Summary
Currently, the PATCH /api/users/{id} endpoint only allows users to update their own profile (first name, last name, password). Administrators cannot use this endpoint to update other users' profile information.
Current Behavior
The selfPatch method in UserController.java enforces that the authenticated user's ID must match the path parameter ID:

```java
@Patch("{id}")
public HttpResponse<UserResponse> selfPatch(@PathVariable Long id, ...) {
    User user = userOptional.get();
    if (!Objects.equals(user.getId(), id)) {
        throw new HttpStatusException(HttpStatus.BAD_REQUEST, "User id mismatch.");
    }
    // ...
}
```

This means:
- Users can update their own profile ✓
- Administrators cannot update other users' profiles ✗
Requested Feature
Add a new admin endpoint (or modify the existing one) to allow administrators with appropriate permissions (AUTH_SERVICE_EDIT-SYSTEM or AUTH_SERVICE_EDIT-TENANT) to update other users' profile information.
Proposed Endpoint
PATCH /api/users/{id}/profile
Or alternatively, modify the existing PATCH /api/users/{id} to check for admin permissions when the user ID doesn't match.
Request Body
```json
{
  "firstName": "NewFirst",
  "lastName": "NewLast",
  "password": "NewPassword123"
}
```

Permission Requirements
- AUTH_SERVICE_EDIT-SYSTEM: Can update any user's profile
- AUTH_SERVICE_EDIT-TENANT: Can update profiles of users in their tenant
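One way to express the authorization rule behind the "modify the existing endpoint" alternative and the two permissions above is as a pure decision function that the controller calls once it has loaded the caller and the target user. The following is an added illustration, not UnityAuth code: the permission names come from the issue, while the Actor and Target records, the Decision enum and the tenant field are assumptions about how the project models callers and users.

```java
import java.util.Objects;
import java.util.Set;

// Added illustration, not UnityAuth code: the authorization rule for a
// PATCH /api/users/{id} that also admits administrators, kept as a pure
// function so it can be unit-tested without the Micronaut controller.
public final class ProfileEditPolicy {

    // Permission names taken from the issue; the surrounding types are assumed.
    static final String EDIT_SYSTEM = "AUTH_SERVICE_EDIT-SYSTEM";
    static final String EDIT_TENANT = "AUTH_SERVICE_EDIT-TENANT";

    // Hypothetical minimal shapes for the authenticated caller and the
    // user being edited; the real project's User entity will differ.
    record Actor(long id, long tenantId, Set<String> permissions) {}
    record Target(long id, long tenantId) {}

    enum Decision { ALLOW_SELF, ALLOW_SYSTEM_ADMIN, ALLOW_TENANT_ADMIN, DENY }

    static Decision decide(Actor actor, Long pathId, Target target) {
        if (actor == null || pathId == null || target == null) {
            return Decision.DENY;
        }
        // 1. Self-service: preserves the behaviour of the current endpoint.
        if (Objects.equals(actor.id(), pathId)) {
            return Decision.ALLOW_SELF;
        }
        // 2. A system-wide administrator may edit any user.
        if (actor.permissions().contains(EDIT_SYSTEM)) {
            return Decision.ALLOW_SYSTEM_ADMIN;
        }
        // 3. A tenant administrator may edit only users in the same tenant.
        //    The tenant comparison is the check that matters: without it the
        //    tenant-scoped permission silently becomes a system-wide one.
        if (actor.permissions().contains(EDIT_TENANT)
                && actor.tenantId() == target.tenantId()) {
            return Decision.ALLOW_TENANT_ADMIN;
        }
        return Decision.DENY;
    }

    // A refused cross-user edit is an authorization failure, so the
    // controller should answer 403 rather than the 400 used today for
    // the "User id mismatch" case.
    static int httpStatusFor(Decision decision) {
        return decision == Decision.DENY ? 403 : 200;
    }

    public static void main(String[] args) {
        // Constructed sample principals and targets.
        Actor alice = new Actor(1, 10, Set.of());
        Actor sysAdmin = new Actor(2, 10, Set.of(EDIT_SYSTEM));
        Actor tenantAdmin = new Actor(3, 10, Set.of(EDIT_TENANT));
        Target bobSameTenant = new Target(4, 10);
        Target carolOtherTenant = new Target(5, 20);

        System.out.println("alice edits herself:            " + decide(alice, 1L, new Target(1, 10)));
        System.out.println("alice edits bob:                " + decide(alice, 4L, bobSameTenant));
        System.out.println("system admin edits carol:       " + decide(sysAdmin, 5L, carolOtherTenant));
        System.out.println("tenant admin edits bob (same):  " + decide(tenantAdmin, 4L, bobSameTenant));
        System.out.println("tenant admin edits carol (other): " + decide(tenantAdmin, 5L, carolOtherTenant));
        System.out.println("status for a denied edit:       " + httpStatusFor(Decision.DENY));
    }
}
```

In the controller the target user would be loaded from the repository first and a missing id answered with 404 before decide is called, so that a tenant administrator cannot use the 403/404 difference to enumerate users outside their tenant. The function deliberately covers only who may edit; whether an administrator-set password should additionally force a password change on next login is a separate design decision the issue does not settle.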
Impact
This limitation affects:
- The UnityAuth CLI `user update-profile` command (currently documented as self-service only)
- Administrative workflows that need to reset passwords or correct user names
- Automation scripts that manage user accounts
Workarounds
Currently, administrators must:
- Use the web interface directly, or
- Access the database directly to make changes
Related
- CLI command: `unityauth user update-profile`
- Backend file: UnityAuth/src/main/java/io/unityfoundation/auth/UserController.java