Support roles with rights and add moderator role

27 files changed, 190 insertions, 52 deletions

diff --git a/client/src/app/+admin/admin-routing.module.ts b/client/src/app/+admin/admin-routing.module.ts
index c3e4895ac..7262768fe 100644
--- a/client/src/app/+admin/admin-routing.module.ts
+++ b/client/src/app/+admin/admin-routing.module.ts
@@ -8,15 +8,14 @@ import { FriendsRoutes } from './friends'
 import { RequestSchedulersRoutes } from './request-schedulers'
 import { UsersRoutes } from './users'
 import { VideoAbusesRoutes } from './video-abuses'
-import { AdminGuard } from './admin-guard.service'
 import { VideoBlacklistRoutes } from './video-blacklist'
 
 const adminRoutes: Routes = [
   {
     path: '',
     component: AdminComponent,
-    canActivate: [ MetaGuard, AdminGuard ],
-    canActivateChild: [ MetaGuard, AdminGuard ],
+    canActivate: [ MetaGuard ],
+    canActivateChild: [ MetaGuard ],
     children: [
       {
         path: '',
diff --git a/client/src/app/+admin/admin.module.ts b/client/src/app/+admin/admin.module.ts
index f29c501b0..6c216e5d8 100644
--- a/client/src/app/+admin/admin.module.ts
+++ b/client/src/app/+admin/admin.module.ts
@@ -8,7 +8,6 @@ import { UsersComponent, UserAddComponent, UserUpdateComponent, UserListComponen
 import { VideoAbusesComponent, VideoAbuseListComponent } from './video-abuses'
 import { VideoBlacklistComponent, VideoBlacklistListComponent } from './video-blacklist'
 import { SharedModule } from '../shared'
-import { AdminGuard } from './admin-guard.service'
 
 @NgModule({
   imports: [
@@ -45,8 +44,7 @@ import { AdminGuard } from './admin-guard.service'
   providers: [
     FriendService,
     RequestSchedulersService,
-    UserService,
-    AdminGuard
+    UserService
   ]
 })
 export class AdminModule { }
diff --git a/client/src/app/+admin/friends/friends.routes.ts b/client/src/app/+admin/friends/friends.routes.ts
index 615b6f4f7..61cfcae19 100644
--- a/client/src/app/+admin/friends/friends.routes.ts
+++ b/client/src/app/+admin/friends/friends.routes.ts
@@ -1,13 +1,19 @@
 import { Routes } from '@angular/router'
 
+import { UserRightGuard } from '../../core'
 import { FriendsComponent } from './friends.component'
 import { FriendAddComponent } from './friend-add'
 import { FriendListComponent } from './friend-list'
+import { UserRight } from '../../../../../shared'
 
 export const FriendsRoutes: Routes = [
   {
     path: 'friends',
     component: FriendsComponent,
+    canActivate: [ UserRightGuard ],
+    data: {
+      userRight: UserRight.MANAGE_PODS
+    },
     children: [
       {
         path: '',
diff --git a/client/src/app/+admin/request-schedulers/request-schedulers.routes.ts b/client/src/app/+admin/request-schedulers/request-schedulers.routes.ts
index 4961c646b..c2564de15 100644
--- a/client/src/app/+admin/request-schedulers/request-schedulers.routes.ts
+++ b/client/src/app/+admin/request-schedulers/request-schedulers.routes.ts
@@ -1,5 +1,7 @@
 import { Routes } from '@angular/router'
 
+import { UserRightGuard } from '../../core'
+import { UserRight } from '../../../../../shared'
 import { RequestSchedulersComponent } from './request-schedulers.component'
 import { RequestSchedulersStatsComponent } from './request-schedulers-stats'
 
