From b80b9eba189fae7a960629903117b98c28a61fc3 Mon Sep 17 00:00:00 2001 From: Niko Strijbol Date: Tue, 23 Dec 2025 19:37:14 +0100 Subject: [PATCH 1/5] Support Zauth roles --- lib/zout/accounts/accounts.ex | 7 +++++-- lib/zout_web/auth/oauth_strategy.ex | 5 ++++- lib/zout_web/auth/ueberauth_strategy.ex | 5 +++-- 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/lib/zout/accounts/accounts.ex b/lib/zout/accounts/accounts.ex index ee69b6a..9395c52 100644 --- a/lib/zout/accounts/accounts.ex +++ b/lib/zout/accounts/accounts.ex @@ -9,15 +9,18 @@ defmodule Zout.Accounts do def update_or_create!(%Ueberauth.Auth{ uid: id, info: info, - extra: %Ueberauth.Auth.Extra{raw_info: %{admin: admin}} + extra: %Ueberauth.Auth.Extra{raw_info: %{admin: admin, roles: roles}} }) do + + is_zout_admin = admin || Enum.member?(roles, "bestuur") + case Repo.get(User, id) do nil -> %User{id: id} user -> user end |> User.changeset(%{ nickname: info.nickname, - admin: admin + admin: is_zout_admin }) |> Repo.insert_or_update!() end diff --git a/lib/zout_web/auth/oauth_strategy.ex b/lib/zout_web/auth/oauth_strategy.ex index 4640df8..da1efc5 100644 --- a/lib/zout_web/auth/oauth_strategy.ex +++ b/lib/zout_web/auth/oauth_strategy.ex @@ -52,7 +52,10 @@ defmodule ZoutWeb.Auth.OAuthStrategy do end def authorize_url!() do - OAuth2.Client.authorize_url!(client()) + OAuth2.Client.authorize_url!( + client(), + scope: "roles" + ) end def get_token!(params \\ []) do diff --git a/lib/zout_web/auth/ueberauth_strategy.ex b/lib/zout_web/auth/ueberauth_strategy.ex index ee6a836..46bdc34 100644 --- a/lib/zout_web/auth/ueberauth_strategy.ex +++ b/lib/zout_web/auth/ueberauth_strategy.ex @@ -78,7 +78,8 @@ defmodule ZoutWeb.Auth.UeberauthStrategy do raw_info: %{ token: conn.private.zeus_token, user: conn.private.zeus_user, - admin: conn.private.zeus_user["admin"] + admin: conn.private.zeus_user["admin"], + roles: conn.private.zeus_user["roles"] } } end 
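Review bot: The admin decision in the accounts.ex hunk, `is_zout_admin = admin || Enum.member?(roles, "bestuur")`, relies on truthiness, so any value of the `admin` claim other than `nil` or `false` short-circuits the expression and is handed to `User.changeset/2` as the admin value. The type of that claim is not visible here, and the later patches in this series keep the same form as `zauth_admin || has_admin_role`. Because the result is written to the user record on every login, a strict comparison is safer: `is_zout_admin = admin == true or Enum.member?(roles, "bestuur")`. A one-line comment such as `# Zauth admins and members of the "bestuur" role become Zout admins` would document the new privilege rule. The body of `update_or_create!/1` continues outside the hunk.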
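Review bot: In the ueberauth_strategy.ex hunk, `roles: conn.private.zeus_user["roles"]` yields `nil` whenever the Zauth user response carries no "roles" key, presumably the case if the newly requested `roles` scope is not granted. `Zout.Accounts.update_or_create!/1` passes the value straight to `Enum.member?/2` (and to `MapSet.new/1` from PATCH 3/5 on), both of which raise on `nil`. That fails closed, but it turns a missing claim into a crash during login instead of a plain non-admin account. Defaulting at the source keeps the shape stable: `roles: conn.private.zeus_user["roles"] || []`. The enclosing function starts outside the hunk.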
@@ -99,7 +100,7 @@ defmodule ZoutWeb.Auth.UeberauthStrategy do set_errors!(conn, [error("OAuth2", reason)]) {:error, _} -> - set_errors!(conn, [error("OAuth2", "uknown error")]) + set_errors!(conn, [error("OAuth2", "unknown error")]) end end end From b6a2337a2fec40cde5d3f532ac4fb394af041980 Mon Sep 17 00:00:00 2001 From: Niko Strijbol Date: Tue, 23 Dec 2025 19:39:59 +0100 Subject: [PATCH 2/5] Format Maybe I should add git hooks --- lib/zout/accounts/accounts.ex | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/zout/accounts/accounts.ex b/lib/zout/accounts/accounts.ex index 9395c52..84a0855 100644 --- a/lib/zout/accounts/accounts.ex +++ b/lib/zout/accounts/accounts.ex @@ -11,7 +11,6 @@ defmodule Zout.Accounts do info: info, extra: %Ueberauth.Auth.Extra{raw_info: %{admin: admin, roles: roles}} }) do - is_zout_admin = admin || Enum.member?(roles, "bestuur") case Repo.get(User, id) do From ba709128dd9cbac3de1f0b8f7c74bb063a4c69ef Mon Sep 17 00:00:00 2001 From: Niko Strijbol Date: Fri, 26 Dec 2025 10:32:09 +0100 Subject: [PATCH 3/5] Improve role handling --- lib/zout/accounts/accounts.ex | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/lib/zout/accounts/accounts.ex b/lib/zout/accounts/accounts.ex index 84a0855..b459583 100644 --- a/lib/zout/accounts/accounts.ex +++ b/lib/zout/accounts/accounts.ex @@ -9,9 +9,12 @@ defmodule Zout.Accounts do def update_or_create!(%Ueberauth.Auth{ uid: id, info: info, - extra: %Ueberauth.Auth.Extra{raw_info: %{admin: admin, roles: roles}} + extra: %Ueberauth.Auth.Extra{raw_info: %{admin: zauth_admin, roles: roles}} }) do - is_zout_admin = admin || Enum.member?(roles, "bestuur") + user_roles = MapSet.new(roles) + has_admin_role = MapSet.intersection(admin_roles(), user_roles) |> Enum.empty?() + + is_zout_admin = zauth_admin || has_admin_role case Repo.get(User, id) do nil -> %User{id: id} 
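Review bot: In PATCH 3/5 the `has_admin_role` expression is inverted. `MapSet.intersection(admin_roles(), user_roles) |> Enum.empty?()` is true exactly when the user holds none of the admin roles, so at this commit every login without "bestuur" or "zout_admin" is stored with `admin: true`. PATCH 4/5 corrects it by appending `|> Kernel.not()`, but the intermediate commit is unsafe to deploy or to land on during a bisect, so the fix is better squashed into this patch. The intent also reads more directly as `has_admin_role = not MapSet.disjoint?(admin_roles(), user_roles)`, which would replace the pipeline in the accounts.ex hunk of PATCH 4/5 as well. The function body continues outside the hunk.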
@@ -28,4 +31,6 @@ defmodule Zout.Accounts do Get the user with the given ID. """ def get_user(id), do: Repo.get(User, id) + + defp admin_roles(), do: MapSet.new(["bestuur", "zout_admin"]) end From 1e3f7600fe6108e4be45dfe91b8d1de0a508fd0f Mon Sep 17 00:00:00 2001 From: Niko Strijbol Date: Fri, 26 Dec 2025 10:48:39 +0100 Subject: [PATCH 4/5] Fix test and bug --- lib/zout/accounts/accounts.ex | 4 +++- test/zout/users_test.exs | 21 +++++++++++++++++++-- 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/lib/zout/accounts/accounts.ex b/lib/zout/accounts/accounts.ex index b459583..f0cb279 100644 --- a/lib/zout/accounts/accounts.ex +++ b/lib/zout/accounts/accounts.ex @@ -12,7 +12,9 @@ defmodule Zout.Accounts do extra: %Ueberauth.Auth.Extra{raw_info: %{admin: zauth_admin, roles: roles}} }) do user_roles = MapSet.new(roles) - has_admin_role = MapSet.intersection(admin_roles(), user_roles) |> Enum.empty?() + + has_admin_role = + MapSet.intersection(admin_roles(), user_roles) |> Enum.empty?() |> Kernel.not() is_zout_admin = zauth_admin || has_admin_role diff --git a/test/zout/users_test.exs b/test/zout/users_test.exs index c455957..9842be5 100644 --- a/test/zout/users_test.exs +++ b/test/zout/users_test.exs @@ -26,7 +26,7 @@ defmodule Zout.AccountsTest do info: %Ueberauth.Auth.Info{ nickname: "new-user" }, - extra: %Ueberauth.Auth.Extra{raw_info: %{admin: true}} + extra: %Ueberauth.Auth.Extra{raw_info: %{admin: true, roles: []}} } user_count_before = Repo.aggregate(User, :count, :id) 
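Review bot: `admin_roles/0` hard-codes the role names that grant admin, with nothing saying where the names come from or that they are security-relevant, and it rebuilds the set on every call. A documented module attribute makes the privilege mapping easy to find and review: `@admin_roles ~w(bestuur zout_admin)` preceded by `# Zauth roles that grant Zout admin; must match the role names Zauth returns exactly`, with `defp admin_roles(), do: MapSet.new(@admin_roles)` kept as the accessor. If the list is expected to differ per deployment, reading it from application config is the alternative.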
@@ -39,6 +39,23 @@ defmodule Zout.AccountsTest do assert_in_delta user_count_after, user_count_before, 1 end + test "creates admin for zout admin role" do + new_user = %Ueberauth.Auth{ + uid: 694, + info: %Ueberauth.Auth.Info{ + nickname: "new-user-2" + }, + extra: %Ueberauth.Auth.Extra{raw_info: %{admin: false, roles: ["zout_admin"]}} + } + + user_count_before = Repo.aggregate(User, :count, :id) + inserted_user = Accounts.update_or_create!(new_user) + user_count_after = Repo.aggregate(User, :count, :id) + + assert inserted_user.admin + assert_in_delta user_count_after, user_count_before, 1 + end + test "updates existing user" do existing_user = insert(:user, nickname: "before", admin: false) @@ -47,7 +64,7 @@ defmodule Zout.AccountsTest do info: %Ueberauth.Auth.Info{ nickname: "after" }, - extra: %Ueberauth.Auth.Extra{raw_info: %{admin: true}} + extra: %Ueberauth.Auth.Extra{raw_info: %{admin: true, roles: []}} } user_count_before = Repo.aggregate(User, :count, :id) From 8745add7cf9fb7e9a09307161a2fc0f0dd5d7593 Mon Sep 17 00:00:00 2001 From: Niko Strijbol Date: Fri, 26 Dec 2025 10:49:10 +0100 Subject: [PATCH 5/5] Fix deprecation warning --- config/test.exs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/test.exs b/config/test.exs index 949dce3..2aa4601 100644 --- a/config/test.exs +++ b/config/test.exs @@ -24,7 +24,7 @@ config :zout, ZoutWeb.Endpoint, config :zout, Zout.Mailer, adapter: Swoosh.Adapters.Test # Print only warnings and errors during test -config :logger, level: :warn +config :logger, level: :warning # Initialize plugs at runtime for faster test compilation config :phoenix, :plug_init_mode, :runtime
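Review bot: The new test "creates admin for zout admin role" covers only the granting direction, and none of the hunks shown here asserts that a user with `admin: false` and no admin role stays non-admin. That negative case is what guards against a regression that makes everyone admin, and a sketch is below (uid and role name are constructed sample values). Separately, `assert_in_delta user_count_after, user_count_before, 1` also passes when the count did not change at all, so it does not prove a row was inserted; `assert user_count_after == user_count_before + 1` states the expectation exactly.

```elixir
test "does not grant admin without an admin role" do
  auth = %Ueberauth.Auth{
    uid: 695,
    info: %Ueberauth.Auth.Info{nickname: "new-user-3"},
    extra: %Ueberauth.Auth.Extra{raw_info: %{admin: false, roles: ["member"]}}
  }

  refute Accounts.update_or_create!(auth).admin
end
```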