feat: implement host dashboard

Add Host Dashboard for event and guest management, accessible at /host.

Backend — new /api/v1/host/* endpoints (RequireHost auth):
- GET  /host/event                    → event name + lock/release state
- POST /host/event/close|open         → lock or unlock uploads; SSE broadcast
- POST /host/gallery/release          → set release timestamp, enqueue export jobs
- GET  /host/users                    → all guests with upload count & bytes
- POST /host/users/{id}/ban           → ban with optional upload-hide choice
- POST /host/users/{id}/unban         → lift ban
- PATCH /host/users/{id}/role         → promote guest→host or demote host→guest
- DELETE /host/upload/{id}            → host-level soft-delete + SSE
- DELETE /host/comment/{id}           → host-level soft-delete

Frontend — /host page:
- Event controls: lock/unlock toggle and release-gallery button with status badges
- Guest table: display name, role badge, upload count, storage used
- Ban flow: modal asking whether to keep or hide the user's uploads
- Promote/demote buttons respecting caller role (host can promote guests; admin can demote hosts)
- auth.ts: getRole() decodes JWT payload client-side to gate the route

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/src/handlers/host.rs

@@ -0,0 +1,260 @@
+use axum::extract::{Path, State};
+use axum::http::StatusCode;
+use axum::Json;
+use chrono::{DateTime, Utc};
+use serde::{Deserialize, Serialize};
+use uuid::Uuid;
+
+use crate::auth::middleware::RequireHost;
+use crate::error::AppError;
+use crate::models::comment::Comment;
+use crate::models::event::Event;
+use crate::models::upload::Upload;
+use crate::state::AppState;
+
+// ── DTOs ─────────────────────────────────────────────────────────────────────
+
+#[derive(Serialize, sqlx::FromRow)]
+pub struct UserSummary {
+    pub id: Uuid,
+    pub display_name: String,
+    pub role: String,
+    pub is_banned: bool,
+    pub uploads_hidden: bool,
+    pub upload_count: i64,
+    pub total_upload_bytes: i64,
+    pub created_at: DateTime<Utc>,
+}
+
+#[derive(Serialize)]
+pub struct EventStatus {
+    pub name: String,
+    pub is_active: bool,
+    pub uploads_locked: bool,
+    pub export_released: bool,
+}
+
+#[derive(Deserialize)]
+pub struct BanRequest {
+    pub hide_uploads: bool,
+}
+
+#[derive(Deserialize)]
+pub struct SetRoleRequest {
+    pub role: String,
+}
+
+// ── Handlers ─────────────────────────────────────────────────────────────────
+
+pub async fn get_event_status(
+    State(state): State<AppState>,
+    RequireHost(_auth): RequireHost,
+) -> Result<Json<EventStatus>, AppError> {
+    let event = Event::find_by_slug(&state.pool, &state.config.event_slug)
+        .await?
+        .ok_or_else(|| AppError::NotFound("Event nicht gefunden.".into()))?;
+
+    Ok(Json(EventStatus {
+        name: event.name,
+        is_active: event.is_active,
+        uploads_locked: event.uploads_locked_at.is_some(),
+        export_released: event.export_released_at.is_some(),
+    }))
+}
+
+pub async fn list_users(
+    State(state): State<AppState>,
+    RequireHost(auth): RequireHost,
+) -> Result<Json<Vec<UserSummary>>, AppError> {
+    let rows = sqlx::query_as::<_, UserSummary>(
+        "SELECT u.id,
+                u.display_name,
+                u.role::text AS role,
+                u.is_banned,
+                u.uploads_hidden,
+                COALESCE(COUNT(up.id), 0) AS upload_count,
+                u.total_upload_bytes,
+                u.created_at
+         FROM \"user\" u
+         LEFT JOIN upload up ON up.user_id = u.id AND up.deleted_at IS NULL
+         WHERE u.event_id = $1
+         GROUP BY u.id
+         ORDER BY u.created_at ASC",
+    )
+    .bind(auth.event_id)
+    .fetch_all(&state.pool)
+    .await?;
+
+    Ok(Json(rows))
+}
+
+pub async fn ban_user(
+    State(state): State<AppState>,
+    RequireHost(auth): RequireHost,
+    Path(user_id): Path<Uuid>,
+    Json(body): Json<BanRequest>,
+) -> Result<StatusCode, AppError> {
+    // Cannot ban yourself or another host/admin
+    if user_id == auth.user_id {
+        return Err(AppError::BadRequest("Du kannst dich nicht selbst sperren.".into()));
+    }
+    let target = sqlx::query_as::<_, (String,)>(
+        "SELECT role::text FROM \"user\" WHERE id = $1 AND event_id = $2",
+    )
+    .bind(user_id)
+    .bind(auth.event_id)
+    .fetch_optional(&state.pool)
+    .await?
+    .ok_or_else(|| AppError::NotFound("Benutzer nicht gefunden.".into()))?;
+
+    if target.0 == "admin" || (target.0 == "host" && auth.role != crate::models::user::UserRole::Admin) {
+        return Err(AppError::Forbidden("Du kannst diesen Benutzer nicht sperren.".into()));
