Plan: phase3/user-admin-router
Scope
User management CRUD endpoints for org_admin+ roles, following the same patterns as the organizations router.
Endpoints
| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /api/users | org_admin+ | List users (scoped to own org; system_admin sees all) |
| GET | /api/users/{id} | org_admin+ | Get user detail |
| PATCH | /api/users/{id} | org_admin+ | Update user (username, email, is_active, org_id, roles) |
| DELETE | /api/users/{id} | org_admin+ | Deactivate user (soft delete: sets is_active=false) |
Files
New
- cmmc/schemas/user.py: UserAdminResponse, UserAdminUpdate, UserListResponse
- cmmc/routers/users.py: Router with CRUD endpoints
- tests/test_user_api.py: Test suite
Modified
- cmmc/app.py: Register users router
Access Control Rules
- system_admin: Full access to all users across all orgs. Can assign any role, change org_id.
- org_admin: Can manage users within their own org only. Cannot assign system_admin role. Cannot change org_id.
- Others: 403 Forbidden on all endpoints.
- A user cannot deactivate themselves.
- org_admin cannot remove their own org_admin role.
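The rules above are easiest to get right when they live in one authorization function that every handler calls before touching the database, rather than being spread across the four endpoints. The following is an added example, not code from the cmmc project: it assumes a minimal User model (id, org_id, a list of role-name strings, is_active) and expresses each rule as a check that raises a Forbidden error the router would map to 403. Note the ordering: org scoping is enforced first, so an org_admin never learns whether a user in another org exists, and the self-deactivation and self-demotion rules are applied after scoping.

```python
from dataclasses import dataclass, field

# Constructed sample model for this example; the project's real User model and
# schemas are assumed and not shown here. Roles are plain role-name strings.
SYSTEM_ADMIN = "system_admin"
ORG_ADMIN = "org_admin"


@dataclass
class User:
    id: int
    org_id: int
    roles: list[str] = field(default_factory=list)
    is_active: bool = True


class Forbidden(Exception):
    """The actor may not perform this operation (router maps it to HTTP 403)."""


def is_system_admin(u: User) -> bool:
    return SYSTEM_ADMIN in u.roles


def is_org_admin(u: User) -> bool:
    return ORG_ADMIN in u.roles


def require_admin(actor: User) -> None:
    # Rule: anyone below org_admin gets 403 on every endpoint.
    if not (is_system_admin(actor) or is_org_admin(actor)):
        raise Forbidden("admin role required")


def check_read(actor: User, target: User) -> None:
    """GET /api/users/{id}: org_admin is scoped to its own org; system_admin sees all."""
    require_admin(actor)
    if not is_system_admin(actor) and target.org_id != actor.org_id:
        raise Forbidden("user is outside your organization")


def check_update(actor: User, target: User, changes: dict) -> None:
    """PATCH /api/users/{id}: validate the fields being changed against the rules."""
    check_read(actor, target)
    if is_system_admin(actor):
        return  # system_admin may assign any role and move users between orgs
    if "org_id" in changes and changes["org_id"] != target.org_id:
        raise Forbidden("org_admin cannot change org_id")
    new_roles = changes.get("roles")
    if new_roles is not None:
        if SYSTEM_ADMIN in new_roles:
            raise Forbidden("org_admin cannot assign system_admin")
        if target.id == actor.id and ORG_ADMIN not in new_roles:
            raise Forbidden("org_admin cannot remove their own org_admin role")


def check_deactivate(actor: User, target: User) -> None:
    """DELETE /api/users/{id}: soft delete, never of oneself (system_admin included)."""
    check_read(actor, target)
    if target.id == actor.id:
        raise Forbidden("cannot deactivate yourself")


def allowed(check, *args) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        check(*args)
    except Forbidden:
        return False
    return True


if __name__ == "__main__":
    sa = User(id=1, org_id=1, roles=[SYSTEM_ADMIN])
    oa = User(id=2, org_id=2, roles=[ORG_ADMIN])
    member = User(id=3, org_id=2, roles=["member"])
    print(allowed(check_update, oa, member, {"roles": [SYSTEM_ADMIN]}))  # False
    print(allowed(check_deactivate, sa, sa))  # False
```

In the test suite this structure lets each rule be covered by one test per check function rather than one per endpoint; the handlers then only need to call the matching check before querying.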
Implementation Steps
- Write tests (test-first)
- Create schemas (cmmc/schemas/user.py)
- Create router (cmmc/routers/users.py)
- Register router in cmmc/app.py
- Verify tests pass