From 802c1b40d3f986cb6541494b257d00701886caa5 Mon Sep 17 00:00:00 2001
From: mahmamdouh <mahmoud.elmohtady@gmail.com>
Date: Sun, 25 Jan 2026 15:44:15 +0100
Subject: [PATCH] fix

---
 backend/routers/auth.py | 6 ++++++
 backend/schemas.py      | 8 ++++++++
 2 files changed, 14 insertions(+)

diff --git a/backend/routers/auth.py b/backend/routers/auth.py
index 04605e5..f4d24c8 100644
--- a/backend/routers/auth.py
+++ b/backend/routers/auth.py
@@ -15,6 +15,12 @@ async def login_for_access_token(form_data: OAuth2PasswordRequestForm = Depends(
             detail="Incorrect username or password",
             headers={"WWW-Authenticate": "Bearer"},
         )
+    
+    if not user.is_admin:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Access denied. Only admins can login to the dashboard.",
+        )
     access_token_expires = timedelta(minutes=auth_utils.ACCESS_TOKEN_EXPIRE_MINUTES)
     access_token = auth_utils.create_access_token(
         data={"sub": user.username}, expires_delta=access_token_expires
diff --git a/backend/schemas.py b/backend/schemas.py
index 5a07b90..99b0067 100644
--- a/backend/schemas.py
+++ b/backend/schemas.py
@@ -19,10 +19,18 @@ class UserUpdate(BaseModel):
     is_active: Optional[bool] = None
     is_admin: Optional[bool] = None
 
+class UserApplicationOut(BaseModel):
+    application: "ApplicationOut"
+    assigned_at: datetime
+
+    class Config:
+        orm_mode = True
+
 class UserOut(UserBase):
     id: int
     created_at: datetime
     updated_at: datetime
+    applications: List[UserApplicationOut] = []
 
     class Config:
         orm_mode = True