feat: admin user management with UUID validation, self-demotion guard, password docs #181

Merged
forgejo_admin merged 1 commit from 127-admin-qa-nits into main 2026-03-29 18:53:04 +00:00

Summary

Re-creates the admin user management page (originally from PR #11) adapted for the current client-side SPA architecture (adapter-static + keycloak-js). Bakes in the three QA nits from PR #11 review as defensive improvements rather than afterthoughts.

Changes

  • src/lib/keycloak.js -- added getUserId() function exposing the token sub claim (Keycloak UUID)
  • src/routes/(app)/admin/users/+page.svelte -- new admin user management page with all three QA nits:
    1. UUID validation: regex check before any Keycloak API call rejects malformed IDs with clear error
    2. Self-demotion guard: compares edited user ID against current admin's ID, blocks role demotion with explanation
    3. Password handling docs: inline code comments + UI tooltip documenting server-side-only password handling
  • src/routes/(app)/admin/+page.svelte -- added "Users" link to admin dashboard manage section, renamed Keycloak link to "Keycloak Console"

Test Plan

  • Build passes: npm run build succeeds with 0 errors
  • svelte-check passes: 0 errors, no new warnings
  • UUID validation: page rejects non-UUID strings before API call (client-side guard)
  • Self-demotion: current admin sees "locked" hint, role dropdown change to non-admin triggers error message
  • Password banner: shows server-side-only documentation note, dismissable, copy works
  • Page gracefully handles missing API endpoints (shows yellow warning, not crash)
  • Admin dashboard links to /admin/users
  • Manual: verify password not visible in browser network tab as URL parameter

Review Checklist

  • No Tailwind -- pure CSS vars + explicit styles
  • Matches existing code patterns (apiFetch, keycloak.js exports, card-list/card-row components)
  • 0 build errors, 0 svelte-check errors, no new warnings
  • Scoped CSS in component, design tokens from app.css
  • Graceful degradation when API endpoints not yet available

Related Notes

  • Forgejo issue: #127
  • Closes #127
  • Source: QA nits from westside-app PR #11 (merged 2026-03-14)
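The two client-side guards the description lists (a UUID check before any Keycloak admin call, and a self-demotion guard keyed on the token's `sub` claim), written out as an added example. This is not code from the westside-app project or from this PR; it assumes Keycloak user IDs are RFC 4122-shaped UUIDs, that the admin role is named "admin", and that `atob`, `btoa` and `TextDecoder` are available (browsers and Node 16+). The function names, the realm name and the demo token are all constructed for the example.

```javascript
// Added example, not code from the westside-app project: client-side guards for
// an admin user page backed by Keycloak. Assumptions: Keycloak user IDs are
// RFC 4122-shaped UUIDs, the admin role is named "admin", and atob/btoa/
// TextDecoder exist (browsers, Node 16+). All names and IDs here are made up.

// 8-4-4-4-12 hex groups, case-insensitive. Deliberately format-only: the job of
// this guard is to keep junk and path fragments out of an admin API URL, not to
// enforce a particular UUID version.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function isValidUuid(id) {
  return typeof id === "string" && UUID_RE.test(id);
}

// JWT segments are base64url without padding; normalise before decoding.
function b64urlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bin = atob(padded);
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
}

function b64urlEncode(s) {
  return btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Read `sub` from an access token. This parses only, it does not verify: the
// value drives a UX guard in the browser, and the server verifies the token's
// signature on every admin request regardless of what the client decided.
function getUserIdFromToken(token) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) throw new TypeError("token is not a JWT");
  const payload = JSON.parse(b64urlDecode(parts[1]));
  if (!isValidUuid(payload.sub)) throw new TypeError("token sub is not a UUID");
  return payload.sub.toLowerCase();
}

// Build the admin API path only from a validated ID, so a value such as
// "../../realms/master" can never be spliced into the URL.
function userAdminPath(realm, userId) {
  if (!isValidUuid(userId)) {
    throw new RangeError(`refusing to build admin path for malformed user ID: ${userId}`);
  }
  return `/admin/realms/${encodeURIComponent(realm)}/users/${userId.toLowerCase()}`;
}

// Decide whether a role change may be submitted. Returns { ok, reason }.
// Blocks the current admin from moving themselves off the admin role; every
// other change is passed through to the API, which stays the authority.
function checkRoleChange({ targetId, currentAdminId, newRole, adminRole = "admin" }) {
  if (!isValidUuid(targetId)) {
    return { ok: false, reason: `"${targetId}" is not a valid user ID` };
  }
  if (!isValidUuid(currentAdminId)) {
    return { ok: false, reason: "cannot determine the current admin's ID" };
  }
  const isSelf = targetId.toLowerCase() === currentAdminId.toLowerCase();
  if (isSelf && newRole !== adminRole) {
    return {
      ok: false,
      reason: "You cannot remove your own admin role; ask another admin to do it",
    };
  }
  return { ok: true, reason: "" };
}

// Constructed, unsigned token (alg "none") for the demo only; a real token from
// keycloak-js is signed by the realm and validated server-side.
function makeDemoToken(payload) {
  const header = b64urlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  return `${header}.${b64urlEncode(JSON.stringify(payload))}.`;
}

// Demo run: the signed-in admin tries to demote themselves.
const DEMO_ADMIN = "3f2c6d0e-1a2b-4c3d-8e9f-0a1b2c3d4e5f"; // constructed
const demoToken = makeDemoToken({ sub: DEMO_ADMIN, preferred_username: "alice" });
const me = getUserIdFromToken(demoToken);
console.log(userAdminPath("westside", me));
console.log(checkRoleChange({ targetId: me, currentAdminId: me, newRole: "user" }));
```

Both guards are user-experience controls, exactly as the test plan labels them ("client-side guard"): anyone holding the admin token can skip the page and send the request directly, so the authoritative checks (who may change which role, and whether an admin may drop their own role) have to be enforced by the API behind `apiFetch` or by Keycloak's own authorization on the admin endpoints. The UUID check earns its place because it fails closed before a request is built, which is the point the description makes about rejecting malformed IDs "before any Keycloak API call".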
feat: add admin user management page with UUID validation, self-demotion guard, and password docs (#127)
All checks were successful
ci/woodpecker/pr/woodpecker Pipeline was successful
acfc6a4572
Re-creates the admin user management page (originally from PR #11) for the
client-side SPA architecture. Bakes in three QA nits as defensive improvements:

1. UUID validation before Keycloak API calls (regex check prevents malformed IDs)
2. Self-demotion guard prevents admin from removing their own admin role
3. Password reset section documents server-side-only handling (no client leakage)

Also adds getUserId() to keycloak.js and links the page from admin dashboard.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
forgejo_admin deleted branch 127-admin-qa-nits 2026-03-29 18:53:04 +00:00
Reference
ldraney/westside-app!181