feat: admin grant/revoke from admin panel

Add PUT /v1/admin/users/{id}/admin endpoint and frontend UI for granting and revoking platform admin status. Uses atomic conditional SQL (RevokeUserAdmin) to prevent race conditions that could remove the last admin. Includes idempotency check, audit logging, and confirmation dialog with self-demotion warning.
2026-05-03 15:24:34 +06:00
parent 4954b19d7c
commit cac6fcd626
8 changed files with 242 additions and 2 deletions
--- a/db/queries/users.sql
+++ b/db/queries/users.sql
@ -22,6 +22,12 @@ RETURNING *;
 -- name: SetUserAdmin :exec
 UPDATE users SET is_admin = $2, updated_at = NOW() WHERE id = $1;

+-- name: RevokeUserAdmin :execrows
+UPDATE users u SET is_admin = false, updated_at = NOW()
+WHERE u.id = $1
+  AND u.is_admin = true
+  AND (SELECT COUNT(*) FROM users WHERE is_admin = true AND status != 'deleted') > 1;
+
 -- name: GetAdminUsers :many
 SELECT * FROM users WHERE is_admin = TRUE ORDER BY created_at;

--- a/frontend/src/lib/api/admin-users.ts
+++ b/frontend/src/lib/api/admin-users.ts
@ -26,3 +26,7 @@ export async function listAdminUsers(page: number = 1): Promise<ApiResult<AdminU
 export async function setUserActive(id: string, active: boolean): Promise<ApiResult<void>> {
 	return apiFetch('PUT', `/api/v1/admin/users/${id}/active`, { active });
 }
+
+export async function setUserAdmin(id: string, admin: boolean): Promise<ApiResult<void>> {
+	return apiFetch('PUT', `/api/v1/admin/users/${id}/admin`, { admin });
+}
--- a/frontend/src/routes/admin/users/+page.svelte
+++ b/frontend/src/routes/admin/users/+page.svelte
@ -5,8 +5,10 @@
 	import {
 		listAdminUsers,
 		setUserActive,
+		setUserAdmin,
 		type AdminUser,
 	} from '$lib/api/admin-users';
+	import { auth } from '$lib/auth.svelte';

 	// Data state
 	let users = $state<AdminUser[]>([]);
@ -22,6 +24,11 @@
 	// Toggle state
 	let togglingId = $state<string | null>(null);

+	// Admin dialog state
+	let adminTarget = $state<AdminUser | null>(null);
+	let togglingAdmin = $state(false);
+	let adminError = $state<string | null>(null);
+
 	async function fetchUsers(page: number = 1) {
 		const wasEmpty = users.length === 0;
 		if (wasEmpty) loading = true;
@ -56,6 +63,23 @@
 		togglingId = null;
 	}

+	async function handleConfirmAdminToggle() {
+		if (!adminTarget) return;
+		togglingAdmin = true;
+		adminError = null;
+		const target = adminTarget;
+		const newAdmin = !target.is_admin;
+		const result = await setUserAdmin(target.id, newAdmin);
+		if (result.ok) {
+			adminTarget = null;
+			target.is_admin = newAdmin;
+			toast.success(`${target.email} ${newAdmin ? 'granted' : 'revoked'} admin`);
+		} else {
+			adminError = result.error;
+		}
+		togglingAdmin = false;
+	}
+
 	function goToPage(page: number) {
 		if (page < 1 || page > totalPages) return;
 		fetchUsers(page);
@ -222,8 +246,18 @@
 							</div>

 							<!-- Role -->
-							<div class="px-5 py-4">
-								<span class="text-ui text-[var(--color-text-secondary)]">{user.is_admin ? 'Admin' : 'User'}</span>
+							<div class="flex items-center px-5 py-4">
+								<button
+									onclick={() => { adminError = null; adminTarget = user; }}
+									disabled={user.status !== 'active'}
+									aria-label="{user.is_admin ? 'Revoke admin for' : 'Grant admin to'} {user.name || user.email}"
+									class="rounded-[var(--radius-button)] border px-3 py-1.5 text-meta font-medium transition-all duration-150 disabled:opacity-50
+										{user.is_admin
+											? 'border-[var(--color-amber)]/30 bg-[var(--color-amber)]/10 text-[var(--color-amber)] hover:bg-[var(--color-amber)]/20 hover:border-[var(--color-amber)]/50'
+											: 'border-[var(--color-border)] text-[var(--color-text-tertiary)] hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-secondary)]'}"
+								>
+									{user.is_admin ? 'Admin' : 'User'}
+								</button>
 							</div>

