From 9ff5eeb3673d89c8e745283d1dba2143f7248edf Mon Sep 17 00:00:00 2001
From: zurdi <zurdizurdo25@gmail.com>
Date: Thu, 4 Jul 2024 21:19:20 +0200
Subject: [PATCH 01/12] modified update user endpoint to allow own edition

---
 backend/endpoints/user.py | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/backend/endpoints/user.py b/backend/endpoints/user.py
index 4abfd83df..6a89246ad 100644
--- a/backend/endpoints/user.py
+++ b/backend/endpoints/user.py
@@ -89,7 +89,7 @@ def get_user(request: Request, id: int) -> UserSchema:
     return user
 
 
-@protected_route(router.put, "/users/{id}", ["users.write"])
+@protected_route(router.put, "/users/{id}")
 def update_user(
     request: Request, id: int, form_data: Annotated[UserForm, Depends()]
 ) -> UserSchema:
@@ -108,17 +108,23 @@ def update_user(
         UserSchema: Updated user info
     """
 
-    user = db_user_handler.get_user(id)
-    if not user:
-        raise HTTPException(status_code=404, detail="User not found")
+    db_user = db_user_handler.get_user(id)
+    if not db_user:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND, detail="User not found"
+        )
+
+    if not db_user.id == request.user.id:
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Forbidden")
 
     cleaned_data = {}
 
-    if form_data.username and form_data.username != user.username:
+    if form_data.username and form_data.username != db_user.username:
         existing_user = db_user_handler.get_user_by_username(form_data.username.lower())
         if existing_user:
             raise HTTPException(
-                status_code=400, detail="Username already in use by another user"
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Username already in use by another user",
             )
 
         cleaned_data["username"] = form_data.username.lower()
@@ -137,7 +143,7 @@ def update_user(
         cleaned_data["enabled"] = form_data.enabled  # type: ignore[assignment]
 
     if form_data.avatar is not None:
-        user_avatar_path = fs_asset_handler.build_avatar_path(user=user)
+        user_avatar_path = fs_asset_handler.build_avatar_path(user=db_user)
         file_location = f"{user_avatar_path}/{form_data.avatar.filename}"
         cleaned_data["avatar_path"] = file_location
         Path(f"{ASSETS_BASE_PATH}/{user_avatar_path}").mkdir(

From ca5210a71631248aac01c38f43f46b96217e83b8 Mon Sep 17 00:00:00 2001
From: zurdi <zurdizurdo25@gmail.com>
Date: Thu, 4 Jul 2024 22:11:32 +0200
Subject: [PATCH 02/12] added new profile option in the settings drawer

---
 .../src/components/common/Navigation/SettingsDrawer.vue     | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/frontend/src/components/common/Navigation/SettingsDrawer.vue b/frontend/src/components/common/Navigation/SettingsDrawer.vue
index b0bac4978..067e78e04 100644
--- a/frontend/src/components/common/Navigation/SettingsDrawer.vue
+++ b/frontend/src/components/common/Navigation/SettingsDrawer.vue
@@ -1,4 +1,5 @@
 <script setup lang="ts">
+import type { UserSchema } from "@/__generated__";
 import identityApi from "@/services/api/identity";
 import storeAuth from "@/stores/auth";
 import storeNavigation from "@/stores/navigation";
@@ -60,6 +61,11 @@ async function logout() {
       </v-list-item>
     </v-list>
     <v-list rounded="0" class="pa-0">
+      <v-list-item
+        @click="emitter?.emit('showEditUserDialog', auth.user as UserSchema)"
+        append-icon="mdi-account"
+        >Profile</v-list-item
+      >
       <v-list-item :to="{ name: 'settings' }" append-icon="mdi-palette"
         >UI Settings</v-list-item
       >

From bc99663fe6c97ec876b61f2bf5329b3c1dfa313f Mon Sep 17 00:00:00 2001
From: zurdi <zurdizurdo25@gmail.com>
Date: Thu, 4 Jul 2024 22:26:35 +0200
Subject: [PATCH 03/12] fixed tests

