Multi-role members, round detail UI overhaul, dashboard jury progress, and submit bug fix

- Add roles UserRole[] to User model with migration + backfill from existing role column - Update auth JWT/session to propagate roles array with [role] fallback for stale tokens - Update tRPC hasRole() middleware and add userHasRole() helper for inline role checks - Update ~15 router inline checks and ~13 DB queries to use roles array - Add updateRoles admin mutation with SUPER_ADMIN guard and priority-based primary role - Add role switcher UI in admin sidebar and role-nav for multi-role users - Remove redundant stats cards from round detail, add window dates to header banner - Merge Members section into JuryProgressTable with inline cap editor and remove buttons - Reorder round detail assignments tab: Progress > Score Dist > Assignments > Coverage > Jury Group - Make score distribution fill full vertical height, reassignment history always open - Add per-juror progress bars to admin dashboard ActiveRoundPanel for EVALUATION rounds - Fix evaluation submit bug: use isSubmitting state instead of startMutation.isPending Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-24 17:44:55 +01:00
parent 230347005c
commit f3fd9eebee
25 changed files with 963 additions and 714 deletions
--- a/src/server/routers/analytics.ts
+++ b/src/server/routers/analytics.ts
@@ -743,7 +743,7 @@ export const analyticsRouter = router({
              select: { userId: true },
              distinct: ['userId'],
            }).then((rows) => rows.length)
-          : ctx.prisma.user.count({ where: { role: 'JURY_MEMBER', status: 'ACTIVE' } }),
+          : ctx.prisma.user.count({ where: { roles: { has: 'JURY_MEMBER' }, status: 'ACTIVE' } }),
        ctx.prisma.evaluation.count({ where: evalFilter }),
        ctx.prisma.assignment.count({ where: assignmentFilter }),
        ctx.prisma.evaluation.findMany({
--- a/src/server/routers/assignment.ts
+++ b/src/server/routers/assignment.ts
@@ -1,6 +1,6 @@
 import { z } from 'zod'
 import { TRPCError } from '@trpc/server'
-import { router, protectedProcedure, adminProcedure } from '../trpc'
+import { router, protectedProcedure, adminProcedure, userHasRole } from '../trpc'
 import { getUserAvatarUrl } from '../utils/avatar-url'
 import {
  generateAIAssignments,
@@ -114,7 +114,7 @@ export async function reassignAfterCOI(params: {
      ? await prisma.user.findMany({
          where: {
            id: { in: activeRoundJurorIds },
-            role: 'JURY_MEMBER',
+            roles: { has: 'JURY_MEMBER' },
            status: 'ACTIVE',
          },
          select: { id: true, name: true, email: true, maxAssignments: true },
@@ -340,7 +340,7 @@ async function reassignDroppedJurorAssignments(params: {
      ? await prisma.user.findMany({
          where: {
            id: { in: activeRoundJurorIds },
-            role: 'JURY_MEMBER',
+            roles: { has: 'JURY_MEMBER' },
            status: 'ACTIVE',
          },
          select: { id: true, name: true, email: true, maxAssignments: true },
@@ -627,7 +627,7 @@ async function runAIAssignmentJob(jobId: string, roundId: string, userId: string

    const jurors = await prisma.user.findMany({
      where: {
-        role: 'JURY_MEMBER',
+        roles: { has: 'JURY_MEMBER' },
        status: 'ACTIVE',
        ...(scopedJurorIds ? { id: { in: scopedJurorIds } } : {}),
      },
@@ -899,7 +899,7 @@ export const assignmentRouter = router({

      // Verify access
      if (
-        ctx.user.role === 'JURY_MEMBER' &&
+        userHasRole(ctx.user, 'JURY_MEMBER') &&
        assignment.userId !== ctx.user.id
      ) {
        throw new TRPCError({
@@ -1322,7 +1322,7 @@ export const assignmentRouter = router({

