fix: viewer role UI restrictions and route ordering

- Fix /api/upload/ecs-fields endpoint routing (move before parameterized routes)
- Block viewers from creating/updating/deleting patterns (require user or admin)
- Hide API Keys button for viewers in frontend
- Hide delete index icon in History for viewers

Author: TerrifiedBug

backend/app/routers/patterns.py

@@ -7,7 +7,7 @@
 from fastapi import APIRouter, Depends, HTTPException
 from pydantic import BaseModel, Field
 
-from app.routers.auth import require_auth
+from app.routers.auth import require_auth, require_user_or_admin
 from app.services import database
 from app.services.grok_patterns import (
     list_builtin_patterns,
@@ -136,9 +136,9 @@ async def list_patterns(
 @router.post("", status_code=201)
 async def create_pattern(
     data: PatternCreate,
-    user: dict = Depends(require_auth),
+    user: dict = Depends(require_user_or_admin),
 ) -> PatternResponse:
-    """Create a new custom pattern."""
+    """Create a new custom pattern. Requires user or admin role."""
     # Validate the pattern
     if data.type == "grok":
         is_valid, error = validate_grok_pattern(data.pattern)
@@ -246,9 +246,9 @@ async def list_grok_patterns(
 @router.post("/grok", status_code=201)
 async def create_grok_pattern(
     data: GrokPatternCreate,
-    user: dict = Depends(require_auth),
+    user: dict = Depends(require_user_or_admin),
 ) -> GrokPatternResponse:
-    """Create a new custom grok pattern component."""
+    """Create a new custom grok pattern component. Requires user or admin role."""
     # Check if name conflicts with built-in
     builtins = {p["name"] for p in list_builtin_patterns()}
     if data.name in builtins:
@@ -286,9 +286,9 @@ async def create_grok_pattern(
 @router.post("/grok/import", response_model=GrokImportResult)
 async def import_grok_patterns(
     request: GrokImportRequest,
-    user: dict = Depends(require_auth),
+    user: dict = Depends(require_user_or_admin),
 ) -> GrokImportResult:
-    """Import multiple grok patterns from file content.
+    """Import multiple grok patterns from file content. Requires user or admin role.
 
     Parses grok pattern file format (PATTERN_NAME<whitespace>pattern_expression).
     Lines starting with # are comments, blank lines are skipped.
@@ -368,9 +368,9 @@ async def get_grok_pattern(
 async def update_grok_pattern(
     pattern_id: str,
     data: GrokPatternUpdate,
-    user: dict = Depends(require_auth),
+    user: dict = Depends(require_user_or_admin),
 ) -> GrokPatternResponse:
-    """Update a custom grok pattern component."""
+    """Update a custom grok pattern component. Requires user or admin role."""
     existing = database.get_grok_pattern(pattern_id)
     if not existing:
         raise HTTPException(status_code=404, detail="Grok pattern not found")
@@ -396,9 +396,9 @@ async def update_grok_pattern(
 @router.delete("/grok/{pattern_id}", status_code=204)
 async def delete_grok_pattern(
     pattern_id: str,
-    user: dict = Depends(require_auth),
+    user: dict = Depends(require_user_or_admin),
 ) -> None:
-    """Delete a custom grok pattern component."""
+    """Delete a custom grok pattern component. Requires user or admin role."""
     existing = database.get_grok_pattern(pattern_id)
     if not existing:
         raise HTTPException(status_code=404, detail="Grok pattern not found")
@@ -428,9 +428,9 @@ async def get_pattern(
 async def update_pattern(
     pattern_id: str,
     data: PatternUpdate,
-    user: dict = Depends(require_auth),
+    user: dict = Depends(require_user_or_admin),
 ) -> PatternResponse:
-    """Update a custom pattern."""
+    """Update a custom pattern. Requires user or admin role."""
     existing = database.get_pattern(pattern_id)
     if not existing:
         raise HTTPException(status_code=404, detail="Pattern not found")
@@ -466,9 +466,9 @@ async def update_pattern(
 @router.delete("/{pattern_id}", status_code=204)
 async def delete_pattern(
     pattern_id: str,
-    user: dict = Depends(require_auth),
+    user: dict = Depends(require_user_or_admin),
 ) -> None:
-    """Delete a custom pattern."""
+    """Delete a custom pattern. Requires user or admin role."""
     existing = database.get_pattern(pattern_id)
     if not existing:
         raise HTTPException(status_code=404, detail="Pattern not found")

backend/app/routers/upload.py

@@ -248,6 +248,12 @@ async def upload_files(
     )
 