---
 backend/handler/auth/base_handler.py    |  5 +++--
 backend/handler/auth/tests/test_auth.py | 18 +-----------------
 2 files changed, 4 insertions(+), 19 deletions(-)

diff --git a/backend/handler/auth/base_handler.py b/backend/handler/auth/base_handler.py
index 78b9d2ad9..79bb7ae5e 100644
--- a/backend/handler/auth/base_handler.py
+++ b/backend/handler/auth/base_handler.py
@@ -86,14 +86,15 @@ async def get_current_active_user_from_session(self, conn: HTTPConnection):
 
             raise HTTPException(
                 status_code=status.HTTP_403_FORBIDDEN,
-                detail=f"User {user} not found",
+                detail=f"User not found",
             )
 
         if not user.enabled:
             conn.session.clear()
 
             raise HTTPException(
-                status_code=status.HTTP_403_FORBIDDEN, detail=f"Inactive user {user}"
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail=f"Inactive user {user.username}",
             )
 
         return user
diff --git a/backend/handler/auth/tests/test_auth.py b/backend/handler/auth/tests/test_auth.py
index e4dfc872b..9de47ec02 100644
--- a/backend/handler/auth/tests/test_auth.py
+++ b/backend/handler/auth/tests/test_auth.py
@@ -66,23 +66,7 @@ def __init__(self):
         await auth_handler.get_current_active_user_from_session(conn)
     except HTTPException as e:
         assert e.status_code == 403
-        assert e.detail == "Inactive user"
-
-
-def test_create_default_admin_user():
-    auth_handler.create_default_admin_user()
-
-    user = db_user_handler.get_user_by_username("test_admin")
-    assert user.username == "test_admin"
-    assert auth_handler.verify_password("test_admin_password", user.hashed_password)
-
-    users = db_user_handler.get_users()
-    assert len(users) == 1
-
-    auth_handler.create_default_admin_user()
-
-    users = db_user_handler.get_users()
-    assert len(users) == 1
+        assert e.detail == "Inactive user test_editor"
 
 
 async def test_hybrid_auth_backend_session(editor_user: User):

From 46ce99b2e61d906eeffbdf547de57fc2914b0783 Mon Sep 17 00:00:00 2001
From: Zurdi <zurdizurdo25@gmail.com>
Date: Thu, 4 Jul 2024 23:11:07 +0200
Subject: [PATCH 04/12] fixed stats and user handler

---
 backend/handler/database/stats_handler.py |  4 +++-
 backend/handler/database/users_handler.py |  9 ++++++++-
 frontend/src/views/Home.vue               |  2 +-
 frontend/src/views/Setup.vue              | 10 +++++-----
 4 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/backend/handler/database/stats_handler.py b/backend/handler/database/stats_handler.py
index b04e71ead..c526456f1 100644
--- a/backend/handler/database/stats_handler.py
+++ b/backend/handler/database/stats_handler.py
@@ -34,4 +34,6 @@ def get_screenshots_count(self, session: Session = None) -> int:
     @begin_session
     def get_total_filesize(self, session: Session = None) -> int:
         """Get the total filesize of all roms in the database, in bytes."""
-        return session.scalar(select(func.sum(Rom.file_size_bytes)).select_from(Rom))
+        return (
+            session.scalar(select(func.sum(Rom.file_size_bytes)).select_from(Rom)) or 0
+        )
diff --git a/backend/handler/database/users_handler.py b/backend/handler/database/users_handler.py
index f0a6eafa4..bfe58d37f 100644
--- a/backend/handler/database/users_handler.py
+++ b/backend/handler/database/users_handler.py
@@ -1,6 +1,7 @@
 from decorators.database import begin_session
 from models.user import Role, User
 from sqlalchemy import delete, select, update
+from sqlalchemy.exc import ProgrammingError
 from sqlalchemy.orm import Session
 
 from .base_handler import DBBaseHandler
@@ -42,4 +43,10 @@ def delete_user(self, id: int, session: Session = None):
 