@@ -7,6 +9,10 @@ export const RequestSchedulersRoutes: Routes = [
   {
     path: 'requests',
     component: RequestSchedulersComponent,
+    canActivate: [ UserRightGuard ],
+    data: {
+      userRight: UserRight.MANAGE_REQUEST_SCHEDULERS
+    },
     children: [
       {
         path: '',
diff --git a/client/src/app/+admin/users/user-edit/user-add.component.ts b/client/src/app/+admin/users/user-edit/user-add.component.ts
index 6d8151b42..8e3e3d53d 100644
--- a/client/src/app/+admin/users/user-edit/user-add.component.ts
+++ b/client/src/app/+admin/users/user-edit/user-add.component.ts
@@ -9,10 +9,11 @@ import {
   USER_USERNAME,
   USER_EMAIL,
   USER_PASSWORD,
-  USER_VIDEO_QUOTA
+  USER_VIDEO_QUOTA,
+  USER_ROLE
 } from '../../../shared'
 import { ServerService } from '../../../core'
-import { UserCreate } from '../../../../../../shared'
+import { UserCreate, UserRole } from '../../../../../../shared'
 import { UserEdit } from './user-edit'
 
 @Component({
@@ -28,12 +29,14 @@ export class UserAddComponent extends UserEdit implements OnInit {
     'username': '',
     'email': '',
     'password': '',
+    'role': '',
     'videoQuota': ''
   }
   validationMessages = {
     'username': USER_USERNAME.MESSAGES,
     'email': USER_EMAIL.MESSAGES,
     'password': USER_PASSWORD.MESSAGES,
+    'role': USER_ROLE.MESSAGES,
     'videoQuota': USER_VIDEO_QUOTA.MESSAGES
   }
 
@@ -52,6 +55,7 @@ export class UserAddComponent extends UserEdit implements OnInit {
       username: [ '', USER_USERNAME.VALIDATORS ],
       email:    [ '', USER_EMAIL.VALIDATORS ],
       password: [ '', USER_PASSWORD.VALIDATORS ],
+      role: [ UserRole.USER, USER_ROLE.VALIDATORS ],
       videoQuota: [ '-1', USER_VIDEO_QUOTA.VALIDATORS ]
     })
 
diff --git a/client/src/app/+admin/users/user-edit/user-edit.component.html b/client/src/app/+admin/users/user-edit/user-edit.component.html
index 6988071ce..349be13c1 100644
--- a/client/src/app/+admin/users/user-edit/user-edit.component.html
+++ b/client/src/app/+admin/users/user-edit/user-edit.component.html
@@ -41,6 +41,19 @@
       </div>
 
       <div class="form-group">
+        <label for="role">Role</label>
+        <select class="form-control" id="role" formControlName="role">
+          <option *ngFor="let role of roles" [value]="role.value">
+            {{ role.label }}
+          </option>
+        </select>
+
+        <div *ngIf="formErrors.role" class="alert alert-danger">
+          {{ formErrors.role }}
+        </div>
+      </div>
+
+      <div class="form-group">
         <label for="videoQuota">Video quota</label>
         <select class="form-control" id="videoQuota" formControlName="videoQuota">
           <option *ngFor="let videoQuotaOption of videoQuotaOptions" [value]="videoQuotaOption.value">
diff --git a/client/src/app/+admin/users/user-edit/user-edit.ts b/client/src/app/+admin/users/user-edit/user-edit.ts
index 76497c9b6..51d90da39 100644
--- a/client/src/app/+admin/users/user-edit/user-edit.ts
+++ b/client/src/app/+admin/users/user-edit/user-edit.ts
@@ -1,6 +1,6 @@
 import { ServerService } from '../../../core'
 import { FormReactive } from '../../../shared'
-import { VideoResolution } from '../../../../../../shared/models/videos/video-resolution.enum'
+import { USER_ROLE_LABELS, VideoResolution } from '../../../../../../shared'
 
 export abstract class UserEdit extends FormReactive {
   videoQuotaOptions = [
@@ -14,6 +14,8 @@ export abstract class UserEdit extends FormReactive {
     { value: 50 * 1024 * 1024 * 1024, label: '50GB' }
   ]
 
