feat: admin control#4
Merged
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR introduces an explicit admin permission model across the app, adding system admins and group admins with inherited hierarchy rules, and updates both frontend affordances and backend authorization/policies to enforce those permissions.
Changes:
- Add
system_adminto users, restrict admin settings + admin toggles to system admins, and enforce via frontend route access + backend policies. - Add group-admin membership (
group_memberships.admin) with descendant inheritance, exposecan_admin/admin_user_idsin the API, and gate group/project management on admin rights. - Update UI for group/user management (admin badges, admin toggles, and “management unavailable” states) plus expand test coverage and OpenAPI schemas.
Reviewed changes
Copilot reviewed 45 out of 45 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| frontend/src/views/UserProfileView.vue | Plumbs canManageSystemAdmins down to the user profile form. |
| frontend/src/views/UserGroupsView.vue | Derives canManageSystemAdmins from auth state and passes it to profile view. |
| frontend/src/views/GroupEditorView.vue | Shows a “management unavailable” state when group.can_admin is false. |
| frontend/src/views/DashboardView.vue | Hides the admin settings card unless the current user is a system admin. |
| frontend/src/stores/tests/userGroups.spec.ts | Updates store tests for new system_admin and group admin fields. |
| frontend/src/services/api/types.ts | Extends API types with system_admin, admin_user_ids, admins_count, can_admin, and new inputs. |
| frontend/src/router/index.ts | Adds requiresSystemAdmin route meta and applies it to /admin-settings. |
| frontend/src/router/access.ts | Enforces requiresSystemAdmin via nextRouteForAccess. |
| frontend/src/router/tests/access.spec.ts | Adds tests for system-admin route access behavior. |
| frontend/src/components/user-groups/UsersTab.vue | Displays a “System admin” badge for system admin users. |
| frontend/src/components/user-groups/UserProfileForm.vue | Adds a system-admin toggle (guarded by canManageSystemAdmins) and conditionally submits system_admin. |
| frontend/src/components/user-groups/UserProfileDetails.vue | Displays user access level (“System admin” vs “Standard user”). |
| frontend/src/components/user-groups/GroupTree.vue | Shows admin counts and hides management buttons when can_admin is false. |
| frontend/src/components/user-groups/GroupForm.vue | Adds per-member “Admin” toggles and submits admin_user_ids. |
| frontend/src/components/projects/ProjectForm.vue | Filters selectable groups to can_admin groups for project creation. |
| frontend/src/App.vue | Passes current user into nextRouteForAccess so system-admin gating works. |
| frontend/e2e/kanban.spec.ts | Updates mocked payloads to include system_admin and group admin fields. |
| docs/permissions.md | Adds a “source of truth” doc for the new permission model and invariants. |
| backend/spec/requests/api/v1/users_spec.rb | Adds coverage for system-admin-only updates to system_admin. |
| backend/spec/requests/api/v1/projects_spec.rb | Adds coverage restricting project mutations to group admins and allowing system admins. |
| backend/spec/requests/api/v1/openapi/admin_settings_spec.rb | Uses a system admin user for admin settings OpenAPI request specs. |
| backend/spec/requests/api/v1/iterations_spec.rb | Refactors request specs into helper methods. |
| backend/spec/requests/api/v1/groups_spec.rb | Adds coverage for admin-only group mutations and final-admin invariants. |
| backend/spec/requests/api/v1/admin_settings_spec.rb | Restricts settings updates to system admins and adds forbidden coverage. |
| backend/spec/openapi_helper.rb | Updates OpenAPI schema expectations for new fields. |
| backend/spec/models/user_spec.rb | Adds coverage for admin inheritance and system admin override behavior. |
| backend/spec/models/group_membership_spec.rb | Adds coverage for default admin flag + final-admin constraints. |
| backend/spec/factories/users.rb | Adds a :system_admin trait. |
| backend/spec/factories/group_memberships.rb | Sets factory default admin: true for group memberships. |
| backend/openapi/v1/openapi.yaml | Updates OpenAPI spec for new user/group fields and inputs. |
| backend/db/seeds.rb | Adds bootstrap for a default system admin (root@example.org) when none exists. |
| backend/db/schema.rb | Adds users.system_admin and group_memberships.admin + index. |
| backend/db/migrate/20260709090000_add_system_admin_to_users.rb | Migration adding system_admin to users. |
| backend/db/migrate/20260709091000_add_admin_to_group_memberships.rb | Migration adding admin to group memberships + data backfill. |
| backend/app/views/api/v1/users/_user.json.jbuilder | Exposes system_admin in user JSON. |
| backend/app/views/api/v1/groups/_group.json.jbuilder | Exposes admin_user_ids, admins_count, and can_admin in group JSON. |
| backend/app/policies/project_policy.rb | Requires group admin for project mutations; system admins see all in scope. |
| backend/app/policies/group_policy.rb | Requires group admin for create/update/destroy, including parent checks; system admins see all in scope. |
| backend/app/policies/application_setting_policy.rb | Restricts settings updates to system admins. |
| backend/app/models/user.rb | Adds adminable group logic (can_admin_group?) and system admin overrides. |
| backend/app/models/group.rb | Adds admin_user_ids accessor (used for input handling). |
| backend/app/models/group_membership.rb | Enforces “group must keep an admin” invariant on demotion/destroy. |
| backend/app/models/group_hierarchy.rb | Adds adminable_group_ids_for hierarchy query. |
| backend/app/controllers/api/v1/users_controller.rb | Permits system_admin updates only for system admins. |
| backend/app/controllers/api/v1/groups_controller.rb | Adds membership/admin syncing via admin_user_ids and ensures at least one admin. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
2
to
6
| factory :group_membership do | ||
| association :group | ||
| association :user | ||
| admin { true } | ||
| end |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.