403, "Admin user only endpoint.")
   }
   return next()