+  roles = Object.keys(USER_ROLE_LABELS).map(key => ({ value: key, label: USER_ROLE_LABELS[key] }))
+
   protected abstract serverService: ServerService
   abstract isCreation (): boolean
   abstract getFormButtonTitle (): string
diff --git a/client/src/app/+admin/users/user-edit/user-update.component.ts b/client/src/app/+admin/users/user-edit/user-update.component.ts
index bd901e655..bcba78a35 100644
--- a/client/src/app/+admin/users/user-edit/user-update.component.ts
+++ b/client/src/app/+admin/users/user-edit/user-update.component.ts
@@ -6,11 +6,15 @@ import { Subscription } from 'rxjs/Subscription'
 import { NotificationsService } from 'angular2-notifications'
 
 import { UserService } from '../shared'
-import { USER_EMAIL, USER_VIDEO_QUOTA } from '../../../shared'
+import {
+  USER_EMAIL,
+  USER_VIDEO_QUOTA,
+  USER_ROLE,
+  User
+} from '../../../shared'
 import { ServerService } from '../../../core'
-import { UserUpdate } from '../../../../../../shared/models/users/user-update.model'
-import { User } from '../../../shared/users/user.model'
 import { UserEdit } from './user-edit'
+import { UserUpdate, UserRole } from '../../../../../../shared'
 
 @Component({
   selector: 'my-user-update',
@@ -25,10 +29,12 @@ export class UserUpdateComponent extends UserEdit implements OnInit, OnDestroy {
   form: FormGroup
   formErrors = {
     'email': '',
+    'role': '',
     'videoQuota': ''
   }
   validationMessages = {
     'email': USER_EMAIL.MESSAGES,
+    'role': USER_ROLE.MESSAGES,
     'videoQuota': USER_VIDEO_QUOTA.MESSAGES
   }
 
@@ -48,6 +54,7 @@ export class UserUpdateComponent extends UserEdit implements OnInit, OnDestroy {
   buildForm () {
     this.form = this.formBuilder.group({
       email:    [ '', USER_EMAIL.VALIDATORS ],
+      role: [ '', USER_ROLE.VALIDATORS ],
       videoQuota: [ '-1', USER_VIDEO_QUOTA.VALIDATORS ]
     })
 
@@ -103,6 +110,7 @@ export class UserUpdateComponent extends UserEdit implements OnInit, OnDestroy {
 
     this.form.patchValue({
       email: userJson.email,
+      role: userJson.role,
       videoQuota: userJson.videoQuota
     })
   }
diff --git a/client/src/app/+admin/users/user-list/user-list.component.html b/client/src/app/+admin/users/user-list/user-list.component.html
index 2944e3cbf..16a8a8033 100644
--- a/client/src/app/+admin/users/user-list/user-list.component.html
+++ b/client/src/app/+admin/users/user-list/user-list.component.html
@@ -11,7 +11,7 @@
       <p-column field="username" header="Username" [sortable]="true"></p-column>
       <p-column field="email" header="Email"></p-column>
       <p-column field="videoQuota" header="Video quota"></p-column>
-      <p-column field="role" header="Role"></p-column>
+      <p-column field="roleLabel" header="Role"></p-column>
       <p-column field="createdAt" header="Created date" [sortable]="true"></p-column>
       <p-column header="Edit" styleClass="action-cell">
         <ng-template pTemplate="body" let-user="rowData">
diff --git a/client/src/app/+admin/users/users.routes.ts b/client/src/app/+admin/users/users.routes.ts
index a6a9c4c19..3718dfd5c 100644
--- a/client/src/app/+admin/users/users.routes.ts
+++ b/client/src/app/+admin/users/users.routes.ts
@@ -1,5 +1,7 @@
 import { Routes } from '@angular/router'
 