 							<!-- Joined -->
@ -292,3 +326,72 @@
 			</div>
 		</footer>
 </main>
+
+<!-- Admin confirmation dialog -->
+{#if adminTarget}
+	<div class="fixed inset-0 z-50 flex items-center justify-center">
+		<!-- svelte-ignore a11y_no_static_element_interactions -->
+		<div
+			class="absolute inset-0 bg-black/60"
+			onclick={() => { if (!togglingAdmin) adminTarget = null; }}
+			onkeydown={(e) => { if (e.key === 'Escape' && !togglingAdmin) adminTarget = null; }}
+		></div>
+		<div
+			class="relative w-full max-w-[420px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)]"
+			style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)"
+		>
+			<div class="p-6">
+				<h2 class="font-serif text-heading leading-tight text-[var(--color-text-bright)]">
+					{adminTarget.is_admin ? 'Revoke Admin' : 'Grant Admin'}
+				</h2>
+				<p class="mt-1.5 text-ui text-[var(--color-text-tertiary)]">
+					{adminTarget.is_admin ? 'Remove admin access from' : 'Grant admin access to'}
+					<code class="rounded bg-[var(--color-bg-4)] px-1.5 py-0.5 font-mono text-[0.8rem] text-[var(--color-text-primary)]">{adminTarget.email}</code>.
+					{adminTarget.is_admin
+						? 'They will lose access to the admin panel immediately.'
+						: 'They will be able to manage all platform resources.'}
+				</p>
+
+				{#if adminTarget.is_admin && adminTarget.id === auth.userId}
+					<div class="mt-3 flex items-start gap-2.5 rounded-[var(--radius-input)] border border-[var(--color-amber)]/30 bg-[var(--color-amber)]/5 px-3 py-2.5">
+						<svg class="mt-0.5 shrink-0 text-[var(--color-amber)]" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+							<path d="M10.29 3.86L1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0z" /><line x1="12" y1="9" x2="12" y2="13" /><line x1="12" y1="17" x2="12.01" y2="17" />
+						</svg>
+						<span class="text-meta text-[var(--color-amber)]">
+							You are removing your own admin access. You will lose access to this panel.
+						</span>
+					</div>
+				{/if}
+
+				{#if adminError}
+					<div class="mt-3 rounded-[var(--radius-input)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/5 px-3 py-2 text-meta text-[var(--color-red)]">
+						{adminError}
+					</div>
+				{/if}
+
+				<div class="mt-6 flex justify-end gap-3">
+					<button
+						onclick={() => (adminTarget = null)}
+						disabled={togglingAdmin}
+						class="rounded-[var(--radius-button)] border border-[var(--color-border)] px-4 py-2 text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)] disabled:opacity-50"
+					>
+						Cancel
+					</button>
+					<button
+						onclick={handleConfirmAdminToggle}
+						disabled={togglingAdmin}
+						class="flex items-center gap-2 rounded-[var(--radius-button)] px-5 py-2 text-ui font-semibold text-white transition-all duration-150 hover:brightness-110 hover:-translate-y-px active:translate-y-0 disabled:opacity-50 disabled:hover:translate-y-0
+							{adminTarget.is_admin ? 'bg-[var(--color-red)]' : 'bg-[var(--color-accent)]'}"
+					>
+						{#if togglingAdmin}
+							<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 12a9 9 0 1 1-6.219-8.56"/></svg>
+							{adminTarget.is_admin ? 'Revoking...' : 'Granting...'}
+						{:else}
+							{adminTarget.is_admin ? 'Revoke admin' : 'Grant admin'}
+						{/if}
+					</button>
+				</div>
+			</div>
+		</div>
+	</div>
+{/if}
--- a/internal/api/handlers_users.go
+++ b/internal/api/handlers_users.go
@ -162,3 +162,58 @@ func (h *usersHandler) SetUserActive(w http.ResponseWriter, r *http.Request) {
 	}
 	w.WriteHeader(http.StatusNoContent)
 }
+
+// SetUserAdmin handles PUT /v1/admin/users/{id}/admin
+// Grants or revokes platform admin status. Cannot remove the last admin.
+func (h *usersHandler) SetUserAdmin(w http.ResponseWriter, r *http.Request) {
+	ac := auth.MustFromContext(r.Context())
+	userIDStr := chi.URLParam(r, "id")
+
+	userID, err := id.ParseUserID(userIDStr)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid user ID")
+		return
+	}
+
+	var req struct {
+		Admin bool `json:"admin"`
+	}
+	if err := decodeJSON(r, &req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid JSON body")
+		return
+	}
+
+	user, err := h.db.GetUserByID(r.Context(), userID)
+	if err != nil {
+		writeError(w, http.StatusNotFound, "not_found", "user not found")
+		return
+	}
+
+	if user.IsAdmin == req.Admin {
+		w.WriteHeader(http.StatusNoContent)
+		return
+	}
+
+	if req.Admin {
+		if err := h.db.SetUserAdmin(r.Context(), db.SetUserAdminParams{
+			ID:      userID,
+			IsAdmin: true,
+		}); err != nil {
+			writeError(w, http.StatusInternalServerError, "internal", "failed to update admin status")
+			return
+		}
+		h.audit.LogUserGrantAdmin(r.Context(), ac, userID, user.Email)
+	} else {
+		affected, err := h.db.RevokeUserAdmin(r.Context(), userID)
+		if err != nil {
+			writeError(w, http.StatusInternalServerError, "internal", "failed to update admin status")
+			return
+		}
+		if affected == 0 {
+			writeError(w, http.StatusBadRequest, "invalid_request", "cannot remove the last admin")
+			return
+		}
+		h.audit.LogUserRevokeAdmin(r.Context(), ac, userID, user.Email)
+	}
+	w.WriteHeader(http.StatusNoContent)
+}
--- a/internal/api/openapi.yaml
+++ b/internal/api/openapi.yaml
@ -2346,6 +2346,54 @@ paths:
              schema:
                $ref: "#/components/schemas/Error"

