feat(admin): expand user management with detail page + new actions #59

Merged

YousifShkara merged 1 commit from feat/admin-user-management into main 2026-06-04 03:38:02 +02:00

Conversation 0 Commits 1 Files changed 3 +222 -4

YousifShkara commented 2026-06-04 03:37:59 +02:00

Owner

Copy link

The /admin/users page only exposed Make/Demote Admin and Delete. Backend
already supports more (suspend via /status, password-reset email, lifetime
grant, single-user fetch). Wire them up:

• New row actions: View, Reset Password, Lifetime (hidden if already
  granted), Suspend. Each routed via a corresponding bunyip-web POST
  handler that calls the matching bunyip-api endpoint.
• New /admin/users/{id} detail page (GET) showing the user's profile +
  every admin action in one place. Linked from the list View button so
  admins can read full context before acting.
• Existing user_role / user_delete handlers gained redirect_cookies so
  any rotated session cookies survive the form-submit hop. Was
  redirect(...) which dropped Set-Cookies on the floor; same fix applied
  to the new handlers up-front.
• New api/admin.rs client methods: get_user, suspend_user,
  admin_reset_password, grant_lifetime. Mirror the existing thin
  wrap-call-parse pattern.

Notes:

• Suspend is one-way today: the backend rejects PUT /status with
  active=true (Cannot reactivate deleted users through this endpoint).
  Tracked as follow-up; reactivation needs a new endpoint.
• Impersonate is intentionally NOT exposed in this UI - the backend
  endpoint exists but the SSR flow for swapping the admin's bearer for
  an impersonated user's needs its own design pass.
• All write actions go through admin_guard; failures bubble through let
  _ = with a redirect to the same surface, matching the pattern used by
  the entitlement actions.

The /admin/users page only exposed Make/Demote Admin and Delete. Backend already supports more (suspend via /status, password-reset email, lifetime grant, single-user fetch). Wire them up: - New row actions: View, Reset Password, Lifetime (hidden if already granted), Suspend. Each routed via a corresponding bunyip-web POST handler that calls the matching bunyip-api endpoint. - New /admin/users/{id} detail page (GET) showing the user's profile + every admin action in one place. Linked from the list View button so admins can read full context before acting. - Existing user_role / user_delete handlers gained redirect_cookies so any rotated session cookies survive the form-submit hop. Was redirect(...) which dropped Set-Cookies on the floor; same fix applied to the new handlers up-front. - New api/admin.rs client methods: get_user, suspend_user, admin_reset_password, grant_lifetime. Mirror the existing thin wrap-call-parse pattern. Notes: - Suspend is one-way today: the backend rejects PUT /status with active=true (Cannot reactivate deleted users through this endpoint). Tracked as follow-up; reactivation needs a new endpoint. - Impersonate is intentionally NOT exposed in this UI - the backend endpoint exists but the SSR flow for swapping the admin's bearer for an impersonated user's needs its own design pass. - All write actions go through admin_guard; failures bubble through let _ = with a redirect to the same surface, matching the pattern used by the entitlement actions.

YousifShkara self-assigned this 2026-06-04 03:37:59 +02:00

YousifShkara added 1 commit 2026-06-04 03:37:59 +02:00

feat(admin): expand user management with detail page + new actions ... fff3968af3

The /admin/users page only exposed Make/Demote Admin and Delete. Backend
already supports more (suspend via /status, password-reset email, lifetime
grant, single-user fetch). Wire them up:

- New row actions: View, Reset Password, Lifetime (hidden if already
  granted), Suspend. Each routed via a corresponding bunyip-web POST
  handler that calls the matching bunyip-api endpoint.
- New /admin/users/{id} detail page (GET) showing the user's profile +
  every admin action in one place. Linked from the list View button so
  admins can read full context before acting.
- Existing user_role / user_delete handlers gained redirect_cookies so
  any rotated session cookies survive the form-submit hop. Was
  redirect(...) which dropped Set-Cookies on the floor; same fix applied
  to the new handlers up-front.
- New api/admin.rs client methods: get_user, suspend_user,
  admin_reset_password, grant_lifetime. Mirror the existing thin
  wrap-call-parse pattern.

Notes:
- Suspend is one-way today: the backend rejects PUT /status with
  active=true (Cannot reactivate deleted users through this endpoint).
  Tracked as follow-up; reactivation needs a new endpoint.
- Impersonate is intentionally NOT exposed in this UI - the backend
  endpoint exists but the SSR flow for swapping the admin's bearer for
  an impersonated user's needs its own design pass.
- All write actions go through admin_guard; failures bubble through let
  _ = with a redirect to the same surface, matching the pattern used by
  the entitlement actions.

YousifShkara merged commit 61c851df01 into main 2026-06-04 03:38:02 +02:00

YousifShkara deleted branch feat/admin-user-management 2026-06-04 03:38:03 +02:00

YousifShkara referenced this pull request from a commit 2026-06-04 03:38:04 +02:00

Merge pull request 'feat(admin): expand user management with detail page + new actions' (#59) from feat/admin-user-management into main

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

YousifShkara

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

psa-systems/bunyip!59

No description provided.