+import { UserRightGuard } from '../../core'
+import { UserRight } from '../../../../../shared'
 import { UsersComponent } from './users.component'
 import { UserAddComponent, UserUpdateComponent } from './user-edit'
 import { UserListComponent } from './user-list'
@@ -8,6 +10,10 @@ export const UsersRoutes: Routes = [
   {
     path: 'users',
     component: UsersComponent,
+    canActivate: [ UserRightGuard ],
+    data: {
+      userRight: UserRight.MANAGE_USERS
+    },
     children: [
       {
         path: '',
diff --git a/client/src/app/+admin/video-abuses/video-abuses.routes.ts b/client/src/app/+admin/video-abuses/video-abuses.routes.ts
index a8c1561cd..68b756059 100644
--- a/client/src/app/+admin/video-abuses/video-abuses.routes.ts
+++ b/client/src/app/+admin/video-abuses/video-abuses.routes.ts
@@ -1,13 +1,18 @@
 import { Routes } from '@angular/router'
 
+import { UserRightGuard } from '../../core'
+import { UserRight } from '../../../../../shared'
 import { VideoAbusesComponent } from './video-abuses.component'
 import { VideoAbuseListComponent } from './video-abuse-list'
 
 export const VideoAbusesRoutes: Routes = [
   {
     path: 'video-abuses',
-    component: VideoAbusesComponent
-    ,
+    component: VideoAbusesComponent,
+    canActivate: [ UserRightGuard ],
+    data: {
+      userRight: UserRight.MANAGE_VIDEO_ABUSES
+    },
     children: [
       {
         path: '',
diff --git a/client/src/app/+admin/video-blacklist/video-blacklist.routes.ts b/client/src/app/+admin/video-blacklist/video-blacklist.routes.ts
index 682b6f8bd..b1e0e5049 100644
--- a/client/src/app/+admin/video-blacklist/video-blacklist.routes.ts
+++ b/client/src/app/+admin/video-blacklist/video-blacklist.routes.ts
@@ -1,5 +1,7 @@
 import { Routes } from '@angular/router'
 
+import { UserRightGuard } from '../../core'
+import { UserRight } from '../../../../../shared'
 import { VideoBlacklistComponent } from './video-blacklist.component'
 import { VideoBlacklistListComponent } from './video-blacklist-list'
 
@@ -7,6 +9,10 @@ export const VideoBlacklistRoutes: Routes = [
   {
     path: 'video-blacklist',
     component: VideoBlacklistComponent,
+    canActivate: [ UserRightGuard ],
+    data: {
+      userRight: UserRight.MANAGE_VIDEO_BLACKLIST
+    },
     children: [
       {
         path: '',
diff --git a/client/src/app/core/auth/auth-user.model.ts b/client/src/app/core/auth/auth-user.model.ts
index 81bff99a0..085b763ec 100644
--- a/client/src/app/core/auth/auth-user.model.ts
+++ b/client/src/app/core/auth/auth-user.model.ts
@@ -1,6 +1,7 @@
 // Do not use the barrel (dependency loop)
-import { UserRole } from '../../../../../shared/models/users/user-role.type'
+import { hasUserRight, UserRole } from '../../../../../shared/models/users/user-role'
 import { User, UserConstructorHash } from '../../shared/users/user.model'
+import { UserRight } from '../../../../../shared/models/users/user-right.enum'
 
 export type TokenOptions = {
   accessToken: string
@@ -81,7 +82,7 @@ export class AuthUser extends User {
           id: parseInt(localStorage.getItem(this.KEYS.ID), 10),
           username: localStorage.getItem(this.KEYS.USERNAME),
           email: localStorage.getItem(this.KEYS.EMAIL),
-          role: localStorage.getItem(this.KEYS.ROLE) as UserRole,
+          role: parseInt(localStorage.getItem(this.KEYS.ROLE), 10) as UserRole,
           displayNSFW: localStorage.getItem(this.KEYS.DISPLAY_NSFW) === 'true'
         },
         Tokens.load()
@@ -122,11 +123,15 @@ export class AuthUser extends User {
     this.tokens.refreshToken = refreshToken
   }
 