     @begin_session
     def get_admin_users(self, session: Session = None) -> list[User]:
-        return session.scalars(select(User).filter_by(role=Role.ADMIN)).all()
+        try:
+            return session.scalars(select(User).filter_by(role=Role.ADMIN)).all()
+        except ProgrammingError as e:
+            if "Table" in str(e.orig) and "doesn't exist" in str(e.orig):
+                return []
+            else:
+                raise ProgrammingError from e
diff --git a/frontend/src/views/Home.vue b/frontend/src/views/Home.vue
index e6755a2f8..ff7475527 100644
--- a/frontend/src/views/Home.vue
+++ b/frontend/src/views/Home.vue
@@ -54,7 +54,6 @@ emitter?.on("refreshDrawer", async () => {
 
 // Functions
 onBeforeMount(async () => {
-  navigationStore.resetDrawers();
   await platformApi
     .getPlatforms()
     .then(({ data: platforms }) => {
@@ -79,6 +78,7 @@ onBeforeMount(async () => {
     .catch((error) => {
       console.error(error);
     });
+  navigationStore.resetDrawers();
 });
 </script>
 
diff --git a/frontend/src/views/Setup.vue b/frontend/src/views/Setup.vue
index 73a3d66d6..6ff50a901 100644
--- a/frontend/src/views/Setup.vue
+++ b/frontend/src/views/Setup.vue
@@ -4,6 +4,7 @@ import userApi from "@/services/api/user";
 import storeHeartbeat from "@/stores/heartbeat";
 import type { Events } from "@/types/emitter";
 import type { Emitter } from "mitt";
+import { useRoute } from "vue-router";
 import { computed, inject, ref } from "vue";
 import { useDisplay } from "vuetify";
 
@@ -11,6 +12,7 @@ import { useDisplay } from "vuetify";
 const { xs, smAndDown } = useDisplay();
 const emitter = inject<Emitter<Events>>("emitter");
 const heartbeat = storeHeartbeat();
+const route = useRoute()
 const visiblePassword = ref(false);
 // Use a computed property to reactively update metadataOptions based on heartbeat
 const metadataOptions = computed(() => [
@@ -71,7 +73,7 @@ async function finishWizard() {
   <span id="bg" />
 
   <v-container class="fill-height justify-center">
-    <v-card class="translucent-dark px-6" elevation="0">
+    <v-card class="translucent-dark px-3" elevation="0">
       <v-img src="/assets/isotipo.svg" class="mx-auto mt-4" width="70" />
       <v-stepper
         :mobile="smAndDown"
@@ -84,7 +86,7 @@ async function finishWizard() {
         <template v-slot:default="{ prev, next }">
           <v-stepper-header>
             <v-stepper-item
-              title="Create admin user"
+              title="Create an admin user"
               :value="1"
             ></v-stepper-item>
 
@@ -106,7 +108,7 @@ async function finishWizard() {
                 <v-col>
                   <v-row v-if="smAndDown" no-gutters class="text-center mb-6">
                     <v-col>
-                      <span>Create admin user</span>
+                      <span>Create an admin user</span>
                     </v-col>
                   </v-row>
                   <v-row class="text-white justify-center mt-3" no-gutters>
@@ -119,7 +121,6 @@ async function finishWizard() {
                           type="text"
                           label="Username"
                           variant="underlined"
-                          @keyup.enter=""
                         />
                         <v-text-field
                           v-model="defaultAdminUser.password"
@@ -131,7 +132,6 @@ async function finishWizard() {
                           :append-inner-icon="
                             visiblePassword ? 'mdi-eye-off' : 'mdi-eye'
                           "
-                          @keyup.enter=""
                           @click:append-inner="
                             visiblePassword = !visiblePassword
                           "

From bab71b00c280fec4e9c4c74a3ebc022b9e2c0877 Mon Sep 17 00:00:00 2001
From: zurdi <zurdizurdo25@gmail.com>
Date: Thu, 4 Jul 2024 23:45:44 +0200
Subject: [PATCH 05/12] fixes from trunk

---
 backend/handler/auth/base_handler.py | 4 +---
 backend/main.py                      | 2 --
 frontend/src/services/api/index.ts   | 2 +-
 3 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/backend/handler/auth/base_handler.py b/backend/handler/auth/base_handler.py
index 79bb7ae5e..60999e5ca 100644
--- a/backend/handler/auth/base_handler.py
+++ b/backend/handler/auth/base_handler.py
@@ -1,15 +1,13 @@
 from datetime import datetime, timedelta
 from typing import Final
 