      const jurors = await ctx.prisma.user.findMany({
        where: {
-          role: 'JURY_MEMBER',
+          roles: { has: 'JURY_MEMBER' },
          status: 'ACTIVE',
          ...(scopedJurorIds ? { id: { in: scopedJurorIds } } : {}),
        },
@@ -2199,7 +2199,7 @@ export const assignmentRouter = router({
        const ids = roundJurorIds.map((a) => a.userId).filter((id) => id !== input.jurorId)
        candidateJurors = ids.length > 0
          ? await ctx.prisma.user.findMany({
-              where: { id: { in: ids }, role: 'JURY_MEMBER', status: 'ACTIVE' },
+              where: { id: { in: ids }, roles: { has: 'JURY_MEMBER' }, status: 'ACTIVE' },
              select: { id: true, name: true, email: true, maxAssignments: true },
            })
          : []
@@ -2427,7 +2427,7 @@ export const assignmentRouter = router({
          ? await ctx.prisma.user.findMany({
              where: {
                id: { in: activeRoundJurorIds },
-                role: 'JURY_MEMBER',
+                roles: { has: 'JURY_MEMBER' },
                status: 'ACTIVE',
              },
              select: { id: true, name: true, email: true, maxAssignments: true },
@@ -2890,7 +2890,7 @@ export const assignmentRouter = router({
          ? await ctx.prisma.user.findMany({
              where: {
                id: { in: activeRoundJurorIds },
-                role: 'JURY_MEMBER',
+                roles: { has: 'JURY_MEMBER' },
                status: 'ACTIVE',
              },
              select: { id: true, name: true, email: true, maxAssignments: true },
--- a/src/server/routers/dashboard.ts
+++ b/src/server/routers/dashboard.ts
@@ -185,7 +185,7 @@ export const dashboardRouter = router({
        // 9. Total jurors
        ctx.prisma.user.count({
          where: {
-            role: 'JURY_MEMBER',
+            roles: { has: 'JURY_MEMBER' },
            status: { in: ['ACTIVE', 'INVITED', 'NONE'] },
            assignments: { some: { round: { competition: { programId: editionId } } } },
          },
@@ -194,7 +194,7 @@ export const dashboardRouter = router({
        // 10. Active jurors
        ctx.prisma.user.count({
          where: {
-            role: 'JURY_MEMBER',
+            roles: { has: 'JURY_MEMBER' },
            status: 'ACTIVE',
            assignments: { some: { round: { competition: { programId: editionId } } } },
          },
--- a/src/server/routers/evaluation.ts
+++ b/src/server/routers/evaluation.ts
@@ -1,6 +1,6 @@
 import { z } from 'zod'
 import { TRPCError } from '@trpc/server'
-import { router, protectedProcedure, adminProcedure, juryProcedure } from '../trpc'
+import { router, protectedProcedure, adminProcedure, juryProcedure, userHasRole } from '../trpc'
 import { logAudit } from '@/server/utils/audit'
 import { notifyAdmins, NotificationTypes } from '../services/in-app-notification'
 import { reassignAfterCOI } from './assignment'
@@ -20,7 +20,7 @@ export const evaluationRouter = router({
      })

      if (
-        ctx.user.role === 'JURY_MEMBER' &&
+        userHasRole(ctx.user, 'JURY_MEMBER') &&
        assignment.userId !== ctx.user.id
      ) {
        throw new TRPCError({ code: 'FORBIDDEN' })
--- a/src/server/routers/project.ts
+++ b/src/server/routers/project.ts
@@ -2,7 +2,7 @@ import crypto from 'crypto'
 import { z } from 'zod'
 import { TRPCError } from '@trpc/server'
 import { Prisma } from '@prisma/client'
-import { router, protectedProcedure, adminProcedure } from '../trpc'
+import { router, protectedProcedure, adminProcedure, userHasRole } from '../trpc'
 import { getUserAvatarUrl } from '../utils/avatar-url'
 import {
  notifyProjectTeam,
@@ -133,7 +133,7 @@ export const projectRouter = router({
      }

      // Jury members can only see assigned projects
-      if (ctx.user.role === 'JURY_MEMBER') {
+      if (userHasRole(ctx.user, 'JURY_MEMBER')) {
        where.assignments = {
          ...((where.assignments as Record<string, unknown>) || {}),
          some: { userId: ctx.user.id },
@@ -428,7 +428,7 @@ export const projectRouter = router({
      }

