// Admin — owner-only access control. // // Lets the owner (SITE_OWNER_EMAIL) grant any Supabase-auth email access to // specific private pages, at a chosen level (full / read-only), and toggle them // on/off — all persisted to the `site_access` table, which also drives the // Row-Level-Security policies server-side (see the site_access migration). No // SQL editor required. // // The route (#admin) and this component are gated to the owner in index.html. const ADMIN_PAGES = [ { id: 'objects', label: 'Objects' }, { id: 'ideas', label: 'Ideas' }, { id: 'places', label: 'Places' }, { id: 'forme', label: 'For Me' }, ]; const LEVELS = [ { id: 'full', label: 'Full access', hint: 'view + add / edit / delete' }, { id: 'read', label: 'Read-only', hint: 'view only — every write blocked' }, ]; const blankGrant = () => ({ email: '', pages: ['objects', 'ideas', 'places'], access_level: 'read', active: true, note: '' }); const emailValid = (e) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test((e || '').trim()); const lbl = { fontFamily: fontMono, fontSize: '10px', letterSpacing: '0.12em', color: tokens.inkMute, display: 'block', marginBottom: '6px' }; const inp = { width: '100%', padding: '9px 11px', border: `1px solid ${tokens.inkLine}`, background: '#FDFBF7', fontFamily: 'inherit', fontSize: '13px', color: tokens.ink, boxSizing: 'border-box', outline: 'none' }; // Page-checkbox + level + active editor shared by the add form and each row. const GrantEditor = ({ value, onChange }) => { const togglePage = (id) => { const has = value.pages.includes(id); onChange({ ...value, pages: has ? value.pages.filter((p) => p !== id) : [...value.pages, id] }); }; return (
{ADMIN_PAGES.map((p) => { const on = value.pages.includes(p.id); return ( togglePage(p.id)} style={{ fontFamily: fontMono, fontSize: '11px', letterSpacing: '0.04em', padding: '6px 12px', cursor: 'pointer', border: `1px solid ${on ? tokens.ink : tokens.inkLine}`, background: on ? tokens.ink : 'none', color: on ? tokens.paper : tokens.inkMute }}> {on ? '✓ ' : ''}{p.label} ); })}
{LEVELS.map((l) => { const on = value.access_level === l.id; return ( onChange({ ...value, access_level: l.id })} title={l.hint} style={{ fontFamily: fontMono, fontSize: '11px', letterSpacing: '0.04em', padding: '6px 12px', cursor: 'pointer', border: `1px solid ${on ? (l.id === 'full' ? tokens.green : tokens.ochre) : tokens.inkLine}`, background: on ? (l.id === 'full' ? tokens.green : tokens.ochre) : 'none', color: on ? tokens.paper : tokens.inkMute }}> {l.label} ); })}
onChange({ ...value, active: !value.active })} style={{ fontFamily: fontMono, fontSize: '11px', letterSpacing: '0.04em', padding: '6px 14px', cursor: 'pointer', display: 'inline-block', border: `1px solid ${value.active ? tokens.green : tokens.inkLine}`, background: value.active ? tokens.green : 'none', color: value.active ? tokens.paper : tokens.inkMute }}> {value.active ? '● ACTIVE' : '○ DISABLED'}
); }; const AddGrantForm = ({ onAdd, onCancel }) => { const [g, setG] = React.useState(blankGrant()); const [saving, setSaving] = React.useState(false); const [err, setErr] = React.useState(''); const submit = async (e) => { e.preventDefault(); if (!emailValid(g.email)) { setErr('Enter a valid email address.'); return; } if (!g.pages.length) { setErr('Grant at least one page.'); return; } setSaving(true); setErr(''); const error = await onAdd({ ...g, email: g.email.trim().toLowerCase() }); if (error) { setErr(error.message || 'Failed to save.'); setSaving(false); } }; return (
GRANT ACCESS
setG({ ...g, email: e.target.value })} placeholder="person@firm.com" autoFocus />
setG({ ...g, note: e.target.value })} placeholder="e.g. LP at Acme · diligence access to Ideas" />
{err &&
{err}
}
); }; const GrantRow = ({ grant, onSave, onDelete }) => { const [editing, setEditing] = React.useState(false); const [draft, setDraft] = React.useState(grant); const [busy, setBusy] = React.useState(false); React.useEffect(() => { setDraft(grant); }, [grant]); const builtIn = grant.invited_by === 'system'; const save = async () => { setBusy(true); const e = await onSave(grant.email, { pages: draft.pages, access_level: draft.access_level, active: draft.active, note: draft.note }); setBusy(false); if (!e) setEditing(false); }; const levelColor = grant.access_level === 'full' ? tokens.green : tokens.ochre; return (
{grant.email} {builtIn && BUILT-IN} {grant.note &&
{grant.note}
}
{grant.access_level === 'full' ? 'FULL' : 'READ-ONLY'} {grant.active ? '● ACTIVE' : '○ OFF'} setEditing((x) => !x)} style={{ fontFamily: fontMono, fontSize: '10px', letterSpacing: '0.08em', color: tokens.inkMute, cursor: 'pointer', borderBottom: `1px solid ${tokens.inkLine}` }}>{editing ? 'CLOSE' : 'EDIT'}
{!editing && (
{ADMIN_PAGES.filter((p) => (grant.pages || []).includes(p.id)).map((p) => ( {p.label} ))} {(grant.pages || []).length === 0 && no pages granted}
)} {editing && (
setDraft({ ...draft, note: e.target.value })} />
{!builtIn && }
)}
); }; const Admin = () => { const isMobile = useIsMobile(); const [grants, setGrants] = React.useState(null); const [showAdd, setShowAdd] = React.useState(false); const [err, setErr] = React.useState(''); const load = React.useCallback(async () => { const client = window._supabaseClient; if (!client) { setGrants([]); setErr('No backend connected.'); return; } const { data, error } = await client.from('site_access').select('email, pages, access_level, active, note, invited_by, created_at').order('created_at', { ascending: true }); if (error) { setGrants([]); setErr(error.message); return; } setGrants(data || []); }, []); React.useEffect(() => { load(); }, [load]); const add = async (g) => { const client = window._supabaseClient; if (!client) return { message: 'No backend connected.' }; const { data: { user } } = await client.auth.getUser(); const { error } = await client.from('site_access').upsert({ ...g, invited_by: user ? user.email : null }, { onConflict: 'email' }); if (error) return error; setShowAdd(false); await load(); return null; }; const save = async (email, patch) => { const client = window._supabaseClient; if (!client) return { message: 'No backend connected.' }; const { error } = await client.from('site_access').update(patch).eq('email', email); if (error) { setErr(error.message); return error; } await load(); return null; }; const del = async (email) => { const client = window._supabaseClient; if (!client) return; await client.from('site_access').delete().eq('email', email); await load(); }; return (
AUTHORIZED EMAILS {grants ? `· ${grants.length}` : ''}
{!showAdd && ( )}
{err &&
{err}
} {showAdd && setShowAdd(false)} />} {grants === null ? (
LOADING…
) : grants.length === 0 ? (
No grants yet. The owner (you) always has full access. Click + GRANT ACCESS to invite someone — they must already exist as a user in Supabase Auth (Dashboard → Authentication → Add user).
) : (
{grants.map((g) => )}
)}
OWNER · {(window.SITE_OWNER_EMAIL || '').toUpperCase()} — ALWAYS FULL ACCESS · SERVER-SIDE ENFORCEMENT VIA site_access RLS · SEE ADMIN-SETUP.md
); }; window.Admin = Admin;