-from config import ROMM_AUTH_PASSWORD, ROMM_AUTH_SECRET_KEY, ROMM_AUTH_USERNAME
+from config import ROMM_AUTH_SECRET_KEY
 from exceptions.auth_exceptions import OAuthCredentialsException
 from fastapi import HTTPException, status
 from joserfc import jwt
 from joserfc.errors import BadSignatureError
 from joserfc.jwk import OctKey
-from logger.logger import log
 from passlib.context import CryptContext
-from sqlalchemy.exc import IntegrityError
 from starlette.requests import HTTPConnection
 
 ALGORITHM: Final = "HS256"
diff --git a/backend/main.py b/backend/main.py
index aac9f1aae..c1aac2d95 100644
--- a/backend/main.py
+++ b/backend/main.py
@@ -25,11 +25,9 @@
 )
 from fastapi import FastAPI
 from fastapi.middleware.cors import CORSMiddleware
-from handler.auth import auth_handler
 from handler.auth.base_handler import ALGORITHM
 from handler.auth.hybrid_auth import HybridAuthBackend
 from handler.auth.middleware import CustomCSRFMiddleware, SessionMiddleware
-from handler.database import db_user_handler
 from handler.socket_handler import socket_handler
 from starlette.middleware.authentication import AuthenticationMiddleware
 from utils import get_version
diff --git a/frontend/src/services/api/index.ts b/frontend/src/services/api/index.ts
index 27741a99d..33adc1a67 100644
--- a/frontend/src/services/api/index.ts
+++ b/frontend/src/services/api/index.ts
@@ -39,7 +39,7 @@ api.interceptors.response.use(
   (error) => {
     if (error.response?.status === 403) {
       const allCookies = Cookies.get(); // Get all cookies
-      for (let cookie in allCookies) {
+      for (const cookie in allCookies) {
         Cookies.remove(cookie); // Remove each cookie
       }
       router.push({

From eda1c9486860ecf5a9989fe29c07e772ff2185a0 Mon Sep 17 00:00:00 2001
From: Zurdi <zurdizurdo25@gmail.com>
Date: Fri, 5 Jul 2024 19:16:47 +0200
Subject: [PATCH 06/12] fixed user endpoint tests

---
 backend/endpoints/user.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/endpoints/user.py b/backend/endpoints/user.py
index 6a89246ad..557896771 100644
--- a/backend/endpoints/user.py
+++ b/backend/endpoints/user.py
@@ -114,7 +114,7 @@ def update_user(
             status_code=status.HTTP_404_NOT_FOUND, detail="User not found"
         )
 
-    if not db_user.id == request.user.id:
+    if not db_user.id == request.user.id and request.user.role != Role.ADMIN:
         raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Forbidden")
 
     cleaned_data = {}

From 9ca60f28e6e4cf91e65a4f4bcbb849b00e974903 Mon Sep 17 00:00:00 2001
From: zurdi <zurdizurdo25@gmail.com>
Date: Fri, 5 Jul 2024 00:04:14 +0200
Subject: [PATCH 07/12] fixed add to collection for non-admin users

---
 frontend/src/components/Details/ActionBar.vue |  8 +-
 .../src/components/common/Game/AdminMenu.vue  | 82 ++++++++++---------
 .../components/common/Game/Card/ActionBar.vue |  3 -
 frontend/src/components/common/Game/Table.vue |  8 +-
 4 files changed, 46 insertions(+), 55 deletions(-)

diff --git a/frontend/src/components/Details/ActionBar.vue b/frontend/src/components/Details/ActionBar.vue
index f210dcf08..5c9140919 100644
--- a/frontend/src/components/Details/ActionBar.vue
+++ b/frontend/src/components/Details/ActionBar.vue
@@ -1,7 +1,6 @@
 <script setup lang="ts">
 import AdminMenu from "@/components/common/Game/AdminMenu.vue";
 import romApi from "@/services/api/rom";
-import storeAuth from "@/stores/auth";
 import storeDownload from "@/stores/download";
 import type { DetailedRom } from "@/stores/roms";
 import type { Events } from "@/types/emitter";
@@ -13,7 +12,6 @@ import { inject, ref } from "vue";
 const props = defineProps<{ rom: DetailedRom }>();
 const downloadStore = storeDownload();
 const emitter = inject<Emitter<Events>>("emitter");
-const auth = storeAuth();
 const playInfoIcon = ref("mdi-play");
 const emulationSupported = isEmulationSupported(props.rom.platform_slug);
 
