Admin User Management (Create, List, Update, Delete Users) (SZ-39)
rk@tigase.net opened 4 weeks ago

Overview

Sztab currently allows full authentication and self-service profile updates, but there is no admin-facing UI or REST-endpoint layer to manage other users.
This issue introduces complete Admin User Management, enabling administrators to:

  • Create users
  • List all users
  • Update user data (name, email, roles, status flags)
  • Delete users

All operations will require the ADMIN role.

This is the foundation for onboarding developers, QA engineers, project managers, and other team members into Sztab.


Scope

1. Backend: REST Endpoints

Add new admin-only endpoints to UserController:

  • POST /api/users → create a new user
  • GET /api/users → list all users
  • GET /api/users/{id} → fetch user by ID
  • PUT /api/users/{id} → update user fields
  • DELETE /api/users/{id} → delete user

DTOs required:

  • UserCreateDto
  • UserUpdateDto
  • UserDto (response)

Business rules:

  • Username and email MUST be unique
  • Cannot delete the last remaining admin
  • Cannot delete your own account
  • Role updates must validate role names
  • Password must be encoded when user is created

2. Backend: Service Layer

Extend UserService:

  • User createUser(UserCreateDto)
  • List<User> getAllUsers()
  • User updateUser(Long id, UserUpdateDto)
  • void deleteUser(Long id)
  • Keep existing self-service methods (getCurrentUser, updateCurrentUser, etc.)

Ensure:

  • Transactional boundaries are correct
  • Validation exceptions map to 400/409 correctly
  • Service prevents self-delete and last-admin-delete

3. Backend: Security Enforcement

All new endpoints must require:

@PreAuthorize("hasRole('ADMIN')")

Session auth only (no impact on JWT auth yet).
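The following is an added example, not the Sztab project's own code: one way to implement the endpoints, service methods and business rules described in sections 1 to 3, so the 400/409 mappings, the self-delete and last-admin guards, and the class-level ADMIN requirement are all visible in one place. It assumes a JPA User entity with username/name/email/passwordHash/roles/enabled accessors, a Role enum holding the project's role names, a UserDto.from(User) mapper, method security enabled, and the repository query names shown; none of these are on the page. ResponseStatusException stands in for the project's own validation exceptions.

```java
// Added example, not the Sztab project's own code: one way to implement the endpoints, service
// methods and business rules from sections 1-3 above. Assumed (not on the page): a JPA User entity
// with username/name/email/passwordHash/roles/enabled accessors, a Role enum with the project's role
// names, a UserDto.from(User) mapper, and method security enabled. ResponseStatusException is used
// instead of project-specific validation exceptions so rule violations map straight to 400/409.
package example.admin; // hypothetical package

import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.server.ResponseStatusException;

// Assumed DTO shapes, written as records so the fields used below are visible.
record UserCreateDto(String username, String email, String password, List<String> roles) {}
record UserUpdateDto(String name, String email, List<String> roles, boolean enabled) {}

interface UserRepository extends JpaRepository<User, Long> { // assumed; query names are this example's
    boolean existsByUsername(String username);
    boolean existsByEmail(String email);
    long countByRolesContaining(Role role);
}

@Service
@Transactional // one transaction per service call; an exception thrown below rolls it back
class AdminUserService {
    private final UserRepository users;
    private final PasswordEncoder encoder;
    AdminUserService(UserRepository users, PasswordEncoder encoder) { this.users = users; this.encoder = encoder; }

    public User getUser(Long id) {
        return users.findById(id).orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "no such user"));
    }
    public List<User> getAllUsers() { return users.findAll(); }

    public User createUser(UserCreateDto dto) {
        // Username and email must be unique: a duplicate is reported as 409 Conflict.
        if (users.existsByUsername(dto.username()) || users.existsByEmail(dto.email())) {
            throw new ResponseStatusException(HttpStatus.CONFLICT, "username or email already in use");
        }
        User u = new User();
        u.setUsername(dto.username());
        u.setEmail(dto.email());
        u.setRoles(parseRoles(dto.roles()));
        u.setPasswordHash(encoder.encode(dto.password())); // never persist the raw password
        return users.save(u);
    }

    public User updateUser(Long id, UserUpdateDto dto) {
        User u = getUser(id);
        u.setName(dto.name());
        u.setEmail(dto.email());
        u.setRoles(parseRoles(dto.roles())); // only validated role names reach the entity
        u.setEnabled(dto.enabled());
        return users.save(u);
    }

    public void deleteUser(Long id) {
        User target = getUser(id);
        // Rule: the caller cannot delete their own account (the session principal name is the username).
        String caller = SecurityContextHolder.getContext().getAuthentication().getName();
        if (target.getUsername().equals(caller)) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "cannot delete your own account");
        }
        // Rule: the last remaining admin cannot be deleted, or nobody could manage users afterwards.
        if (target.getRoles().contains(Role.ADMIN) && users.countByRolesContaining(Role.ADMIN) <= 1) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "cannot delete the last admin");
        }
        users.delete(target);
    }

    // Role names arrive as client strings; anything outside the Role enum is rejected with 400.
    static Set<Role> parseRoles(List<String> names) {
        try {
            return names.stream().map(Role::valueOf).collect(Collectors.toSet());
        } catch (IllegalArgumentException e) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "invalid role name");
        }
    }
}

@RestController
@RequestMapping("/api/users")
@PreAuthorize("hasRole('ADMIN')") // class-level: every handler below requires authority ROLE_ADMIN
class AdminUserController {
    private final AdminUserService service;
    AdminUserController(AdminUserService service) { this.service = service; }

    @PostMapping @ResponseStatus(HttpStatus.CREATED)
    public UserDto create(@RequestBody UserCreateDto dto) { return UserDto.from(service.createUser(dto)); }
    @GetMapping
    public List<UserDto> list() { return service.getAllUsers().stream().map(UserDto::from).toList(); }
    @GetMapping("/{id}")
    public UserDto get(@PathVariable Long id) { return UserDto.from(service.getUser(id)); }
    @PutMapping("/{id}")
    public UserDto update(@PathVariable Long id, @RequestBody UserUpdateDto dto) { return UserDto.from(service.updateUser(id, dto)); }
    @DeleteMapping("/{id}") @ResponseStatus(HttpStatus.NO_CONTENT)
    public void delete(@PathVariable Long id) { service.deleteUser(id); }
}
```

Two points worth checking when wiring this into a real Spring Security setup: hasRole('ADMIN') matches the granted authority ROLE_ADMIN, so the role-to-authority mapping used at login must add that prefix, and the class-level @PreAuthorize only takes effect when method security is enabled (@EnableMethodSecurity in Spring Security 6). The self-delete and last-admin checks live in the service rather than the controller so that any future caller (a JWT-authenticated path, a CLI, another service) gets the same guarantees.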

4. Unit + Integration Tests

Tests must validate:

  • Creating a user
  • Listing users
  • Updating user details
  • Updating roles
  • Deleting users
  • 409 on duplicate username/email
  • 400 on invalid role
  • 403 for non-admin access
  • Cannot delete own account
  • Cannot delete final admin
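As an added example that is not part of the project's test suite, the MockMvc class below exercises the access-control and business-rule cases in the list above (403 for non-admin, 409 on duplicate username, 400 on invalid role, blocked self-delete). It assumes the endpoints live at /api/users and accept JSON matching a UserCreateDto with username, email, password and roles fields, that the role names ADMIN and PROJECT_MANAGER exist, that spring-security-test is on the classpath, and that the context boots against a test database; the class, method and fixture names are hypothetical.

```java
// Added example, not the project's own tests: MockMvc checks for the authorization and business-rule
// cases listed in section 4. Assumed (not on the page): admin endpoints at /api/users accepting JSON
// shaped like UserCreateDto, role names ADMIN and PROJECT_MANAGER, spring-security-test on the
// classpath, and a bootable test context with a database. All names here are hypothetical.
package example.admin;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import com.jayway.jsonpath.JsonPath;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.transaction.annotation.Transactional;

@SpringBootTest
@AutoConfigureMockMvc
@Transactional // each test's inserts are rolled back, so the tests do not depend on each other
class AdminUserApiTest {

    @Autowired MockMvc mvc;

    // Constructed request body; the field names follow the UserCreateDto assumed above.
    private static String userJson(String username, String role) {
        return "{\"username\":\"" + username + "\",\"email\":\"" + username
                + "@example.test\",\"password\":\"Test-Passw0rd!\",\"roles\":[\"" + role + "\"]}";
    }

    // POST as whichever principal the current test runs under; csrf() only matters if CSRF is on.
    private String create(String username, String role) throws Exception {
        return mvc.perform(post("/api/users").with(csrf())
                        .contentType(MediaType.APPLICATION_JSON).content(userJson(username, role)))
                .andExpect(status().is2xxSuccessful())
                .andReturn().getResponse().getContentAsString();
    }

    @Test
    @WithMockUser(roles = "PROJECT_MANAGER") // authenticated but not ADMIN: method security must answer 403
    void nonAdminIsForbidden() throws Exception {
        mvc.perform(get("/api/users")).andExpect(status().isForbidden());
        mvc.perform(delete("/api/users/1").with(csrf())).andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(roles = "ADMIN")
    void duplicateUsernameIsConflict() throws Exception {
        create("dup", "PROJECT_MANAGER");
        mvc.perform(post("/api/users").with(csrf())
                        .contentType(MediaType.APPLICATION_JSON).content(userJson("dup", "PROJECT_MANAGER")))
                .andExpect(status().isConflict());
    }

    @Test
    @WithMockUser(roles = "ADMIN")
    void invalidRoleIsBadRequest() throws Exception {
        mvc.perform(post("/api/users").with(csrf())
                        .contentType(MediaType.APPLICATION_JSON).content(userJson("badrole", "NOT_A_ROLE")))
                .andExpect(status().isBadRequest());
    }

    @Test
    @WithMockUser(roles = "ADMIN")
    void selfDeleteIsBlocked() throws Exception {
        // Create an account, then send the DELETE as a principal with that same username
        // (user() overrides the mock admin for this one request) so the self-delete rule fires.
        Number id = JsonPath.read(create("self", "PROJECT_MANAGER"), "$.id");
        mvc.perform(delete("/api/users/" + id).with(user("self").roles("ADMIN")).with(csrf()))
                .andExpect(status().is4xxClientError());
        // The account must still exist afterwards: a different admin can delete it normally.
        mvc.perform(delete("/api/users/" + id).with(csrf())).andExpect(status().is2xxSuccessful());
    }
}
```

The last-admin case is deliberately left out here because it needs control over how many ADMIN rows the test database starts with; in the project it would be written the same way, seeding exactly one admin and asserting a 4xx on its deletion.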

5. OpenAPI / API Docs

Add complete API documentation:

  • Parameters
  • Schemas
  • Examples
  • Error cases

This should appear automatically under Swagger UI.

6. README Update

Document the new Admin User Management API:

  • Endpoint list
  • Required roles
  • Sample curl commands for CRUD operations

Acceptance Criteria

  • All endpoints exist and work under session-auth
  • Only ADMIN can call them
  • Full CRUD works
  • Duplicate username/email triggers 409
  • Self-delete is blocked
  • Last-admin-delete is blocked
  • All tests pass
  • OpenAPI docs are correct
  • README updated

Estimate

6–8 hours, including testing and documentation.


Dependencies

  • Role system already implemented (SZ-3)
  • User entity stable (post-SZ-23 changes)
  • Self-service endpoints (SZ-38)

  • rk@tigase.net referenced from other issue 4 weeks ago
  • rk@tigase.net changed state to 'In Progress' 4 weeks ago
    Previous value: Open; current value: In Progress
  • rk@tigase.net commented 2 weeks ago

    Worklog — SZ-39: Admin User Management (Create, List, Update, Delete Users)

    Full-stack implementation: backend + frontend + auth + UX + regression tests

    Total time: 7 hours 10 minutes (falls within original 6–8 hour estimate)


    1. Backend: complete CRUD + security integration (1h 40m)

    • Added UpdateUserPayload DTO (role-aware).
    • Implemented PUT /api/users/{id} for updates and DELETE /api/users/{id}.
    • Added admin password-reset endpoint.
    • Updated UserService, UserServiceImpl, and repository queries.
    • Updated UserDto mapping and pagination endpoint.
    • Added /me and /me/password profile endpoints.
    • Ensured Spring Security roles (ADMIN, PROJECT_MANAGER) apply consistently.
    • Verified password-change logic with exception handling.

    2. Frontend: Full user-management UI (Create, List, Update, Delete) (1h 55m)

    • Implemented CreateUserModal, EditUserModal, and UserDeleteModal.
    • Connected UI modals to backend API (axios calls in api.ts).
    • Updated UserListPage with:
      • pagination,
      • role display,
      • live table refresh,
      • edit/delete actions,
      • proper disable states.
    • Implemented front-end form validation.
    • Ensured smooth integration with AuthContext so UI respects real backend roles.

    3. Role loading and form population (25m)

    • Added role-loading API and caching.
    • Auto-populated roles inside EditUserModal and CreateUserModal.
    • Added UI blocking until roles load (prevents inconsistent state).

    4. Self-delete protection (35m)

    • Prevented the logged-in admin from deleting their own account.
    • Added:
      • disabled Delete button,
      • gray styling,
      • non-hoverable state,
      • and a tooltip “You cannot delete your own account.”

    5. Brand-consistent UI improvements (45m)

    • Updated LoginPage to include real Sztab logo + italic gradient title.
    • Synced login branding with AboutModal and Sidebar.
    • Updated Change Password page to show icon.
    • Added consistent typography and spacing across all user-management screens.

    6. Regression tests — full backend flow validation (1h 10m)

    • Updated UserRegressionTest to handle new paginated JSON format.
    • Repaired JSONPath ($.content[*].username instead of $[*].username).
    • Verified create → list → delete → verify deletion logic.
    • Added coverage for update and role-changing logic.
    • Added UserServiceImplTest.

    7. Project restructuring: rename sztab-uifrontend (50m)

    • Renamed full folder tree using git mv.
    • Updated docker-compose paths, Nginx mount path, Vite config, and Dockerfile context.
    • Ran end-to-end smoke test:
      • mvn clean test
      • npm install && npm run build
      • docker compose up --build
      • Browser login, CRUD operations.

    8. Final cleanup, commit, push, and merge (20m)

    • Fixed tooltip wrapping.
    • Ran final test suite — all passing.
    • Committed rename + UI changes.
    • Pushed feature/sz-39-admin-user-management and merged into wolnosc.

    Final Summary

    SZ-39 delivered a complete admin user-management system across both backend and frontend:

    • Backend CRUD, DTOs, pagination, security rules
    • Frontend add / edit / delete modals
    • User list table with pagination
    • Self-delete protection
    • Polished UI (icons, branding, styling)
    • Regression test coverage
    • Repository rename + Docker alignment

    Total time: 7h 10m (Full-stack feature)

  • rk@tigase.net changed state to 'Closed' 2 weeks ago
    Previous value: In Progress; current value: Closed
Type: New Feature
Priority: Normal
Assignee: (none)
Version: 1.0
Sprints: n/a
Customer: n/a
Issue votes: 0
Watchers: 3
Reference: SZ-39