feat: Implement admin role validation and enhance user management scripts
All checks were successful
Gitea Actions Demo / build-and-push (push) Successful in 17s
This commit is contained in:
15
README.md
@@ -77,7 +77,16 @@ export ACCOUNT_DELETION_THRESHOLD_HOURS=168 # 7 days
### Admin Endpoints
All admin endpoints require JWT authentication and admin role.
All admin endpoints require JWT authentication and **admin role**.
**Note:** Admin users must be created manually or via the provided script (`backend/scripts/create_admin.py`). The admin role cannot be assigned through the signup API for security reasons.
**Creating an Admin User:**
```bash
cd backend
python scripts/create_admin.py
```
#### Account Deletion Management
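Review bot: The added "Creating an Admin User" snippet (`cd backend` then `python scripts/create_admin.py`) does not say what the script needs: whether it prompts for the admin email and password, reads them from arguments or environment variables, and which database settings it expects to find. Add a line on the inputs, and state that the password should be supplied interactively or via the environment rather than as a command-line argument, where it would be recorded in shell history and process listings. Separately, the note claims the admin role cannot be assigned through the signup API, but this diff touches only README.md; reference the handler or the test that rejects a client-supplied role so the documented guarantee stays tied to the code that enforces it.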
@@ -123,7 +132,9 @@ npm run test
## 🔒 Security
- JWT tokens stored in HttpOnly, Secure, SameSite=Strict cookies
- Admin-only endpoints protected by role validation
- **Role-Based Access Control (RBAC)**: Admin endpoints protected by admin role validation
- Admin users can only be created via direct database manipulation or provided script
- Regular users cannot escalate privileges to admin
- Account deletion requires email confirmation
- Marked accounts blocked from login immediately
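Review bot: The new bullets "Admin users can only be created via direct database manipulation or provided script" and "Regular users cannot escalate privileges to admin" state the guarantee without naming the control behind it. The Security section is more useful if it says what enforces the property, for example that the signup and profile-update handlers ignore or reject any client-supplied role field, and that the admin check reads the role from the server-side user record (or a server-signed claim) rather than from request data. Also consider rewording "direct database manipulation" to something like "a direct database change by an operator", since the current phrasing reads as if an unsupported path is being endorsed in the docs.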