 
+@router.get("/upload/ecs-fields")
+async def list_ecs_fields(user: dict = Depends(require_auth)):
+    """List all available ECS fields for manual selection."""
+    return {"fields": get_all_ecs_fields()}
+
+
 @router.get("/upload/{upload_id}", response_model=UploadResponse)
 async def get_upload(
     upload_id: str,
@@ -418,12 +424,6 @@ async def suggest_ecs_fields(upload_id: str):
     }
 
 
-@router.get("/upload/ecs-fields")
-async def list_ecs_fields(user: dict = Depends(require_auth)):
-    """List all available ECS fields for manual selection."""
-    return {"fields": get_all_ecs_fields()}
-
-
 @router.post("/upload/{upload_id}/reparse")
 async def reparse_upload(
     upload_id: str,

frontend/src/App.tsx

@@ -286,12 +286,14 @@ function App() {
               >
                 Patterns
               </button>
-              <button
-                onClick={() => setShowApiKeys(true)}
-                className="px-4 py-2 text-sm font-medium text-gray-700 dark:text-gray-200 bg-gray-100 dark:bg-gray-700 rounded-md hover:bg-gray-200 dark:hover:bg-gray-600"
-              >
-                API Keys
-              </button>
+              {user?.role !== 'viewer' && (
+                <button
+                  onClick={() => setShowApiKeys(true)}
+                  className="px-4 py-2 text-sm font-medium text-gray-700 dark:text-gray-200 bg-gray-100 dark:bg-gray-700 rounded-md hover:bg-gray-200 dark:hover:bg-gray-600"
+                >
+                  API Keys
+                </button>
+              )}
               <button
                 onClick={() => setShowHistory(true)}
                 className="px-4 py-2 text-sm font-medium text-gray-700 dark:text-gray-200 bg-gray-100 dark:bg-gray-700 rounded-md hover:bg-gray-200 dark:hover:bg-gray-600"

frontend/src/components/History.tsx

@@ -1,5 +1,6 @@
 import React, { useEffect, useState } from 'react';
 import { deleteIndex, downloadFailures, getFailuresDownloadUrl, getAppSettings, getHistory, UploadRecord } from '../api/client';
+import { useAuth } from '../contexts/AuthContext';
 
 interface HistoryProps {
   onClose: () => void;
@@ -41,6 +42,7 @@ function StatusBadge({ status }: { status: UploadRecord['status'] }) {
 }
 
 export function History({ onClose }: HistoryProps) {
+  const { user } = useAuth();
   const [uploads, setUploads] = useState<UploadRecord[]>([]);
   const [loading, setLoading] = useState(true);
   const [error, setError] = useState<string | null>(null);
@@ -52,6 +54,8 @@ export function History({ onClose }: HistoryProps) {
   const [toast, setToast] = useState<{ message: string; type: 'success' | 'error' } | null>(null);
   const [retentionDays, setRetentionDays] = useState<number>(0);
 
+  const canDelete = user?.role !== 'viewer';
+
   const toggleExpand = (id: string) => {
     setExpandedId(expandedId === id ? null : id);
   };
@@ -297,7 +301,7 @@ export function History({ onClose }: HistoryProps) {
                               </svg>
                             </button>
                           )}
-                          {upload.status === 'completed' && upload.index_name && !upload.index_deleted && upload.index_exists !== false && (
+                          {canDelete && upload.status === 'completed' && upload.index_name && !upload.index_deleted && upload.index_exists !== false && (
                             <button
                               onClick={(e) => {
                                 e.stopPropagation();