@@ -88,11 +86,7 @@ async function copyDownloadLink(rom: DetailedRom) {
     </v-btn>
     <v-menu location="bottom">
       <template #activator="{ props: menuProps }">
-        <v-btn
-          v-if="auth.scopes.includes('roms.write')"
-          class="flex-grow-1"
-          v-bind="menuProps"
-        >
+        <v-btn class="flex-grow-1" v-bind="menuProps">
           <v-icon icon="mdi-dots-vertical" size="large" />
         </v-btn>
       </template>
diff --git a/frontend/src/components/common/Game/AdminMenu.vue b/frontend/src/components/common/Game/AdminMenu.vue
index d1d86efc9..f9c2e160d 100644
--- a/frontend/src/components/common/Game/AdminMenu.vue
+++ b/frontend/src/components/common/Game/AdminMenu.vue
@@ -1,42 +1,46 @@
 <script setup lang="ts">
-import { inject } from "vue";
-import type { Emitter } from "mitt";
-import type { Events } from "@/types/emitter";
-import type { SimpleRom } from "@/stores/roms";
+import storeAuth from "@/stores/auth";
 import storeHeartbeat from "@/stores/heartbeat";
+import type { SimpleRom } from "@/stores/roms";
+import type { Events } from "@/types/emitter";
+import type { Emitter } from "mitt";
+import { inject } from "vue";
 
 defineProps<{ rom: SimpleRom }>();
 const emitter = inject<Emitter<Events>>("emitter");
 const heartbeat = storeHeartbeat();
+const auth = storeAuth();
 </script>
 
 <template>
   <v-list rounded="0" class="pa-0">
-    <v-list-item
-      :disabled="!heartbeat.value.ANY_SOURCE_ENABLED"
-      class="py-4 pr-5"
-      @click="emitter?.emit('showMatchRomDialog', rom)"
-    >
-      <v-list-item-title class="d-flex">
-        <v-icon icon="mdi-search-web" class="mr-2" />Manual match
-      </v-list-item-title>
-      <v-list-item-subtitle>
-        {{
-          !heartbeat.value.ANY_SOURCE_ENABLED
-            ? "No metadata source enabled"
-            : ""
-        }}
-      </v-list-item-subtitle>
-    </v-list-item>
-    <v-list-item
-      class="py-4 pr-5"
-      @click="emitter?.emit('showEditRomDialog', { ...rom })"
-    >
-      <v-list-item-title class="d-flex">
-        <v-icon icon="mdi-pencil-box" class="mr-2" />Edit
-      </v-list-item-title>
-    </v-list-item>
-    <v-divider />
+    <template v-if="auth.scopes.includes('roms.write')">
+      <v-list-item
+        :disabled="!heartbeat.value.ANY_SOURCE_ENABLED"
+        class="py-4 pr-5"
+        @click="emitter?.emit('showMatchRomDialog', rom)"
+      >
+        <v-list-item-title class="d-flex">
+          <v-icon icon="mdi-search-web" class="mr-2" />Manual match
+        </v-list-item-title>
+        <v-list-item-subtitle>
+          {{
+            !heartbeat.value.ANY_SOURCE_ENABLED
+              ? "No metadata source enabled"
+              : ""
+          }}
+        </v-list-item-subtitle>
+      </v-list-item>
+      <v-list-item
+        class="py-4 pr-5"
+        @click="emitter?.emit('showEditRomDialog', { ...rom })"
+      >
+        <v-list-item-title class="d-flex">
+          <v-icon icon="mdi-pencil-box" class="mr-2" />Edit
+        </v-list-item-title>
+      </v-list-item>
+      <v-divider />
+    </template>
     <v-list-item
       class="py-4 pr-5"
       @click="emitter?.emit('showAddToCollectionDialog', [{ ...rom }])"
@@ -46,14 +50,16 @@ const heartbeat = storeHeartbeat();
         collection
       </v-list-item-title>
     </v-list-item>
-    <v-divider />
-    <v-list-item
-      class="py-4 pr-5 text-romm-red"
-      @click="emitter?.emit('showDeleteRomDialog', [rom])"
-    >
-      <v-list-item-title class="d-flex">
-        <v-icon icon="mdi-delete" class="mr-2" />Delete
-      </v-list-item-title>
-    </v-list-item>
+    <template v-if="auth.scopes.includes('roms.write')">
+      <v-divider />
+      <v-list-item
+        class="py-4 pr-5 text-romm-red"
+        @click="emitter?.emit('showDeleteRomDialog', [rom])"
+      >
+        <v-list-item-title class="d-flex">
+          <v-icon icon="mdi-delete" class="mr-2" />Delete
+        </v-list-item-title>
+      </v-list-item>
+    </template>
   </v-list>
 </template>
diff --git a/frontend/src/components/common/Game/Card/ActionBar.vue b/frontend/src/components/common/Game/Card/ActionBar.vue
index c3b8e9720..618f54621 100644
--- a/frontend/src/components/common/Game/Card/ActionBar.vue
+++ b/frontend/src/components/common/Game/Card/ActionBar.vue
@@ -1,14 +1,12 @@
 <script setup lang="ts">
 import AdminMenu from "@/components/common/Game/AdminMenu.vue";
 import romApi from "@/services/api/rom";
-import storeAuth from "@/stores/auth";
 import storeDownload from "@/stores/download";
 import type { SimpleRom } from "@/stores/roms";
 import { isEmulationSupported } from "@/utils";
 
