Diffstat (limited to 'server/src/routes/ui')
-rw-r--r-- | server/src/routes/ui/admin/user.rs | 16 | ||||
-rw-r--r-- | server/src/routes/ui/assets.rs | 7 | ||||
-rw-r--r-- | server/src/routes/ui/node.rs | 5 |
3 files changed, 15 insertions, 13 deletions
diff --git a/server/src/routes/ui/admin/user.rs b/server/src/routes/ui/admin/user.rs index e61ec45..42bcfa7 100644 --- a/server/src/routes/ui/admin/user.rs +++ b/server/src/routes/ui/admin/user.rs @@ -66,15 +66,15 @@ fn manage_single_user<'a>( Ok(LayoutPage { title: "User management".to_string(), content: markup::new! { - h1 { "Manage User" } + h1 { @format!("{:?}", user.display_name) " (" @user.name ")" } + a[href=uri!(r_admin_users())] "Back to the User List" @FlashDisplay { flash: flash.clone() } - h2 { @format!("{:?}", user.display_name) " (" @user.name ")" } form[method="POST", action=uri!(r_admin_remove_user())] { input[type="text", name="name", value=&user.name, hidden]; - input[type="submit", value="Remove(!)"]; + input[type="submit", value="Remove user(!)"]; } - h3 { "Permissions" } + h2 { "Permissions" } @PermissionDisplay { perms: &user.permissions } form[method="POST", action=uri!(r_admin_user_permission())] { @@ -90,9 +90,9 @@ fn manage_single_user<'a>( } fieldset.perms { legend { "Permission" } - label { input[type="radio", name="action", value="unset"]; "Unset" } - label { input[type="radio", name="action", value="grant"]; "Grant" } - label { input[type="radio", name="action", value="revoke"]; "Revoke" } + label { input[type="radio", name="action", value="unset"]; "Unset" } br; + label { input[type="radio", name="action", value="grant"]; "Grant" } br; + label { input[type="radio", name="action", value="revoke"]; "Revoke" } br; } input[type="submit", value="Update"]; } @@ -132,7 +132,7 @@ pub enum GrantState { Unset, } -#[post("/admin/update_user_permission", data = "<form>")] +#[post("/admin/q", data = "<form>")] pub fn r_admin_user_permission( session: AdminSession, database: &State<Database>, diff --git a/server/src/routes/ui/assets.rs b/server/src/routes/ui/assets.rs index f88faa4..5789685 100644 --- a/server/src/routes/ui/assets.rs +++ b/server/src/routes/ui/assets.rs 
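Review bot: The new route path `/admin/q` on `r_admin_user_permission` says nothing about what the endpoint does, and this is the handler that changes a user's permissions. A descriptive path such as the previous `#[post("/admin/update_user_permission", data = "<form>")]` keeps access logs, audit review and proxy rules readable; if the short path is intentional, a comment above the attribute should say why. The form in `manage_single_user` builds its action with `uri!(r_admin_user_permission())`, so restoring the name needs no other change as far as these hunks show. The handler body is outside the hunk.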
@@ -8,7 +8,7 @@ use crate::{ routes::ui::{account::session::Session, error::MyError, CacheControlFile}, }; use anyhow::{anyhow, Context}; -use jellybase::AssetLocationExt; +use jellybase::{AssetLocationExt, permission::NodePermissionExt}; use jellycommon::AssetLocation; use log::info; use rocket::{get, http::ContentType, FromFormField, State, UriDisplayQuery}; @@ -25,7 +25,7 @@ pub enum AssetRole { #[get("/n/<id>/asset?<role>&<width>")] pub async fn r_item_assets( - _sess: Session, + session: Session, db: &State<Database>, id: &str, role: AssetRole, @@ -34,13 +34,14 @@ pub async fn r_item_assets( let node = db .node .get(&id.to_string())? + .only_if_permitted(&session.user.permissions) .ok_or(anyhow!("node does not exist"))?; let mut asset = match role { AssetRole::Backdrop => node.private.backdrop, AssetRole::Poster => node.private.poster, }; if let None = asset { - if let Some(parent) = &node.public.parent { + if let Some(parent) = &node.public.path.last() { let parent = db.node.get(parent)?.ok_or(anyhow!("node does not exist"))?; asset = match role { AssetRole::Backdrop => parent.private.backdrop, diff --git a/server/src/routes/ui/node.rs b/server/src/routes/ui/node.rs index 1a906f1..b72ec11 100644 --- a/server/src/routes/ui/node.rs +++ b/server/src/routes/ui/node.rs @@ -22,6 +22,7 @@ use crate::{ uri, }; use anyhow::{anyhow, Context}; +use jellybase::permission::NodePermissionExt; use jellycommon::{MediaInfo, NodeKind, NodePublic, Rating, SourceTrackKind}; use rocket::{get, serde::json::Json, Either, State}; @@ -39,11 +40,11 @@ pub async fn r_library_node_filter<'a>( aj: AcceptJson, filter: NodeFilterSort, ) -> Result<Either<DynLayoutPage<'a>, Json<NodePublic>>, MyError> { - drop(session); let node = db .node .get(&id.to_string()) .context("retrieving library node")? + .only_if_permitted(&session.user.permissions) .ok_or(anyhow!("node does not exist"))? .public; 
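Review bot: The parent fallback in `r_item_assets` still loads the parent with `db.node.get(parent)?.ok_or(...)` and no permission filter, so a session permitted on the child but not on the parent can still be served the parent's poster or backdrop. Apply the same check there, e.g. `let parent = db.node.get(parent)?.only_if_permitted(&session.user.permissions).ok_or(anyhow!("node does not exist"))?;`. If a missing image is preferable to an error for a denied parent, skip the fallback in that case instead of returning `Err`. The function body continues past the end of the hunk.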
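Review bot: The lookup chain in `r_library_node_filter` would benefit from a comment stating that a node the session may not see is deliberately reported with the same "node does not exist" error as a missing one, assuming `only_if_permitted` turns a denied node into `None` as the chain suggests. Something like `// Denied and missing nodes share one error so the response does not reveal which nodes exist.` above `.only_if_permitted(...)` keeps a later refactor from splitting the two cases. The rest of the function is outside the hunk, so any child nodes it loads further down should be checked for the same filter.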
@@ -124,7 +125,7 @@ markup::define! { } @if matches!(node.kind, NodeKind::Collection | NodeKind::Channel) { @if matches!(node.kind, NodeKind::Collection) { - @if let Some(parent) = &node.parent { + @if let Some(parent) = &node.path.last().cloned() { a.dirup[href=uri!(r_library_node(parent))] { "Go up" } } } |
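Review bot: `&node.path.last().cloned()` clones the last path element only to borrow the temporary again; `@if let Some(parent) = node.path.last() {` should bind the same value without the clone, provided `uri!(r_library_node(parent))` accepts the reference. The change also relies on the last element of `path` being the parent rather than the node itself, which is not visible here and deserves a short comment. The template block continues outside the hunk.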