From 275126d61b425772f2b000e46ffeb2a07db8c626 Mon Sep 17 00:00:00 2001
From: hampus-fluxer
Date: Sat, 3 Jan 2026 00:47:06 +0100
Subject: [PATCH] fix(admin): allow fetching current user without elevated ACL (#3)

---
 fluxer_admin/src/fluxer_admin/api/users.gleam | 39 ++++++++++++++++++-
 .../admin/controllers/UserAdminController.ts | 9 +++++
 2 files changed, 47 insertions(+), 1 deletion(-)

diff --git a/fluxer_admin/src/fluxer_admin/api/users.gleam b/fluxer_admin/src/fluxer_admin/api/users.gleam
index e7337438..957e4b3e 100644
--- a/fluxer_admin/src/fluxer_admin/api/users.gleam
+++ b/fluxer_admin/src/fluxer_admin/api/users.gleam
@@ -486,7 +486,44 @@ pub fn get_current_admin(
 ctx: web.Context,
 session: web.Session,
 ) -> Result(Option(UserLookupResult), ApiError) {
- lookup_user(ctx, session, session.user_id)
+ let url = ctx.api_endpoint <> "/admin/users/me"
+
+ let assert Ok(req) = request.to(url)
+ let req =
+ req
+ |> request.set_method(http.Get)
+ |> request.set_header("authorization", "Bearer " <> session.access_token)
+ case httpc.send(req) {
+ Ok(resp) if resp.status == 200 -> {
+ let decoder = {
+ use user <- decode.field("user", decode.optional(user_lookup_decoder()))
+ decode.success(user)
+ }
+
+ case json.parse(resp.body, decoder) {
+ Ok(result) -> Ok(result)
+ Error(_) -> Error(ServerError)
+ }
+ }
+ Ok(resp) if resp.status == 401 -> Error(Unauthorized)
+ Ok(resp) if resp.status == 403 -> {
+ let message_decoder = {
+ use message <- decode.field("message", decode.string)
+ decode.success(message)
+ }
+
+ let message = case json.parse(resp.body, message_decoder) {
+ Ok(msg) -> msg
+ Error(_) ->
+ "Missing required permissions. Contact an administrator to request access."
+ }
+
+ Error(Forbidden(message))
+ }
+ Ok(resp) if resp.status == 404 -> Error(NotFound)
+ Ok(_resp) -> Error(ServerError)
+ Error(_) -> Error(NetworkError)
+ }
 }
 
 pub fn set_user_acls(
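Review bot: `get_current_admin` now re-implements the whole request/response pipeline inline — URL building, bearer header, and the 200/401/403/404/other status dispatch with a 403 message decoder and a hard-coded fallback string — where it previously delegated to `lookup_user`; if the other endpoints in this file (outside the hunk) use the same dispatch, the shared part should live in one helper so the status-to-`ApiError` mapping cannot drift between call sites. The `let assert Ok(req) = request.to(url)` will crash the caller on a malformed `ctx.api_endpoint` instead of yielding an `ApiError`; acceptable if that is the file's existing convention, otherwise map it to `Error(NetworkError)` like the send failure below it. A doc comment would also help readers understand why this path differs from lookup: `/// Fetches the calling admin's own record via /admin/users/me, which the server gates on the base AUTHENTICATE ACL rather than the lookup ACL, so any signed-in admin can resolve themselves.` — the ACL detail comes from the commit message and the companion TypeScript change, so confirm it before stating it. The function's signature line is the hunk header's context, just outside the hunk.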
diff --git a/fluxer_api/src/admin/controllers/UserAdminController.ts b/fluxer_api/src/admin/controllers/UserAdminController.ts
index 2e5abd03..115c86e0 100644
--- a/fluxer_api/src/admin/controllers/UserAdminController.ts
+++ b/fluxer_api/src/admin/controllers/UserAdminController.ts
@@ -36,6 +36,7 @@ import {
 ListUserGuildsRequest,
 ListUserSessionsRequest,
 LookupUserRequest,
+ mapUserToAdminResponse,
 ScheduleAccountDeletionRequest,
 SendPasswordResetRequest,
 SetUserAclsRequest,
@@ -50,6 +51,14 @@ import {
 } from '../AdminModel';
 
 export const UserAdminController = (app: HonoApp) => {
+ app.get('/admin/users/me', requireAdminACL(AdminACLs.AUTHENTICATE), async (ctx) => {
+ const adminUser = ctx.get('user');
+ const cacheService = ctx.get('cacheService');
+ return ctx.json({
+ user: await mapUserToAdminResponse(adminUser, cacheService),
+ });
+ });
+
 app.post(
 '/admin/users/lookup',
 RateLimitMiddleware(RateLimitConfigs.ADMIN_LOOKUP),
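Review bot: The new `/admin/users/me` route has no `RateLimitMiddleware` in front of it, while the neighbouring `/admin/users/lookup` route in the same hunk is wrapped in `RateLimitMiddleware(RateLimitConfigs.ADMIN_LOOKUP)`; unless a limiter already covers all of `/admin` (not visible here), this is the only route in view that any authenticated admin can call unthrottled, and each call does a `mapUserToAdminResponse` plus cache-service round trip. Keeping the routes consistent is a one-line change: `app.get('/admin/users/me', RateLimitMiddleware(RateLimitConfigs.ADMIN_LOOKUP), requireAdminACL(AdminACLs.AUTHENTICATE), async (ctx) => {` (`ADMIN_LOOKUP` is simply the config this file already uses; pick whichever entry fits). The handler also reads `ctx.get('user')` without a guard, which is correct only if `requireAdminACL` always sets it before the handler runs — a comment such as `// requireAdminACL rejects unauthenticated requests, so 'user' is always set here` would make that dependency explicit for the next reader. `UserAdminController`'s body continues past the end of the hunk.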