 // Props
 defineProps<{ rom: SimpleRom }>();
-const auth = storeAuth();
 const downloadStore = storeDownload();
 </script>
 
@@ -44,7 +42,6 @@ const downloadStore = storeDownload();
     <v-menu location="bottom">
       <template #activator="{ props }">
         <v-btn
-          v-if="auth.scopes.includes('roms.write')"
           class="action-bar-btn-small"
           size="x-small"
           v-bind="props"
diff --git a/frontend/src/components/common/Game/Table.vue b/frontend/src/components/common/Game/Table.vue
index bcb98c33f..b0529dcd3 100644
--- a/frontend/src/components/common/Game/Table.vue
+++ b/frontend/src/components/common/Game/Table.vue
@@ -2,7 +2,6 @@
 import AdminMenu from "@/components/common/Game/AdminMenu.vue";
 import RAvatar from "@/components/common/Game/RAvatar.vue";
 import romApi from "@/services/api/rom";
-import storeAuth from "@/stores/auth";
 import storeDownload from "@/stores/download";
 import storeRoms, { type SimpleRom } from "@/stores/roms";
 import type { Events } from "@/types/emitter";
@@ -30,7 +29,6 @@ const router = useRouter();
 const route = useRoute();
 const downloadStore = storeDownload();
 const romsStore = storeRoms();
-const auth = storeAuth();
 const page = ref(parseInt(window.location.hash.slice(1)) || 1);
 const storedRomsPerPage = parseInt(localStorage.getItem("romsPerPage") ?? "");
 const itemsPerPage = ref(isNaN(storedRomsPerPage) ? 25 : storedRomsPerPage);
@@ -181,11 +179,7 @@ onMounted(() => {
         </v-btn>
         <v-menu location="bottom">
           <template #activator="{ props }">
-            <v-btn
-              v-if="auth.scopes.includes('roms.write')"
-              v-bind="props"
-              size="small"
-            >
+            <v-btn v-bind="props" size="small">
               <v-icon>mdi-dots-vertical</v-icon>
             </v-btn>
           </template>

From 533555ef9d567c6a45fc3494526b7474a3287648 Mon Sep 17 00:00:00 2001
From: zurdi <zurdizurdo25@gmail.com>
Date: Fri, 5 Jul 2024 09:34:29 +0200
Subject: [PATCH 08/12] fixed edit collection permission for non-admin user