+  hasRight(right: UserRight) {
+    return hasUserRight(this.role, right)
+  }
+
   save () {
     localStorage.setItem(AuthUser.KEYS.ID, this.id.toString())
     localStorage.setItem(AuthUser.KEYS.USERNAME, this.username)
     localStorage.setItem(AuthUser.KEYS.EMAIL, this.email)
-    localStorage.setItem(AuthUser.KEYS.ROLE, this.role)
+    localStorage.setItem(AuthUser.KEYS.ROLE, this.role.toString())
     localStorage.setItem(AuthUser.KEYS.DISPLAY_NSFW, JSON.stringify(this.displayNSFW))
     this.tokens.save()
   }
diff --git a/client/src/app/core/auth/auth.service.ts b/client/src/app/core/auth/auth.service.ts
index 9ac9ba7bb..df6e5135b 100644
--- a/client/src/app/core/auth/auth.service.ts
+++ b/client/src/app/core/auth/auth.service.ts
@@ -21,7 +21,7 @@ import {
 // Do not use the barrel (dependency loop)
 import { RestExtractor } from '../../shared/rest'
 import { UserLogin } from '../../../../../shared/models/users/user-login.model'
-import { User, UserConstructorHash } from '../../shared/users/user.model'
+import { UserConstructorHash } from '../../shared/users/user.model'
 
 interface UserLoginWithUsername extends UserLogin {
   access_token: string
@@ -126,12 +126,6 @@ export class AuthService {
     return this.user
   }
 
-  isAdmin () {
-    if (this.user === null) return false
-
-    return this.user.isAdmin()
-  }
-
   isLoggedIn () {
     return !!this.getAccessToken()
   }
diff --git a/client/src/app/core/auth/index.ts b/client/src/app/core/auth/index.ts
index a81f2c002..bc7bfec0e 100644
--- a/client/src/app/core/auth/index.ts
+++ b/client/src/app/core/auth/index.ts
@@ -1,4 +1,4 @@
 export * from './auth-status.model'
 export * from './auth-user.model'
 export * from './auth.service'
-export * from './login-guard.service'
+export * from '../routing/login-guard.service'
diff --git a/client/src/app/core/core.module.ts b/client/src/app/core/core.module.ts
index 163a6bbde..90e2cb190 100644
--- a/client/src/app/core/core.module.ts
+++ b/client/src/app/core/core.module.ts
@@ -7,7 +7,8 @@ import { BrowserAnimationsModule } from '@angular/platform-browser/animations'
 import { SimpleNotificationsModule } from 'angular2-notifications'
 import { ModalModule } from 'ngx-bootstrap/modal'
 
-import { AuthService, LoginGuard } from './auth'
+import { AuthService } from './auth'
+import { LoginGuard, UserRightGuard } from './routing'
 import { ServerService } from './server'
 import { ConfirmComponent, ConfirmService } from './confirm'
 import { MenuComponent, MenuAdminComponent } from './menu'
@@ -42,7 +43,8 @@ import { throwIfAlreadyLoaded } from './module-import-guard'
     AuthService,
     ConfirmService,
     ServerService,
-    LoginGuard
+    LoginGuard,
+    UserRightGuard
   ]
 })
 export class CoreModule {
diff --git a/client/src/app/core/menu/menu-admin.component.html b/client/src/app/core/menu/menu-admin.component.html
index edacdee6d..c2b2958b4 100644
--- a/client/src/app/core/menu/menu-admin.component.html
+++ b/client/src/app/core/menu/menu-admin.component.html
@@ -1,26 +1,26 @@
 <menu>
   <div class="panel-block">
-    <a routerLink="/admin/users/list" routerLinkActive="active">
+    <a *ngIf="hasUsersRight()" routerLink="/admin/users" routerLinkActive="active">
       <span class="hidden-xs glyphicon glyphicon-user"></span>
       List users
     </a>
 
-    <a routerLink="/admin/friends/list" routerLinkActive="active">
+    <a *ngIf="hasFriendsRight()" routerLink="/admin/friends" routerLinkActive="active">
       <span class="hidden-xs glyphicon glyphicon-cloud"></span>
       List friends
     </a>
 
-    <a routerLink="/admin/requests/stats" routerLinkActive="active">
+    <a *ngIf="hasRequestsStatRight()" routerLink="/admin/requests/stats" routerLinkActive="active">
       <span class="hidden-xs glyphicon glyphicon-stats"></span>
       Request stats
     </a>
 
