Feature: Admin user management QA nits -- UUID validation, self-demotion guard, password docs #127

Open
opened 2026-03-28 02:06:25 +00:00 by forgejo_admin · 0 comments

Type

Feature

Lineage

Standalone -- migrated from todo-westside-app-pr11-qa-nits in pal-e-docs. QA nits from westside-app PR #11 (merged 2026-03-14), deferred as non-blocking.

Repo

forgejo_admin/westside-app

User Story

As an admin managing users,
I want the admin user management page to validate UUIDs, prevent self-demotion, and document password handling,
So that the admin experience is safe and well-documented.

Context

Three non-blocking QA nits from PR #11 (admin user management page):

  1. userId UUID validation -- validate UUID format before passing to Keycloak Admin API. Prevents malformed IDs from reaching the API and producing cryptic errors.
  2. Admin self-demotion protection -- prevent an admin from removing their own admin role via the role dropdown. Could lock everyone out if the last admin demotes themselves.
  3. Password-in-response documentation -- document that the reset password is returned in the SvelteKit form action result (server-side only, not leaked to client network tab). Confirm Auth.js session does not cache it.

File Targets

Files the agent should modify or create:

  • src/routes/admin/users/+page.server.ts -- UUID validation + self-demotion guard logic
  • src/routes/admin/users/+page.svelte -- UI feedback for blocked self-demotion
  • docs/ or inline code comments -- password handling documentation

Files the agent should NOT touch:

  • Keycloak configuration -- no server-side Keycloak changes needed

Acceptance Criteria

  • UUID format validated before Keycloak API calls (reject malformed UUIDs with clear error)
  • Admin cannot remove their own admin role (dropdown disabled or action blocked with message)
  • Password handling documented (server-side only, no client leakage confirmed)

Test Expectations

  • Unit test: malformed UUID rejected before API call
  • Unit test: self-demotion attempt blocked
  • Manual verification: password not visible in browser network tab

Constraints

  • Low priority -- defensive hardening, not urgent
  • Items 1-2 are code changes, item 3 is documentation only
  • Match existing code patterns in the admin user management page

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • westside-basketball -- project
  • westside-app PR #11 -- source of these nits
Reference
forgejo_admin/westside-app#127