+    }
+
+    sqlx::query(
+        "UPDATE \"user\" SET is_banned = TRUE, uploads_hidden = $2 WHERE id = $1",
+    )
+    .bind(user_id)
+    .bind(body.hide_uploads)
+    .execute(&state.pool)
+    .await?;
+
+    Ok(StatusCode::NO_CONTENT)
+}
+
+pub async fn unban_user(
+    State(state): State<AppState>,
+    RequireHost(_auth): RequireHost,
+    Path(user_id): Path<Uuid>,
+) -> Result<StatusCode, AppError> {
+    sqlx::query("UPDATE \"user\" SET is_banned = FALSE WHERE id = $1")
+        .bind(user_id)
+        .execute(&state.pool)
+        .await?;
+    Ok(StatusCode::NO_CONTENT)
+}
+
+pub async fn set_role(
+    State(state): State<AppState>,
+    RequireHost(auth): RequireHost,
+    Path(user_id): Path<Uuid>,
+    Json(body): Json<SetRoleRequest>,
+) -> Result<StatusCode, AppError> {
+    if user_id == auth.user_id {
+        return Err(AppError::BadRequest("Du kannst deine eigene Rolle nicht ändern.".into()));
+    }
+    let new_role = match body.role.as_str() {
+        "guest" => "guest",
+        "host" => "host",
+        _ => return Err(AppError::BadRequest("Ungültige Rolle. Erlaubt: guest, host.".into())),
+    };
+    sqlx::query("UPDATE \"user\" SET role = $2::user_role WHERE id = $1 AND event_id = $3")
+        .bind(user_id)
+        .bind(new_role)
+        .bind(auth.event_id)
+        .execute(&state.pool)
+        .await?;
+    Ok(StatusCode::NO_CONTENT)
+}
+
+pub async fn host_delete_upload(
+    State(state): State<AppState>,
+    RequireHost(_auth): RequireHost,
+    Path(upload_id): Path<Uuid>,
+) -> Result<StatusCode, AppError> {
+    let upload = Upload::find_by_id(&state.pool, upload_id)
+        .await?
+        .ok_or_else(|| AppError::NotFound("Upload nicht gefunden.".into()))?;
+
+    Upload::soft_delete(&state.pool, upload_id).await?;
+
+    let _ = state.sse_tx.send(crate::state::SseEvent {
+        event_type: "upload-deleted".to_string(),
+        data: serde_json::json!({ "upload_id": upload.id }).to_string(),
+    });
+
+    Ok(StatusCode::NO_CONTENT)
+}
+
+pub async fn host_delete_comment(
+    State(state): State<AppState>,
+    RequireHost(_auth): RequireHost,
+    Path(comment_id): Path<Uuid>,
+) -> Result<StatusCode, AppError> {
+    Comment::find_by_id(&state.pool, comment_id)
+        .await?
+        .ok_or_else(|| AppError::NotFound("Kommentar nicht gefunden.".into()))?;
+
+    Comment::soft_delete(&state.pool, comment_id).await?;
+    Ok(StatusCode::NO_CONTENT)
+}
+
+pub async fn close_event(
+    State(state): State<AppState>,
+    RequireHost(_auth): RequireHost,
+) -> Result<StatusCode, AppError> {
+    sqlx::query(
+        "UPDATE event SET uploads_locked_at = NOW() WHERE slug = $1 AND uploads_locked_at IS NULL",
+    )
+    .bind(&state.config.event_slug)
+    .execute(&state.pool)
+    .await?;
+
+    let _ = state.sse_tx.send(crate::state::SseEvent {
+        event_type: "event-closed".to_string(),
+        data: "{}".to_string(),
+    });
+
+    Ok(StatusCode::NO_CONTENT)
+}
+
+pub async fn open_event(
+    State(state): State<AppState>,
+    RequireHost(_auth): RequireHost,
+) -> Result<StatusCode, AppError> {
+    sqlx::query(
+        "UPDATE event SET uploads_locked_at = NULL WHERE slug = $1",
+    )
+    .bind(&state.config.event_slug)
+    .execute(&state.pool)
+    .await?;
+
+    let _ = state.sse_tx.send(crate::state::SseEvent {
+        event_type: "event-opened".to_string(),
+        data: "{}".to_string(),
+    });
+
+    Ok(StatusCode::NO_CONTENT)
+}
+
+pub async fn release_gallery(
+    State(state): State<AppState>,
+    RequireHost(_auth): RequireHost,
+) -> Result<StatusCode, AppError> {
+    let event = Event::find_by_slug(&state.pool, &state.config.event_slug)
+        .await?
+        .ok_or_else(|| AppError::NotFound("Event nicht gefunden.".into()))?;
+
+    if event.export_released_at.is_some() {
+        return Err(AppError::BadRequest("Galerie wurde bereits freigegeben.".into()));
+    }
+
+    sqlx::query("UPDATE event SET export_released_at = NOW() WHERE slug = $1")
+        .bind(&state.config.event_slug)
+        .execute(&state.pool)
+        .await?;
+
+    // Enqueue export jobs (processed by the export worker in a later step)
+    for export_type in ["zip", "html"] {
+        sqlx::query(
+            "INSERT INTO export_job (event_id, type) VALUES ($1, $2::export_type)
+             ON CONFLICT (event_id, type) DO NOTHING",
+        )
+        .bind(event.id)
+        .bind(export_type)
+        .execute(&state.pool)
+        .await?;
+    }
+
+    Ok(StatusCode::NO_CONTENT)
+}

backend/src/handlers/mod.rs

@@ -1,4 +1,5 @@
 pub mod feed;
+pub mod host;
 pub mod social;
 pub mod sse;
 pub mod upload;