-    <a routerLink="/admin/video-abuses/list" routerLinkActive="active">
+    <a *ngIf="hasVideoAbusesRight()" routerLink="/admin/video-abuses" routerLinkActive="active">
       <span class="hidden-xs glyphicon glyphicon-alert"></span>
       Video abuses
     </a>
 
-    <a routerLink="/admin/video-blacklist/list" routerLinkActive="active">
+    <a *ngIf="hasVideoBlacklistRight()" routerLink="/admin/video-blacklist" routerLinkActive="active">
       <span class="hidden-xs glyphicon glyphicon-eye-close"></span>
       Video blacklist
     </a>
diff --git a/client/src/app/core/menu/menu-admin.component.ts b/client/src/app/core/menu/menu-admin.component.ts
index f6cc6554c..074f1dbaf 100644
--- a/client/src/app/core/menu/menu-admin.component.ts
+++ b/client/src/app/core/menu/menu-admin.component.ts
@@ -1,8 +1,33 @@
 import { Component } from '@angular/core'
 
+import { AuthService } from '../auth/auth.service'
+import { UserRight } from '../../../../../shared'
+
 @Component({
   selector: 'my-menu-admin',
   templateUrl: './menu-admin.component.html',
   styleUrls: [ './menu.component.scss' ]
 })
-export class MenuAdminComponent { }
+export class MenuAdminComponent {
+  constructor (private auth: AuthService) {}
+
+  hasUsersRight () {
+    return this.auth.getUser().hasRight(UserRight.MANAGE_USERS)
+  }
+
+  hasFriendsRight () {
+    return this.auth.getUser().hasRight(UserRight.MANAGE_PODS)
+  }
+
+  hasRequestsStatRight () {
+    return this.auth.getUser().hasRight(UserRight.MANAGE_REQUEST_SCHEDULERS)
+  }
+
+  hasVideoAbusesRight () {
+    return this.auth.getUser().hasRight(UserRight.MANAGE_VIDEO_ABUSES)
+  }
+
+  hasVideoBlacklistRight () {
+    return this.auth.getUser().hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)
+  }
+}
diff --git a/client/src/app/core/menu/menu.component.html b/client/src/app/core/menu/menu.component.html
index ca341a0fd..2d8aace54 100644
--- a/client/src/app/core/menu/menu.component.html
+++ b/client/src/app/core/menu/menu.component.html
@@ -39,10 +39,10 @@
     </a>
   </div>
 
-  <div *ngIf="isUserAdmin()" class="panel-block">
+  <div *ngIf="userHasAdminAccess" class="panel-block">
     <div class="block-title">Other</div>
 
-    <a routerLink="/admin" routerLinkActive="active">
+    <a [routerLink]="getFirstAdminRouteAvailable()" routerLinkActive="active">
       <span class="hidden-xs glyphicon glyphicon-cog"></span>
       Administration
     </a>
diff --git a/client/src/app/core/menu/menu.component.ts b/client/src/app/core/menu/menu.component.ts
index 8f15d8838..c66a5eccc 100644
--- a/client/src/app/core/menu/menu.component.ts
+++ b/client/src/app/core/menu/menu.component.ts
@@ -3,6 +3,7 @@ import { Router } from '@angular/router'
 
 import { AuthService, AuthStatus } from '../auth'
 import { ServerService } from '../server'
+import { UserRight } from '../../../../../shared/models/users/user-right.enum'
 
