From 001de31097454f66c0437695ee0e34a1dd21c89d Mon Sep 17 00:00:00 2001
From: qwerty287 <qwerty287@posteo.de>
Date: Sun, 17 May 2026 11:59:28 +0200
Subject: [PATCH 1/2] View warning if admin is configured at env level

---
 cmd/server/openapi/docs.go         | 3 +++
 rpc/proto/woodpecker.pb.go         | 2 +-
 rpc/proto/woodpecker_grpc.pb.go    | 4 ++--
 server/api/users.go                | 4 ++++
 server/model/user.go               | 2 ++
 web/src/assets/locales/en.json     | 3 ++-
 web/src/lib/api/types/user.ts      | 3 +++
 web/src/views/admin/AdminUsers.vue | 7 +++++++
 8 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/cmd/server/openapi/docs.go b/cmd/server/openapi/docs.go
index 617841b10a3..ccce77b336b 100644
--- a/cmd/server/openapi/docs.go
+++ b/cmd/server/openapi/docs.go
@@ -5756,6 +5756,9 @@ const docTemplate = `{
                     "description": "Admin indicates the user is a system administrator.\n\nNOTE: If the username is part of the WOODPECKER_ADMIN\nenvironment variable, this value will be set to true on login.",
                     "type": "boolean"
                 },
+                "admin_env": {
+                    "type": "boolean"
+                },
                 "avatar_url": {
                     "description": "the avatar url for this user.",
                     "type": "string"
diff --git a/rpc/proto/woodpecker.pb.go b/rpc/proto/woodpecker.pb.go
index 5150d30649f..b81001ccb82 100644
--- a/rpc/proto/woodpecker.pb.go
+++ b/rpc/proto/woodpecker.pb.go
@@ -16,7 +16,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.11
-// 	protoc        v6.33.1
+// 	protoc        v7.34.1
 // source: woodpecker.proto
 
 package proto
diff --git a/rpc/proto/woodpecker_grpc.pb.go b/rpc/proto/woodpecker_grpc.pb.go
index 4dfd78a0efb..0000eb7fc00 100644
--- a/rpc/proto/woodpecker_grpc.pb.go
+++ b/rpc/proto/woodpecker_grpc.pb.go
@@ -15,8 +15,8 @@
 
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.6.1
-// - protoc             v6.33.1
+// - protoc-gen-go-grpc v1.6.2
+// - protoc             v7.34.1
 // source: woodpecker.proto
 
 package proto
diff --git a/server/api/users.go b/server/api/users.go
index 072f87d00ee..9f45f4a1b18 100644
--- a/server/api/users.go
+++ b/server/api/users.go
@@ -24,6 +24,7 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/tink-crypto/tink-go/v2/subtle/random"
 
+	"go.woodpecker-ci.org/woodpecker/v3/server"
 	"go.woodpecker-ci.org/woodpecker/v3/server/model"
 	"go.woodpecker-ci.org/woodpecker/v3/server/router/middleware/session"
 	"go.woodpecker-ci.org/woodpecker/v3/server/store"
@@ -49,6 +50,9 @@ func GetUsers(c *gin.Context) {
 		c.String(http.StatusInternalServerError, "Error getting user list. %s", err)
 		return
 	}
+	for _, user := range users {
+		user.AdminEnv = server.Config.Permissions.Admins.IsAdmin(user)
+	}
 	c.JSON(http.StatusOK, users)
 }
 
diff --git a/server/model/user.go b/server/model/user.go
index fc6211074c3..042cb5f6e84 100644
--- a/server/model/user.go
+++ b/server/model/user.go
@@ -66,6 +66,8 @@ type User struct {
 	// environment variable, this value will be set to true on login.
 	Admin bool `json:"admin,omitempty" xorm:"admin"`
 
+	AdminEnv bool `json:"admin_env,omitempty"`
+
 	// Hash is a unique token used to sign tokens.
 	Hash string `json:"-" xorm:"UNIQUE varchar(500) 'hash'"`
 
diff --git a/web/src/assets/locales/en.json b/web/src/assets/locales/en.json
index 3a3fadd9e2a..a15daff3075 100644
--- a/web/src/assets/locales/en.json
+++ b/web/src/assets/locales/en.json
@@ -412,7 +412,8 @@
         "saved": "User saved",
         "admin": {
           "admin": "Admin",
-          "placeholder": "User is an admin"
+          "placeholder": "User is an admin",
+          "admin_warning": "This user has admin permissions because of your environment configuration. If you revoke the permission here, the user will regain them when they sign in next time."
         },
         "delete_user": "Delete user",
         "edit_user": "Edit user"
diff --git a/web/src/lib/api/types/user.ts b/web/src/lib/api/types/user.ts
index 6d6589b88d1..e4ef100d316 100644
--- a/web/src/lib/api/types/user.ts
+++ b/web/src/lib/api/types/user.ts
@@ -21,6 +21,9 @@ export interface User {
   admin: boolean;
   // Whether the account has administrative privileges.
 
+  admin_env: boolean;
+  // Whether the administrative privileges are defined at env var level.
+
   active: boolean;
   // Whether the account is currently active.
 
diff --git a/web/src/views/admin/AdminUsers.vue b/web/src/views/admin/AdminUsers.vue
index a8f6bcd014e..fa15b7e0b59 100644
--- a/web/src/views/admin/AdminUsers.vue
+++ b/web/src/views/admin/AdminUsers.vue
@@ -63,6 +63,12 @@
         </InputField>
 
         <InputField :label="$t('admin.settings.users.admin.admin')">
+          <Warning
+            v-if="selectedUser.admin_env"
+            class="mb-4 text-sm"
+            :text="$t('admin.settings.users.admin.admin_warning')"
+          />
+
           <Checkbox
             :model-value="selectedUser.admin || false"
             :label="$t('admin.settings.users.admin.placeholder')"
@@ -94,6 +100,7 @@ import Button from '~/components/atomic/Button.vue';
 import Icon from '~/components/atomic/Icon.vue';
 import IconButton from '~/components/atomic/IconButton.vue';
 import ListItem from '~/components/atomic/ListItem.vue';
+import Warning from '~/components/atomic/Warning.vue';
 import Checkbox from '~/components/form/Checkbox.vue';
 import InputField from '~/components/form/InputField.vue';
 import TextField from '~/components/form/TextField.vue';

From 5ef656ea0be288799d0eb4a511af49600b5f1572 Mon Sep 17 00:00:00 2001
From: qwerty287 <qwerty287@posteo.de>
Date: Mon, 18 May 2026 08:29:51 +0200
Subject: [PATCH 2/2] missing xorm tag

---
 server/model/user.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/model/user.go b/server/model/user.go
index 042cb5f6e84..862b6aec5e5 100644
--- a/server/model/user.go
+++ b/server/model/user.go
@@ -66,7 +66,7 @@ type User struct {
 	// environment variable, this value will be set to true on login.
 	Admin bool `json:"admin,omitempty" xorm:"admin"`
 
-	AdminEnv bool `json:"admin_env,omitempty"`
+	AdminEnv bool `json:"admin_env,omitempty" xorm:"-"`
 
 	// Hash is a unique token used to sign tokens.
 	Hash string `json:"-" xorm:"UNIQUE varchar(500) 'hash'"`