+  /v1/admin/users/{id}/admin:
+    put:
+      summary: Grant or revoke platform admin
+      operationId: setUserAdmin
+      tags: [admin]
+      description: |
+        Sets the platform admin flag on a user. Cannot remove the last admin.
+        Requires platform admin access (JWT + is_admin).
+        The target user's JWT is not re-issued — their frontend will reflect the
+        change on next login or team switch.
+      security:
+        - bearerAuth: []
+      parameters:
+        - name: id
+          in: path
+          required: true
+          schema:
+            type: string
+            example: "usr-a1b2c3d4"
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required: [admin]
+              properties:
+                admin:
+                  type: boolean
+                  description: true to grant admin, false to revoke.
+      responses:
+        "204":
+          description: Admin status updated
+        "400":
+          $ref: "#/components/responses/BadRequest"
+        "403":
+          description: Caller is not a platform admin
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+        "404":
+          description: User not found
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+
 components:
  securitySchemes:
    apiKeyAuth:
--- a/internal/api/server.go
+++ b/internal/api/server.go
@ -269,6 +269,7 @@ func New(
 			r.Delete("/teams/{id}", teamH.AdminDeleteTeam)
 			r.Get("/users", usersH.AdminListUsers)
 			r.Put("/users/{id}/active", usersH.SetUserActive)
+			r.Put("/users/{id}/admin", usersH.SetUserAdmin)
 			r.Get("/audit-logs", auditH.AdminList)
 			r.Get("/templates", buildH.ListTemplates)
 			r.Delete("/templates/{name}", buildH.DeleteTemplate)
--- a/pkg/audit/logger.go
+++ b/pkg/audit/logger.go
@ -365,6 +365,14 @@ func (l *AuditLogger) LogUserDeactivate(ctx context.Context, ac auth.AuthContext
 	l.Log(ctx, newAdminEntry(ac, "user", id.FormatUserID(userID), "deactivate", "warning", map[string]any{"email": email}))
 }

+func (l *AuditLogger) LogUserGrantAdmin(ctx context.Context, ac auth.AuthContext, userID pgtype.UUID, email string) {
+	l.Log(ctx, newAdminEntry(ac, "user", id.FormatUserID(userID), "grant_admin", "success", map[string]any{"email": email}))
+}
+
+func (l *AuditLogger) LogUserRevokeAdmin(ctx context.Context, ac auth.AuthContext, userID pgtype.UUID, email string) {
+	l.Log(ctx, newAdminEntry(ac, "user", id.FormatUserID(userID), "revoke_admin", "warning", map[string]any{"email": email}))
+}
+
 // --- Team admin events (scope: admin) ---

 func (l *AuditLogger) LogTeamSetBYOC(ctx context.Context, ac auth.AuthContext, teamID pgtype.UUID, enabled bool) {
--- a/pkg/db/users.sql.go
+++ b/pkg/db/users.sql.go
@ -415,6 +415,21 @@ func (q *Queries) ListUsersAdmin(ctx context.Context, arg ListUsersAdminParams)
 	return items, nil
 }

+const revokeUserAdmin = `-- name: RevokeUserAdmin :execrows
+UPDATE users u SET is_admin = false, updated_at = NOW()
+WHERE u.id = $1
+  AND u.is_admin = true
+  AND (SELECT COUNT(*) FROM users WHERE is_admin = true AND status != 'deleted') > 1
+`
+
+func (q *Queries) RevokeUserAdmin(ctx context.Context, id pgtype.UUID) (int64, error) {
+	result, err := q.db.Exec(ctx, revokeUserAdmin, id)
+	if err != nil {
+		return 0, err
+	}
+	return result.RowsAffected(), nil
+}
+
 const searchUsersByEmailPrefix = `-- name: SearchUsersByEmailPrefix :many
 SELECT id, email FROM users WHERE email LIKE $1 || '%' ORDER BY email LIMIT 10
 `