---
 frontend/src/components/Gallery/AppBar/Collection/Base.vue | 2 +-
 frontend/src/components/common/Game/AdminMenu.vue          | 1 +
 frontend/src/views/Play/Base.vue                           | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/frontend/src/components/Gallery/AppBar/Collection/Base.vue b/frontend/src/components/Gallery/AppBar/Collection/Base.vue
index 6af920b9a..584696d13 100644
--- a/frontend/src/components/Gallery/AppBar/Collection/Base.vue
+++ b/frontend/src/components/Gallery/AppBar/Collection/Base.vue
@@ -21,7 +21,7 @@ const auth = storeAuth();
     <v-menu location="bottom">
       <template #activator="{ props }">
         <v-btn
-          v-if="auth.scopes.includes('roms.write')"
+          v-if="auth.scopes.includes('collections.write')"
           v-bind="props"
           rounded="0"
           variant="text"
diff --git a/frontend/src/components/common/Game/AdminMenu.vue b/frontend/src/components/common/Game/AdminMenu.vue
index f9c2e160d..bc1dca9bd 100644
--- a/frontend/src/components/common/Game/AdminMenu.vue
+++ b/frontend/src/components/common/Game/AdminMenu.vue
@@ -42,6 +42,7 @@ const auth = storeAuth();
       <v-divider />
     </template>
     <v-list-item
+      v-if="auth.scopes.includes('collections.write')"
       class="py-4 pr-5"
       @click="emitter?.emit('showAddToCollectionDialog', [{ ...rom }])"
     >
diff --git a/frontend/src/views/Play/Base.vue b/frontend/src/views/Play/Base.vue
index e1decaa3e..ac27b39d3 100644
--- a/frontend/src/views/Play/Base.vue
+++ b/frontend/src/views/Play/Base.vue
@@ -81,7 +81,7 @@ onMounted(async () => {
       :md="!gameRunning ? 8 : 4"
       :xl="!gameRunning ? 6 : 2"
     >
-      <v-row class="px-3" no-gutters>
+      <v-row class="px-3 mt-6" no-gutters>
         <v-col>
           <v-img
             class="mx-auto"

From 2962441ec665b2c5902986a70cbb222914006767 Mon Sep 17 00:00:00 2001
From: Zurdi <34356590+zurdi15@users.noreply.github.com>
Date: Fri, 5 Jul 2024 20:31:27 +0200
Subject: [PATCH 09/12] Update frontend/src/stores/users.ts

Co-authored-by: Georges-Antoine Assi <3247106+gantoine@users.noreply.github.com>
---
 .../src/components/Administration/Users/Table.vue  |  6 +++---
 frontend/src/stores/users.ts                       | 14 +++++++-------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/frontend/src/components/Administration/Users/Table.vue b/frontend/src/components/Administration/Users/Table.vue
index cc9f6ada6..6318c420a 100644
--- a/frontend/src/components/Administration/Users/Table.vue
+++ b/frontend/src/components/Administration/Users/Table.vue
@@ -15,7 +15,7 @@ const userSearch = ref("");
 const { xs } = useDisplay();
 const emitter = inject<Emitter<Events>>("emitter");
 const usersStore = storeUsers();
-const { allUSers } = storeToRefs(usersStore);
+const { allUsers } = storeToRefs(usersStore);
 const auth = storeAuth();
 const HEADERS = [
   {
@@ -60,7 +60,7 @@ emitter?.on("updateDataTablePages", updateDataTablePages);
 
 // Functions
 function updateDataTablePages() {
-  pageCount.value = Math.ceil(usersStore.allUSers.length / usersPerPage.value);
+  pageCount.value = Math.ceil(usersStore.allUsers.length / usersPerPage.value);
 }
 
 function disableUser(user: User) {
@@ -108,7 +108,7 @@ onMounted(() => {
         :items-per-page-options="PER_PAGE_OPTIONS"
         :search="userSearch"
         :headers="HEADERS"
-        :items="allUSers"
+        :items="allUsers"
         :sort-by="[{ key: 'username', order: 'asc' }]"
         fixed-header
         fixed-footer
diff --git a/frontend/src/stores/users.ts b/frontend/src/stores/users.ts
index 601aa97d3..a5448b080 100644
--- a/frontend/src/stores/users.ts
+++ b/frontend/src/stores/users.ts
@@ -5,22 +5,22 @@ export type User = UserSchema;
 
