From 4d2673c4656f5cb402c37f6227699d9684dc5ac3 Mon Sep 17 00:00:00 2001
From: Tharun Sevvel
Date: Thu, 5 Mar 2026 16:54:41 -0600
Subject: [PATCH] Batch role updating route
---
 .gitignore | 2 +-
 cmd/api/middlewares.go | 78 +++++++++++++++++++++++++++++++++++++
 cmd/api/middlewares_test.go | 1 +
 3 files changed, 80 insertions(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index 139d0b93..b1338c25 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,5 @@
 # Environment variables
-.env
+*.env
 .env.local
 .env.*.local
 
diff --git a/cmd/api/middlewares.go b/cmd/api/middlewares.go
index 5a45d46d..051f111c 100644
--- a/cmd/api/middlewares.go
+++ b/cmd/api/middlewares.go
@@ -155,6 +155,84 @@ func (app *application) RequireRoleMiddleware(minRole store.UserRole) func(http.
 }
 }
 
+func (app *application) SuperAdminUpdate() func(http.Handler) http.Handler {
+ return func(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+
+ //Check if this specifc user exists from the context we get
+ user := getUserFromContext(r.Context())
+ if user == nil {
+ app.unauthorizedErrorResponse(w, r, fmt.Errorf("This user does not exist"))
+ return
+ }
+
+ //Turning the HTTPs request into the actual struct
+ var req RoleUpdateRequest
+ if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+ app.badRequestResponse(w, r, err)
+ return
+ }
+
+ //Checking if the user role is a super admin or not
+ if req.Role == store.RoleSuperAdmin {
+ app.unauthorizedErrorResponse(w, r, fmt.Errorf("User can not give this role"))
+ return
+ }
+
+ for _, userID := range req.UserIds {
+ //user is trying to modify their own role
+ if userID == user.ID {
+ app.forbiddenResponse(w, r, fmt.Errorf("User cannot update their own roles"))
+ return
+ }
+
+ //user id is not found
+ target, err := app.store.Users.GetById(r.Context(), userID)
+ if err != nil {
+ //Check what type of error we actuall got
+ if errors.Is(err, store.ErrNotFound) {
+ app.forbiddenResponse(w, r, fmt.Errorf("User ID does not exist"))
+ return
+ }
+
+ //Else we just have some internal server error
+ app.internalServerError(w, r, err)
+ return
+ }
+
+ //User is trying to modify a super admin
+ if target.Role == store.RoleSuperAdmin {
+ app.unauthorizedErrorResponse(w, r, fmt.Errorf("Cannot modify a super Admin"))
+ return
+ }
+ }
+
+ //Now its actually going to check wiht the database to make sure we're good
+ updatedUsers, rowsChanged, err := app.store.Users.BatchUpdateRole(r.Context(), req.UserIds, req.Role)
+
+ //Check if we actually checked the database properly
+ if err != nil {
+ app.internalServerError(w, r, err)
+ return
+ }
+
+ //The rows changed is not equal to the amount of rows that were supposed ot be changed so something went wrong
+ if rowsChanged != int64(len(req.UserIds)) {
+ app.badRequestResponse(w, r, fmt.Errorf("Certain User Ids do not exist"))
+ return
+ }
+
+ //Return the updated Users
+ if err := app.writeJSON(w, http.StatusOK, envelope{
+ "updated": updatedUsers,
+ }, nil); err != nil {
+ app.internalServerError(w, r, err)
+ return
+ }
+ })
+ }
+}
+
 func getUserFromContext(ctx context.Context) *store.User {
 user, _ := ctx.Value(userContextKey).(*store.User)
 return user
diff --git a/cmd/api/middlewares_test.go b/cmd/api/middlewares_test.go
index a90188fc..cbce7ff7 100644
--- a/cmd/api/middlewares_test.go
+++ b/cmd/api/middlewares_test.go
@@ -241,3 +241,4 @@ func TestRateLimiterMiddleware(t *testing.T) {
 checkResponseCode(t, http.StatusOK, rr.Code)
 })
 }
+
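Review bot: Nothing in SuperAdminUpdate checks the caller's own role: the only test on `user` is the nil check, and the block commented "Checking if the user role is a super admin or not" compares `req.Role`, the role being granted, so unless the route is also wrapped in `RequireRoleMiddleware` (route registration is not in this diff) any authenticated account can assign any role below super admin to other users. Gate it right after the nil check, e.g. `if user.Role != store.RoleSuperAdmin { app.forbiddenResponse(w, r, fmt.Errorf("super admin role required")); return }`, assuming the context user carries the same `Role` field that is read from `target`. The per-ID validation loop and `BatchUpdateRole` are also separate steps, so a target's role can change in between, and the `rowsChanged` mismatch is reported only after the update has already run (a duplicate ID in `req.UserIds` would trigger it too); enforcing the not-super-admin condition inside the update statement or a single transaction would close that gap. The closure never calls `next` and answers 401 on branches that are permission failures, so it behaves as a terminal handler and 403 would fit those branches better.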