Admin user edit: UI, API and server guard

Add full admin user editing flow: introduce EditUserDialog component and integrate it into AdminUserDetail (with minor copy and button variant tweaks), plus layout tweaks to animate the account chevron. Implement updateAdminUser(...) in GUI services to PATCH /auth/user/{id} with comprehensive error handling and export FORBIDDEN_NOT_ADMIN_MESSAGE. Server-side AppUserController now prevents deactivating users in the Admin role and returns a 403, ensuring admin accounts cannot be disabled. These changes enable editing usernames and activation status from the admin UI while protecting admin accounts.
Jonas
2026-05-01 15:40:54 +02:00
parent 847ac119d8
commit 1d00fb3a4b
5 changed files with 395 additions and 6 deletions
@@ -2,6 +2,7 @@ using API.Contracts.Auth;
using API.Models;
using API.Security;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
@@ -48,6 +49,12 @@ namespace API.Controllers.Auth
if (changeDto.IsActive != null)
{
if (!changeDto.IsActive.Value && await userManager.IsInRoleAsync(user, RoleNames.Admin))
{
return StatusCode(StatusCodes.Status403Forbidden,
new { message = "Adminkonten können nicht deaktiviert werden." });
}
user.IsActive = changeDto.IsActive.Value;
if (!changeDto.IsActive.Value)
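Review bot: the new guard at `if (!changeDto.IsActive.Value && await userManager.IsInRoleAsync(user, RoleNames.Admin))` reuses 403 Forbidden for a rule about the target account, while the commit message says the GUI's updateAdminUser maps a 403 to FORBIDDEN_NOT_ADMIN_MESSAGE; an admin who tries to deactivate another admin will then be told they are not an admin, which is the wrong explanation. Either return a status the client can distinguish (409 Conflict or 400 with a machine-readable code alongside `message`) or have the client key on the error code rather than the status alone. Two smaller points on the same lines: the message `"Adminkonten können nicht deaktiviert werden."` is a hard-coded German string in the controller, so it should follow whatever localization convention the other API error responses use, and the guard only covers the IsActive branch, so it is worth a controller test that PATCHes an Admin-role user with `IsActive = false` and asserts the rejection, plus a note on whether role removal in the same PATCH is handled elsewhere.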