 @Component({
   selector: 'my-menu',
@@ -11,6 +12,15 @@ import { ServerService } from '../server'
 })
 export class MenuComponent implements OnInit {
   isLoggedIn: boolean
+  userHasAdminAccess = false
+
+  private routesPerRight = {
+    [UserRight.MANAGE_USERS]: '/admin/users',
+    [UserRight.MANAGE_PODS]: '/admin/friends',
+    [UserRight.MANAGE_REQUEST_SCHEDULERS]: '/admin/requests/stats',
+    [UserRight.MANAGE_VIDEO_ABUSES]: '/admin/video-abuses',
+    [UserRight.MANAGE_VIDEO_BLACKLIST]: '/admin/video-blacklist'
+  }
 
   constructor (
     private authService: AuthService,
@@ -20,14 +30,17 @@ export class MenuComponent implements OnInit {
 
   ngOnInit () {
     this.isLoggedIn = this.authService.isLoggedIn()
+    this.computeIsUserHasAdminAccess()
 
     this.authService.loginChangedSource.subscribe(
       status => {
         if (status === AuthStatus.LoggedIn) {
           this.isLoggedIn = true
+          this.computeIsUserHasAdminAccess()
           console.log('Logged in.')
         } else if (status === AuthStatus.LoggedOut) {
           this.isLoggedIn = false
+          this.computeIsUserHasAdminAccess()
           console.log('Logged out.')
         } else {
           console.error('Unknown auth status: ' + status)
@@ -40,8 +53,31 @@ export class MenuComponent implements OnInit {
     return this.serverService.getConfig().signup.allowed
   }
 
-  isUserAdmin () {
-    return this.authService.isAdmin()
+  getFirstAdminRightAvailable () {
+    const user = this.authService.getUser()
+    if (!user) return undefined
+
+    const adminRights = [
+      UserRight.MANAGE_USERS,
+      UserRight.MANAGE_PODS,
+      UserRight.MANAGE_REQUEST_SCHEDULERS,
+      UserRight.MANAGE_VIDEO_ABUSES,
+      UserRight.MANAGE_VIDEO_BLACKLIST
+    ]
+
+    for (const adminRight of adminRights) {
+      if (user.hasRight(adminRight)) {
+        return adminRight
+      }
+    }
+
+    return undefined
+  }
+
+  getFirstAdminRouteAvailable () {
+    const right = this.getFirstAdminRightAvailable()
+
+    return this.routesPerRight[right]
   }
 
   logout () {
@@ -49,4 +85,10 @@ export class MenuComponent implements OnInit {
     // Redirect to home page
     this.router.navigate(['/videos/list'])
   }
+
+  private computeIsUserHasAdminAccess () {
+    const right = this.getFirstAdminRightAvailable()
+
+    this.userHasAdminAccess = right !== undefined
+  }
 }
diff --git a/client/src/app/core/routing/index.ts b/client/src/app/core/routing/index.ts
index 17f3ee833..d1b982834 100644
--- a/client/src/app/core/routing/index.ts
+++ b/client/src/app/core/routing/index.ts
@@ -1 +1,3 @@
+export * from './login-guard.service'
+export * from './user-right-guard.service'
 export * from './preload-selected-modules-list'
diff --git a/client/src/app/core/auth/login-guard.service.ts b/client/src/app/core/routing/login-guard.service.ts
index c09e8fe97..18bc41ca6 100644
--- a/client/src/app/core/auth/login-guard.service.ts
+++ b/client/src/app/core/routing/login-guard.service.ts
@@ -7,7 +7,7 @@ import {
   Router
 } from '@angular/router'
 
-import { AuthService } from './auth.service'
+import { AuthService } from '../auth/auth.service'
 
 @Injectable()
 export class LoginGuard implements CanActivate, CanActivateChild {
diff --git a/client/src/app/+admin/admin-guard.service.ts b/client/src/app/core/routing/user-right-guard.service.ts
index 429dc032d..65d029977 100644
--- a/client/src/app/+admin/admin-guard.service.ts
+++ b/client/src/app/core/routing/user-right-guard.service.ts
@@ -7,10 +7,10 @@ import {
   Router
 } from '@angular/router'
 
-import { AuthService } from '../core'
+import { AuthService } from '../auth'
 