 export default defineStore("users", {
   state: () => ({
-    allUSers: [] as User[],
+    allUsers: [] as User[],
   }),
 
   getters: {
-    admins: (state) => state.allUSers.filter((user) => user.role === "admin"),
+    admins: (state) => state.allUsers.filter((user) => user.role === "admin"),
   },
 
   actions: {
     set(users: User[]) {
-      this.allUSers = users;
+      this.allUsers = users;
     },
     add(user: User) {
-      this.allUSers = this.allUSers.concat(user);
+      this.allUsers = this.allUsers.concat(user);
     },
     update(user: User) {
-      this.allUSers = this.allUSers.map((value) => {
+      this.allUsers = this.allUsers.map((value) => {
         if (value.id === user.id) {
           return user;
         }
@@ -28,12 +28,12 @@ export default defineStore("users", {
       });
     },
     remove(userId: number) {
-      this.allUSers = this.allUSers.filter((value) => {
+      this.allUsers = this.allUsers.filter((value) => {
         return value.id !== userId;
       });
     },
     reset() {
-      this.allUSers = [];
+      this.allUsers = [];
     },
   },
 });

From d8a9cb1e4bf45cbd31ee51f12eac0df514f80164 Mon Sep 17 00:00:00 2001
From: Zurdi <zurdizurdo25@gmail.com>
Date: Fri, 5 Jul 2024 20:59:14 +0200
Subject: [PATCH 10/12] fixed filter roms both by platform and collection

---
 backend/handler/database/roms_handler.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/handler/database/roms_handler.py b/backend/handler/database/roms_handler.py
index 44897ecc5..bb69cead2 100644
--- a/backend/handler/database/roms_handler.py
+++ b/backend/handler/database/roms_handler.py
@@ -56,7 +56,7 @@ def _filter(
         if platform_id:
             data = data.filter(Rom.platform_id == platform_id)
 
-        elif collection_id:
+        if collection_id:
             collection = (
                 session.query(Collection)
                 .filter(Collection.id == collection_id)

From 443509332905865b422cf2c98ec802930cb9e574 Mon Sep 17 00:00:00 2001
From: Zurdi <34356590+zurdi15@users.noreply.github.com>
Date: Sat, 6 Jul 2024 18:53:29 +0200
Subject: [PATCH 11/12] Update backend/endpoints/user.py

Co-authored-by: Georges-Antoine Assi <3247106+gantoine@users.noreply.github.com>
---
 backend/endpoints/user.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/endpoints/user.py b/backend/endpoints/user.py
index a1b277086..8f696fdfd 100644
--- a/backend/endpoints/user.py
+++ b/backend/endpoints/user.py
@@ -94,7 +94,7 @@ def get_user(request: Request, id: int) -> UserSchema:
     return user
 
 
-@protected_route(router.put, "/users/{id}")
+@protected_route(router.put, "/users/{id}", ["me.write"])
 def update_user(
     request: Request, id: int, form_data: Annotated[UserForm, Depends()]
 ) -> UserSchema:

From 14e2377f3a63f0efa17784c8e9f105ae2fbd0bd2 Mon Sep 17 00:00:00 2001
From: Zurdi <zurdizurdo25@gmail.com>
Date: Sat, 6 Jul 2024 18:55:45 +0200
Subject: [PATCH 12/12] fixes from PR review

---
 backend/endpoints/user.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/backend/endpoints/user.py b/backend/endpoints/user.py
index 8f696fdfd..63975e71d 100644
--- a/backend/endpoints/user.py
+++ b/backend/endpoints/user.py
@@ -119,7 +119,8 @@ def update_user(
             status_code=status.HTTP_404_NOT_FOUND, detail="User not found"
         )
 
-    if not db_user.id == request.user.id and request.user.role != Role.ADMIN:
+    # Admin users can edit any user, while other users can only edit self
+    if db_user.id != request.user.id and request.user.role != Role.ADMIN:
         raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Forbidden")
 
     cleaned_data = {}