      // Check access for jury members
-      if (ctx.user.role === 'JURY_MEMBER') {
+      if (userHasRole(ctx.user, 'JURY_MEMBER')) {
        const assignment = await ctx.prisma.assignment.findFirst({
          where: {
            projectId: input.id,
--- a/src/server/routers/user.ts
+++ b/src/server/routers/user.ts
@@ -2,6 +2,7 @@ import crypto from 'crypto'
 import { z } from 'zod'
 import { TRPCError } from '@trpc/server'
 import type { Prisma } from '@prisma/client'
+import { UserRole } from '@prisma/client'
 import { router, protectedProcedure, adminProcedure, superAdminProcedure, publicProcedure } from '../trpc'
 import { sendInvitationEmail, sendMagicLinkEmail } from '@/lib/email'
 import { hashPassword, validatePassword } from '@/lib/password'
@@ -275,6 +276,7 @@ export const userRouter = router({
            email: true,
            name: true,
            role: true,
+            roles: true,
            status: true,
            expertiseTags: true,
            maxAssignments: true,
@@ -929,7 +931,7 @@ export const userRouter = router({
    )
    .query(async ({ ctx, input }) => {
      const where: Record<string, unknown> = {
-        role: 'JURY_MEMBER',
+        roles: { has: 'JURY_MEMBER' },
        status: 'ACTIVE',
      }

@@ -1525,4 +1527,29 @@ export const userRouter = router({
      globalDigestSections: digestSections?.value ? JSON.parse(digestSections.value) : [],
    }
  }),
+
+  /**
+   * Update a user's roles array (admin only)
+   * Also updates the primary role to the highest privilege role in the array.
+   */
+  updateRoles: adminProcedure
+    .input(z.object({
+      userId: z.string(),
+      roles: z.array(z.nativeEnum(UserRole)).min(1),
+    }))
+    .mutation(async ({ ctx, input }) => {
+      // Guard: only SUPER_ADMIN can grant SUPER_ADMIN
+      if (input.roles.includes('SUPER_ADMIN') && ctx.user.role !== 'SUPER_ADMIN') {
+        throw new TRPCError({ code: 'FORBIDDEN', message: 'Only super admins can grant super admin role' })
+      }
+
+      // Set primary role to highest privilege role
+      const rolePriority: UserRole[] = ['SUPER_ADMIN', 'PROGRAM_ADMIN', 'JURY_MEMBER', 'MENTOR', 'OBSERVER', 'AWARD_MASTER', 'APPLICANT', 'AUDIENCE']
+      const primaryRole = rolePriority.find(r => input.roles.includes(r)) || input.roles[0]
+
+      return ctx.prisma.user.update({
+        where: { id: input.userId },
+        data: { roles: input.roles, role: primaryRole },
+      })
+    }),
 })
--- a/src/server/services/mentor-matching.ts
+++ b/src/server/services/mentor-matching.ts
@@ -229,7 +229,7 @@ export async function getAIMentorSuggestionsBatch(
    where: {
      OR: [
        { expertiseTags: { isEmpty: false } },
-        { role: 'JURY_MEMBER' },
+        { roles: { has: 'JURY_MEMBER' } },
      ],
      status: 'ACTIVE',
    },
@@ -455,7 +455,7 @@ export async function getRoundRobinMentor(
    where: {
      OR: [
        { expertiseTags: { isEmpty: false } },
-        { role: 'JURY_MEMBER' },
+        { roles: { has: 'JURY_MEMBER' } },
      ],
      status: 'ACTIVE',
      id: { notIn: excludeMentorIds },
--- a/src/server/trpc.ts
+++ b/src/server/trpc.ts
@@ -52,6 +52,15 @@ const isAuthenticated = middleware(async ({ ctx, next }) => {
  })
 })

+/**
+ * Helper to check if a user has any of the specified roles.
+ * Checks the roles array first, falls back to [role] for stale JWT tokens.
+ */
+export function userHasRole(user: { role: UserRole; roles?: UserRole[] }, ...checkRoles: UserRole[]): boolean {
+  const userRoles = user.roles?.length ? user.roles : [user.role]
+  return checkRoles.some(r => userRoles.includes(r))
+}
+
 /**
 * Middleware to require specific role(s)
 */
@@ -64,7 +73,12 @@ const hasRole = (...roles: UserRole[]) =>
      })
    }

-    if (!roles.includes(ctx.session.user.role)) {
+    // Use roles array, fallback to [role] for stale JWT tokens
+    const userRoles = ctx.session.user.roles?.length
+      ? ctx.session.user.roles
+      : [ctx.session.user.role]
+
+    if (!roles.some(r => userRoles.includes(r))) {
      throw new TRPCError({
        code: 'FORBIDDEN',
        message: 'You do not have permission to perform this action',