Admin User Management (Create, List, Update, Delete Users) (SZ-39)
rk@tigase.net opened 3 days ago

Overview

Sztab currently supports full authentication and self-service profile updates, but it has no admin-facing UI or REST endpoint layer for managing other users.
This issue introduces complete Admin User Management, enabling administrators to:

  • Create users
  • List all users
  • Update user data (name, email, roles, status flags)
  • Delete users

All operations will require the ADMIN role.

This is the foundation for onboarding developers, QA engineers, project managers, and other team members into Sztab.


Scope

1. Backend: REST Endpoints

Add new admin-only endpoints to UserController:

  • POST /api/users → create a new user
  • GET /api/users → list all users
  • GET /api/users/{id} → fetch user by ID
  • PUT /api/users/{id} → update user fields
  • DELETE /api/users/{id} → delete user

DTOs required:

  • UserCreateDto
  • UserUpdateDto
  • UserDto (response; must not expose the password hash)

Business rules:

  • Username and email MUST be unique
  • Cannot delete the last remaining admin
  • Cannot delete your own account
  • Role updates must validate role names (reject anything that is not a known role)
  • Passwords must be encoded (hashed) before the user is persisted; the plaintext is never stored or returned

2. Backend: Service Layer

Extend UserService:

  • User createUser(UserCreateDto)
  • List<User> getAllUsers()
  • User updateUser(Long id, UserUpdateDto)
  • void deleteUser(Long id)
  • Keep existing self-service methods (getCurrentUser, updateCurrentUser, etc.)

Ensure:

  • Transactional boundaries are correct
  • Validation exceptions map to the right status: 400 for invalid input (e.g. an unknown role), 409 for a duplicate username/email
  • The service itself, not only the controller, prevents self-delete and last-admin-delete, so every caller gets the same rules
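The following sketch, added here as an example and not code from Sztab, shows one way UserService could enforce the business rules in sections 1 and 2. Every name in it is an assumption: a JPA User entity with username/email/password fields and a Set<Role> roles, a Role enum containing ADMIN, record DTOs UserCreateDto(username, email, password, roles) and UserUpdateDto(email, roles) whose roles are Set<String>, and a Spring Data repository with the query methods shown. Status codes use Spring's ResponseStatusException so no separate exception mapping is needed; 409 for self-delete and last-admin-delete is an assumption, since the issue only says they must be blocked. The getAllUsers() method is a plain findAll() and is left out. The last-admin guard is also applied to role updates, which goes beyond the issue text: removing ADMIN from the only admin locks everyone out exactly as deleting them would.

```java
// Added example, not Sztab's code. All names below are hypothetical (see the lead-in).
import java.util.EnumSet;
import java.util.Set;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.server.ResponseStatusException;

interface UserRepository extends JpaRepository<User, Long> {
    boolean existsByUsernameIgnoreCase(String username);
    boolean existsByEmailIgnoreCase(String email);
    @Query("select count(u) from User u where :role member of u.roles")
    long countByRole(@Param("role") Role role);   // how many users hold the role
}

@Service
public class UserService {
    private final UserRepository users;
    private final PasswordEncoder passwordEncoder;

    public UserService(UserRepository users, PasswordEncoder passwordEncoder) {
        this.users = users;
        this.passwordEncoder = passwordEncoder;
    }

    @Transactional
    public User createUser(UserCreateDto dto) {
        if (users.existsByUsernameIgnoreCase(dto.username()) || users.existsByEmailIgnoreCase(dto.email())) {
            throw new ResponseStatusException(HttpStatus.CONFLICT, "username or email already in use");
        }
        User user = new User();
        user.setUsername(dto.username());
        user.setEmail(dto.email());
        user.setRoles(parseRoles(dto.roles()));                    // 400 on an unknown role name
        user.setPassword(passwordEncoder.encode(dto.password()));   // only the hash is ever persisted
        return users.save(user);
    }

    @Transactional(readOnly = true)
    public User getUser(Long id) {
        return users.findById(id)
                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "user not found"));
    }

    @Transactional
    public User updateUser(Long id, UserUpdateDto dto) {
        User user = getUser(id);
        if (dto.email() != null && !dto.email().equalsIgnoreCase(user.getEmail())) {
            if (users.existsByEmailIgnoreCase(dto.email())) {   // uniqueness holds on update too
                throw new ResponseStatusException(HttpStatus.CONFLICT, "email already in use");
            }
            user.setEmail(dto.email());
        }
        if (dto.roles() != null) {
            Set<Role> roles = parseRoles(dto.roles());
            // Dropping ADMIN from the last admin is as fatal as deleting them (beyond the issue text).
            if (user.getRoles().contains(Role.ADMIN) && !roles.contains(Role.ADMIN)) {
                ensureNotLastAdmin();
            }
            user.setRoles(roles);
        }
        return user;   // managed entity: dirty checking writes the changes at commit
    }

    @Transactional
    public void deleteUser(Long id) {
        User user = getUser(id);
        String caller = SecurityContextHolder.getContext().getAuthentication().getName();
        if (user.getUsername().equals(caller)) {
            // 409 is an assumption; the issue only says self-delete must be blocked.
            throw new ResponseStatusException(HttpStatus.CONFLICT, "cannot delete your own account");
        }
        if (user.getRoles().contains(Role.ADMIN)) {
            ensureNotLastAdmin();
        }
        users.delete(user);
    }

    private void ensureNotLastAdmin() {
        if (users.countByRole(Role.ADMIN) <= 1) {
            throw new ResponseStatusException(HttpStatus.CONFLICT, "cannot remove the last admin");
        }
    }

    // Role names arrive as strings; anything that is not a Role constant is a 400.
    private static Set<Role> parseRoles(Set<String> names) {
        Set<Role> roles = EnumSet.noneOf(Role.class);
        for (String name : names == null ? Set.<String>of() : names) {
            try {
                roles.add(Role.valueOf(name.trim().toUpperCase()));
            } catch (IllegalArgumentException e) {
                throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "unknown role: " + name);
            }
        }
        return roles;
    }
}
```

One caveat on the count-based guard: it is a read-then-act check, so two admins deleting each other in concurrent requests can both observe a count of 2 and both succeed. If that matters, serialize the admin-removal path (a pessimistic lock on the affected rows, or SERIALIZABLE isolation for deleteUser) rather than relying on the count alone. Also back the uniqueness rule with database unique constraints on username and email; the existsBy checks give the friendly 409, the constraints are what actually guarantee it.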

3. Backend: Security Enforcement

All new endpoints must require:

@PreAuthorize("hasRole('ADMIN')")

Session auth only (JWT auth is not affected yet).
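As an added example (not Sztab's code), this is the shape the admin handlers take on the existing UserController. Assumptions: a UserService exposing createUser/getAllUsers/updateUser/deleteUser from section 2 plus a getUser(Long) lookup, a UserDto.from(User) factory that leaves out the password hash, jakarta.validation (Spring Boot 3), and /api/users/me as the path of the existing self-service endpoint from SZ-38. Because the self-service handler shares the controller and must stay reachable by any authenticated session, the guard sits on each admin method rather than on the class.

```java
// Added example, not Sztab's code. UserService, UserDto and the DTOs are assumed (see lead-in).
import java.util.List;
import jakarta.validation.Valid;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/api/users")
public class UserController {
    private final UserService service;

    public UserController(UserService service) {
        this.service = service;
    }

    // Existing self-service endpoint (SZ-38): any authenticated session. The literal "/me"
    // is more specific than "/{id}" in Spring MVC's mapping, so the admin route does not shadow it.
    @GetMapping("/me")
    public UserDto me() {
        return UserDto.from(service.getCurrentUser());
    }

    @PostMapping
    @PreAuthorize("hasRole('ADMIN')")   // matches the granted authority ROLE_ADMIN
    @ResponseStatus(HttpStatus.CREATED)
    public UserDto create(@Valid @RequestBody UserCreateDto dto) {
        return UserDto.from(service.createUser(dto));
    }

    @GetMapping
    @PreAuthorize("hasRole('ADMIN')")
    public List<UserDto> list() {
        return service.getAllUsers().stream().map(UserDto::from).toList();
    }

    @GetMapping("/{id}")
    @PreAuthorize("hasRole('ADMIN')")
    public UserDto get(@PathVariable Long id) {
        return UserDto.from(service.getUser(id));
    }

    @PutMapping("/{id}")
    @PreAuthorize("hasRole('ADMIN')")
    public UserDto update(@PathVariable Long id, @Valid @RequestBody UserUpdateDto dto) {
        return UserDto.from(service.updateUser(id, dto));
    }

    @DeleteMapping("/{id}")
    @PreAuthorize("hasRole('ADMIN')")
    @ResponseStatus(HttpStatus.NO_CONTENT)
    public void delete(@PathVariable Long id) {
        service.deleteUser(id);
    }
}
```

Two things to check when wiring this in. @PreAuthorize is only honoured when method security is switched on (@EnableMethodSecurity on a configuration class in Spring Security 6, @EnableGlobalMethodSecurity(prePostEnabled = true) in 5.x); without it every annotation above is silently ignored and the endpoints are open to any logged-in session, which is exactly what the 403 test in section 4 exists to catch. And hasRole('ADMIN') checks for the granted authority ROLE_ADMIN, so the role mapping from SZ-3 must produce that prefix when it builds the UserDetails, or the expression has to be hasAuthority('ADMIN') instead.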

4. Unit + Integration Tests

Tests must validate:

  • Creating a user
  • Listing users
  • Updating user details
  • Updating roles
  • Deleting users
  • 409 on duplicate username/email
  • 400 on invalid role
  • 403 for non-admin access
  • Cannot delete own account
  • Cannot delete final admin
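The MockMvc tests below are an added example, not Sztab's own test code. They assume a JPA User entity with the setters used here, a Role enum containing ADMIN and USER, a Spring Data UserRepository, and 409 as the status for a blocked delete (the issue leaves that code open). They also assume Spring Security's default CSRF protection under session auth, which is why every POST and DELETE carries .with(csrf()): without it the request is rejected with 403 for the wrong reason and a "403 for non-admin" test would pass even if the ADMIN guard were missing. @WithMockUser(roles = "ADMIN") grants ROLE_ADMIN, the authority hasRole('ADMIN') looks for.

```java
// Added example, not Sztab's tests. User, Role and UserRepository are assumed (see lead-in).
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import java.util.Set;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.transaction.annotation.Transactional;

@SpringBootTest
@AutoConfigureMockMvc
@Transactional   // each test's seed data is rolled back
class AdminUserManagementTest {
    @Autowired MockMvc mvc;
    @Autowired UserRepository users;

    private Long aliceId;   // the only ADMIN stored in the database
    private Long bobId;     // an ordinary USER

    @BeforeEach
    void seed() {
        aliceId = save("alice", "alice@example.test", Role.ADMIN);
        bobId = save("bob", "bob@example.test", Role.USER);
    }

    @Test
    @WithMockUser(username = "bob", roles = "USER")
    void nonAdminGets403() throws Exception {
        mvc.perform(get("/api/users")).andExpect(status().isForbidden());
        mvc.perform(delete("/api/users/{id}", aliceId).with(csrf())).andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(username = "alice", roles = "ADMIN")
    void duplicateUsernameGets409() throws Exception {
        String body = "{\"username\":\"bob\",\"email\":\"other@example.test\",\"password\":\"Tr0ub4dor&3\",\"roles\":[\"USER\"]}";
        mvc.perform(post("/api/users").with(csrf()).contentType(MediaType.APPLICATION_JSON).content(body))
           .andExpect(status().isConflict());
    }

    @Test
    @WithMockUser(username = "alice", roles = "ADMIN")
    void unknownRoleGets400() throws Exception {
        String body = "{\"username\":\"carol\",\"email\":\"carol@example.test\",\"password\":\"Tr0ub4dor&3\",\"roles\":[\"SUPERUSER\"]}";
        mvc.perform(post("/api/users").with(csrf()).contentType(MediaType.APPLICATION_JSON).content(body))
           .andExpect(status().isBadRequest());
    }

    @Test
    @WithMockUser(username = "alice", roles = "ADMIN")
    void selfDeleteIsBlocked() throws Exception {
        mvc.perform(delete("/api/users/{id}", aliceId).with(csrf())).andExpect(status().isConflict());
        assertTrue(users.existsById(aliceId));
    }

    @Test
    @WithMockUser(username = "dave", roles = "ADMIN")   // admin principal with no DB row, so alice stays the only stored admin
    void lastAdminCannotBeDeleted() throws Exception {
        mvc.perform(delete("/api/users/{id}", aliceId).with(csrf())).andExpect(status().isConflict());
        assertTrue(users.existsById(aliceId));
    }

    @Test
    @WithMockUser(username = "alice", roles = "ADMIN")
    void adminCanDeleteOrdinaryUser() throws Exception {
        mvc.perform(delete("/api/users/{id}", bobId).with(csrf())).andExpect(status().is2xxSuccessful());
        assertFalse(users.existsById(bobId));
    }

    private Long save(String username, String email, Role role) {
        User u = new User();
        u.setUsername(username);
        u.setEmail(email);
        u.setPassword("{noop}never-used-here");   // @WithMockUser bypasses login, so the hash is irrelevant
        u.setRoles(Set.of(role));
        return users.save(u).getId();
    }
}
```

The lastAdminCannotBeDeleted case deliberately authenticates as an admin principal that has no row in the database, so the stored admin count stays at one while the caller is still not deleting their own account; it is the only way to reach the last-admin rule without also tripping the self-delete rule when a single admin is seeded.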

5. OpenAPI / API Docs

Add complete API documentation:

  • Parameters
  • Schemas
  • Examples
  • Error cases

This should appear automatically under Swagger UI.

6. README Update

Document the new Admin User Management API:

  • Endpoint list
  • Required roles
  • Sample curl commands for CRUD operations

Acceptance Criteria

  • All endpoints exist and work under session auth
  • Only ADMIN can call them
  • Full CRUD works
  • Duplicate username/email triggers 409
  • Self-delete is blocked
  • Last-admin-delete is blocked
  • All tests pass
  • OpenAPI docs are correct
  • README updated

Estimate

6–8 hours, including testing and documentation.


Dependencies

  • Role system already implemented (SZ-3)
  • User entity stable (post-SZ-23 changes)
  • Self-service endpoints (SZ-38)

Type: New Feature
Priority: Normal
Assignee: none
Version: 1.0
Sprints: n/a
Customer: n/a
Issue Votes (0)
Watchers (3)
Reference: SZ-39