 @Injectable()
-export class AdminGuard implements CanActivate, CanActivateChild {
+export class UserRightGuard implements CanActivate, CanActivateChild {
 
   constructor (
     private router: Router,
@@ -18,7 +18,12 @@ export class AdminGuard implements CanActivate, CanActivateChild {
   ) {}
 
   canActivate (route: ActivatedRouteSnapshot, state: RouterStateSnapshot) {
-    if (this.auth.isAdmin() === true) return true
+    const user = this.auth.getUser()
+    if (user) {
+      const neededUserRight = route.data.userRight
+
+      if (user.hasRight(neededUserRight)) return true
+    }
 
     this.router.navigate([ '/login' ])
     return false
diff --git a/client/src/app/shared/forms/form-validators/user.ts b/client/src/app/shared/forms/form-validators/user.ts
index d4c4c1d33..e7473b75b 100644
--- a/client/src/app/shared/forms/form-validators/user.ts
+++ b/client/src/app/shared/forms/form-validators/user.ts
@@ -29,3 +29,9 @@ export const USER_VIDEO_QUOTA = {
     'min': 'Quota must be greater than -1.'
   }
 }
+export const USER_ROLE = {
+  VALIDATORS: [ Validators.required ],
+  MESSAGES: {
+    'required': 'User role is required.',
+  }
+}
diff --git a/client/src/app/shared/users/user.model.ts b/client/src/app/shared/users/user.model.ts
index 7beea5910..d738899ab 100644
--- a/client/src/app/shared/users/user.model.ts
+++ b/client/src/app/shared/users/user.model.ts
@@ -1,7 +1,9 @@
 import {
   User as UserServerModel,
   UserRole,
-  VideoChannel
+  VideoChannel,
+  UserRight,
+  hasUserRight
 } from '../../../../../shared'
 
 export type UserConstructorHash = {
@@ -56,7 +58,7 @@ export class User implements UserServerModel {
     }
   }
 
-  isAdmin () {
-    return this.role === 'admin'
+  hasRight (right: UserRight) {
+    return hasUserRight(this.role, right)
   }
 }
diff --git a/client/src/app/videos/shared/video-details.model.ts b/client/src/app/videos/shared/video-details.model.ts
index e99a5ce2e..3a6ecc480 100644
--- a/client/src/app/videos/shared/video-details.model.ts
+++ b/client/src/app/videos/shared/video-details.model.ts
@@ -1,9 +1,11 @@
 import { Video } from './video.model'
+import { AuthUser } from '../../core'
 import {
   VideoDetails as VideoDetailsServerModel,
   VideoFile,
   VideoChannel,
-  VideoResolution
+  VideoResolution,
+  UserRight
 } from '../../../../../shared'
 
 export class VideoDetails extends Video implements VideoDetailsServerModel {
@@ -61,15 +63,15 @@ export class VideoDetails extends Video implements VideoDetailsServerModel {
     return betterResolutionFile.magnetUri
   }
 
-  isRemovableBy (user) {
-    return user && this.isLocal === true && (this.author === user.username || user.isAdmin() === true)
+  isRemovableBy (user: AuthUser) {
+    return user && this.isLocal === true && (this.author === user.username || user.hasRight(UserRight.REMOVE_ANY_VIDEO))
   }
 
-  isBlackistableBy (user) {
-    return user && user.isAdmin() === true && this.isLocal === false
+  isBlackistableBy (user: AuthUser) {
+    return user && user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST) === true && this.isLocal === false
   }
 
-  isUpdatableBy (user) {
+  isUpdatableBy (user: AuthUser) {
     return user && this.isLocal === true && user.username === this.author
   }
 }
diff --git a/client/src/app/videos/video-list/video-list.component.ts b/client/src/app/videos/video-list/video-list.component.ts
index 35a7b6521..bf6f60215 100644
--- a/client/src/app/videos/video-list/video-list.component.ts
+++ b/client/src/app/videos/video-list/video-list.component.ts
@@ -12,7 +12,7 @@ import {
   VideoService,
   VideoPagination
 } from '../shared'
-import { Search, SearchField, SearchService, User} from '../../shared'
+import { Search, SearchField, SearchService, User } from '../../shared'
 
 @Component({
   selector: 'my-videos-list',