Overhaul nav, fix DB transaction bugs, add admin UI

- Replace nav user area with display name (non-clickable), gear settings modal, admin button (admins only), and logout button - Settings modal handles display name, timezone, and password change - Add admin.html + admin.js: user table with reset PW, disable/enable, login-as (impersonation), and delete; return-to-admin flow in nav - Add is_admin to UserResponse so frontend can gate the Admin button - Fix all db.begin() bugs in admin.py and users.py (transaction already active from get_current_user query; use commit() directly instead) - Add email-validator and pin bcrypt==4.0.1 for passlib compatibility - Add escHtml() to api.js and admin API namespace - Group nav brand + links in nav-left for left-aligned layout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-24 21:09:38 -07:00
parent 48a15c54f6
commit f1b82baebd
15 changed files with 570 additions and 68 deletions
--- a/backend/app/routers/admin.py
+++ b/backend/app/routers/admin.py
@@ -35,8 +35,8 @@ async def create_user(
        display_name=body.display_name or body.email.split("@")[0],
        is_admin=False,
    )
-    async with db.begin():
-        db.add(user)
+    db.add(user)
+    await db.commit()
    await db.refresh(user)
    return user

@@ -53,8 +53,8 @@ async def reset_password(
    if not user:
        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")

-    async with db.begin():
-        user.password_hash = hash_password(body.new_password)
+    user.password_hash = hash_password(body.new_password)
+    await db.commit()


@router.post("/users/{user_id}/disable", status_code=status.HTTP_204_NO_CONTENT)
@@ -71,8 +71,8 @@ async def disable_user(
    if not user:
        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")

-    async with db.begin():
-        user.is_disabled = True
+    user.is_disabled = True
+    await db.commit()


@router.post("/users/{user_id}/enable", status_code=status.HTTP_204_NO_CONTENT)
@@ -86,8 +86,8 @@ async def enable_user(
    if not user:
        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")

-    async with db.begin():
-        user.is_disabled = False
+    user.is_disabled = False
+    await db.commit()


@router.delete("/users/{user_id}", status_code=status.HTTP_204_NO_CONTENT)
@@ -104,8 +104,8 @@ async def delete_user(
    if not user:
        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")

-    async with db.begin():
-        await db.delete(user)
+    await db.delete(user)
+    await db.commit()


@router.post("/users/{user_id}/impersonate", response_model=Token)
--- a/backend/app/routers/users.py
+++ b/backend/app/routers/users.py
@@ -25,9 +25,8 @@ async def update_me(
    if body.timezone is not None:
        current_user.timezone = body.timezone

-    async with db.begin():
-        db.add(current_user)
-
+    db.add(current_user)
+    await db.commit()
    await db.refresh(current_user)
    return current_user

@@ -43,5 +42,5 @@ async def change_password(

    current_user.password_hash = hash_password(body.new_password)

-    async with db.begin():
-        db.add(current_user)
+    db.add(current_user)
+    await db.commit()
--- a/backend/app/schemas/user.py
+++ b/backend/app/schemas/user.py
@@ -24,6 +24,7 @@ class UserResponse(BaseModel):
    email: str
    display_name: Optional[str]
    timezone: str
+    is_admin: bool
    created_at: datetime

    model_config = {"from_attributes": True}