Skip to content

feat: admin control#4

Merged
dsh0416 merged 5 commits into
mainfrom
dsh0416/admin
Jul 9, 2026
Merged

feat: admin control#4
dsh0416 merged 5 commits into
mainfrom
dsh0416/admin

Conversation

@dsh0416

@dsh0416 dsh0416 commented Jul 9, 2026

Copy link
Copy Markdown
Member

No description provided.

Copilot AI review requested due to automatic review settings July 9, 2026 06:32

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces an explicit admin permission model across the app, adding system admins and group admins with inherited hierarchy rules, and updates both frontend affordances and backend authorization/policies to enforce those permissions.

Changes:

  • Add system_admin to users, restrict admin settings + admin toggles to system admins, and enforce via frontend route access + backend policies.
  • Add group-admin membership (group_memberships.admin) with descendant inheritance, expose can_admin/admin_user_ids in the API, and gate group/project management on admin rights.
  • Update UI for group/user management (admin badges, admin toggles, and “management unavailable” states) plus expand test coverage and OpenAPI schemas.

Reviewed changes

Copilot reviewed 45 out of 45 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
frontend/src/views/UserProfileView.vue Plumbs canManageSystemAdmins down to the user profile form.
frontend/src/views/UserGroupsView.vue Derives canManageSystemAdmins from auth state and passes it to profile view.
frontend/src/views/GroupEditorView.vue Shows a “management unavailable” state when group.can_admin is false.
frontend/src/views/DashboardView.vue Hides the admin settings card unless the current user is a system admin.
frontend/src/stores/tests/userGroups.spec.ts Updates store tests for new system_admin and group admin fields.
frontend/src/services/api/types.ts Extends API types with system_admin, admin_user_ids, admins_count, can_admin, and new inputs.
frontend/src/router/index.ts Adds requiresSystemAdmin route meta and applies it to /admin-settings.
frontend/src/router/access.ts Enforces requiresSystemAdmin via nextRouteForAccess.
frontend/src/router/tests/access.spec.ts Adds tests for system-admin route access behavior.
frontend/src/components/user-groups/UsersTab.vue Displays a “System admin” badge for system admin users.
frontend/src/components/user-groups/UserProfileForm.vue Adds a system-admin toggle (guarded by canManageSystemAdmins) and conditionally submits system_admin.
frontend/src/components/user-groups/UserProfileDetails.vue Displays user access level (“System admin” vs “Standard user”).
frontend/src/components/user-groups/GroupTree.vue Shows admin counts and hides management buttons when can_admin is false.
frontend/src/components/user-groups/GroupForm.vue Adds per-member “Admin” toggles and submits admin_user_ids.
frontend/src/components/projects/ProjectForm.vue Filters selectable groups to can_admin groups for project creation.
frontend/src/App.vue Passes current user into nextRouteForAccess so system-admin gating works.
frontend/e2e/kanban.spec.ts Updates mocked payloads to include system_admin and group admin fields.
docs/permissions.md Adds a “source of truth” doc for the new permission model and invariants.
backend/spec/requests/api/v1/users_spec.rb Adds coverage for system-admin-only updates to system_admin.
backend/spec/requests/api/v1/projects_spec.rb Adds coverage restricting project mutations to group admins and allowing system admins.
backend/spec/requests/api/v1/openapi/admin_settings_spec.rb Uses a system admin user for admin settings OpenAPI request specs.
backend/spec/requests/api/v1/iterations_spec.rb Refactors request specs into helper methods.
backend/spec/requests/api/v1/groups_spec.rb Adds coverage for admin-only group mutations and final-admin invariants.
backend/spec/requests/api/v1/admin_settings_spec.rb Restricts settings updates to system admins and adds forbidden coverage.
backend/spec/openapi_helper.rb Updates OpenAPI schema expectations for new fields.
backend/spec/models/user_spec.rb Adds coverage for admin inheritance and system admin override behavior.
backend/spec/models/group_membership_spec.rb Adds coverage for default admin flag + final-admin constraints.
backend/spec/factories/users.rb Adds a :system_admin trait.
backend/spec/factories/group_memberships.rb Sets factory default admin: true for group memberships.
backend/openapi/v1/openapi.yaml Updates OpenAPI spec for new user/group fields and inputs.
backend/db/seeds.rb Adds bootstrap for a default system admin (root@example.org) when none exists.
backend/db/schema.rb Adds users.system_admin and group_memberships.admin + index.
backend/db/migrate/20260709090000_add_system_admin_to_users.rb Migration adding system_admin to users.
backend/db/migrate/20260709091000_add_admin_to_group_memberships.rb Migration adding admin to group memberships + data backfill.
backend/app/views/api/v1/users/_user.json.jbuilder Exposes system_admin in user JSON.
backend/app/views/api/v1/groups/_group.json.jbuilder Exposes admin_user_ids, admins_count, and can_admin in group JSON.
backend/app/policies/project_policy.rb Requires group admin for project mutations; system admins see all in scope.
backend/app/policies/group_policy.rb Requires group admin for create/update/destroy, including parent checks; system admins see all in scope.
backend/app/policies/application_setting_policy.rb Restricts settings updates to system admins.
backend/app/models/user.rb Adds adminable group logic (can_admin_group?) and system admin overrides.
backend/app/models/group.rb Adds admin_user_ids accessor (used for input handling).
backend/app/models/group_membership.rb Enforces “group must keep an admin” invariant on demotion/destroy.
backend/app/models/group_hierarchy.rb Adds adminable_group_ids_for hierarchy query.
backend/app/controllers/api/v1/users_controller.rb Permits system_admin updates only for system admins.
backend/app/controllers/api/v1/groups_controller.rb Adds membership/admin syncing via admin_user_ids and ensures at least one admin.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread backend/app/models/user.rb
Comment thread backend/app/models/user.rb
Comment thread backend/app/views/api/v1/groups/_group.json.jbuilder Outdated
Comment thread backend/app/controllers/api/v1/groups_controller.rb
Comment on lines 2 to 6
factory :group_membership do
association :group
association :user
admin { true }
end

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 45 out of 45 changed files in this pull request and generated 3 comments.

Comment thread backend/app/policies/group_policy.rb
Comment thread frontend/src/components/user-groups/GroupTree.vue
Comment thread backend/app/models/user.rb
@dsh0416
dsh0416 merged commit bd42647 into main Jul 9, 2026
3 checks passed
@dsh0416
dsh0416 deleted the dsh0416/admin branch July 9, 2026 07:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants