Issue #67 — Backend: Update Member Status Provider & Endpoint #659
Description
Location:
backend/src/users/providers/update-member-status.provider.tsbackend/src/users/members.controller.ts
Description
Admins need to take four distinct actions on individual member accounts: suspend an active member (preventing login), reactivate a suspended member, promote a regular user to staff role, or demote a staff member back to regular user. All four actions are handled through a single PATCH /members/:id endpoint using an action field in the request body to describe the intent.
Several guard rails are required: admins must not be able to act on other admin accounts, a SUPER_ADMIN account must never be modifiable, and no-op actions (e.g. suspending an already suspended member) should return a clear error rather than silently succeeding.
Acceptance Criteria
- An
UpdateMemberStatusProviderclass is created atbackend/src/users/providers/update-member-status.provider.ts -
PATCH /members/:idacceptsUpdateMemberStatusDtoand applies the requested action:suspend— setsmembershipStatus = SUSPENDED. ThrowsBadRequestExceptionif already suspendedactivate— setsmembershipStatus = ACTIVE. ThrowsBadRequestExceptionif already activepromote— setsrole = UserRole.STAFF. ThrowsBadRequestExceptionif alreadySTAFFor higherdemote— setsrole = UserRole.USER. ThrowsBadRequestExceptionif alreadyUSER
- The provider throws
NotFoundExceptionif the target user does not exist - The provider throws
ForbiddenExceptionif the target user's role isADMINorSUPER_ADMIN— admins cannot manage other admins through this endpoint - The provider throws
ForbiddenExceptionif the requesting user attempts to act on their own account - Returns
{ success: true, message: "<Action> applied successfully", data: User }with sensitive fields excluded - The endpoint is guarded with
@UseGuards(RolesGuard)and@Roles(UserRole.ADMIN, UserRole.SUPER_ADMIN) -
UpdateMemberStatusProvideris registered inUsersModule -
npx tsc --noEmitpasses with no errors