feat(admin): enhance admin modification security and add password change notifications

- Refactor admin ownership and self-modification checks with helper variables for clarity
- Add validation to prevent owner role assignment and modification via standard endpoints
- Prevent non-owner admins from changing their own role
- Add password change detection and automatic logout with re-authentication prompt
- Add localization strings for password change notifications (en, fa, ru, zh)
- Improve admin modal to handle password changes and redirect to login when current admin's password is modified
- Enhance security by invalidating auth token when admin changes their own password

Author: x0sina

app/operation/admin.py

@@ -94,22 +94,31 @@ async def _modify_admin(
         self, db: AsyncSession, db_admin: Admin, modified_admin: AdminModify, current_admin: AdminDetails
     ) -> AdminDetails:
         """Modify an existing admin's details."""
-        # Owner can only be modified by themselves — not by other admins via normal routes
-        if db_admin.role_id == 1 and (current_admin.id is None or db_admin.id != current_admin.id):
+        # Owner can only be modified by themselves via normal routes.
+        is_owner_target = self._is_owner_admin(db_admin)
+        is_self = current_admin.id is not None and db_admin.id == current_admin.id
+
+        if is_owner_target and not is_self:
             await self.raise_error(message="Owner cannot be modified via this endpoint. Use the setup flow.", code=403)
 
-        if modified_admin.role_id == 1:
+        if modified_admin.role_id == 1 and not (is_owner_target and is_self and db_admin.role_id == 1):
             await self.raise_error(
                 message="Owner role cannot be assigned via this endpoint. Use the setup flow.", code=403
             )
 
-        if not current_admin.is_owner and db_admin.id == current_admin.id:
+        if is_owner_target and modified_admin.role_id is not None and modified_admin.role_id != db_admin.role_id:
+            await self.raise_error(message="Owner role cannot be changed via this endpoint. Use the setup flow.", code=403)
+
+        if not current_admin.is_owner and is_self and modified_admin.role_id is not None and modified_admin.role_id != db_admin.role_id:
+            await self.raise_error(message="You're not allowed to change your own role.", code=403)
+
+        if not current_admin.is_owner and is_self:
             if modified_admin.status is not None and modified_admin.status == AdminStatus.disabled:
                 await self.raise_error(message="You're not allowed to disable your own account.", code=403)
 
         # Non-owner admins cannot modify other admins with equal or higher role level (role_id <= 2)
         # Only the owner can modify administrators (role_id=2)
-        if not current_admin.is_owner and db_admin.id != current_admin.id and db_admin.role_id <= 2:
+        if not current_admin.is_owner and not is_self and db_admin.role_id <= 2:
             await self.raise_error(message="You're not allowed to modify an administrator account.", code=403)
 
         if modified_admin.telegram_id is not None:

dashboard/public/statics/locales/en.json

@@ -661,6 +661,8 @@
     "createFailed": "Failed to create admin «{{name}}»",
     "editSuccess": "Admin «{{name}}» has been modified successfully",
     "editFailed": "Failed to modify admin «{{name}}»",
+    "passwordChangedTitle": "Password changed",
+    "passwordChangedLogout": "Please sign in again with your new password.",
     "deleteSuccess": "Admin {{name}} removed successfully",
     "deleteFailed": "Failed to remove admin {{name}}",
     "bulkDeleteSuccess": "{{count}} admins deleted successfully.",

dashboard/public/statics/locales/fa.json

@@ -526,6 +526,8 @@
     "createFailed": "ایجاد مدیر «{{name}}» ناموفق بود",
     "editSuccess": "مدیر «{{name}}» با موفقیت به‌روزرسانی شد",
     "editFailed": "به‌روزرسانی مدیر «{{name}}» ناموفق بود",
+    "passwordChangedTitle": "گذرواژه تغییر کرد",
+    "passwordChangedLogout": "لطفاً دوباره با گذرواژه جدید وارد شوید.",
     "deleteSuccess": "مدیر {{name}} با موفقیت حذف شد",
     "deleteFailed": "حذف مدیر {{name}} ناموفق بود",
     "bulkDeleteSuccess": "{{count}} مدیر با موفقیت حذف شد.",

dashboard/public/statics/locales/ru.json

@@ -647,6 +647,8 @@
     "createFailed": "Не удалось создать администратора «{{name}}»",
     "editSuccess": "Администратор «{{name}}» успешно обновлен",
     "editFailed": "Не удалось обновить администратора «{{name}}»",
+    "passwordChangedTitle": "Пароль изменен",
+    "passwordChangedLogout": "Войдите снова с новым паролем.",
     "deleteSuccess": "Администратор {{name}} успешно удалён",
     "deleteFailed": "Не удалось удалить администратора {{name}}",
     "bulkDeleteSuccess": "{{count}} администраторов успешно удалено.",

dashboard/public/statics/locales/zh.json

@@ -661,6 +661,8 @@
     "createFailed": "创建管理员「{{name}}」失败",
     "editSuccess": "管理员「{{name}}」更新成功",
     "editFailed": "更新管理员「{{name}}」失败",
+    "passwordChangedTitle": "密码已更改",
+    "passwordChangedLogout": "请使用新密码重新登录。",
     "deleteSuccess": "管理员{{name}}删除成功",
     "deleteFailed": "删除管理员{{name}}失败",
     "bulkDeleteSuccess": "已成功删除 {{count}} 个管理员。",

dashboard/src/features/admins/dialogs/admin-modal.tsx

@@ -12,16 +12,19 @@ import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from '@
 import { Switch } from '@/components/ui/switch'
 import { Textarea } from '@/components/ui/textarea'
 import { VariablesPopover } from '@/components/ui/variables-popover'
+import { useAdmin } from '@/hooks/use-admin'
 import useDynamicErrorHandler from '@/hooks/use-dynamic-errors.ts'
 import { useCreateAdmin, useGetRolesSimple, useModifyAdminById } from '@/service/api'
 import type { RoleLimits } from '@/service/api'
 import { upsertAdminInAdminsCache } from '@/utils/adminsCache'
+import { removeAuthToken } from '@/utils/authStorage'
 import { bytesToFormGigabytes, formatBytes, gbToBytes } from '@/utils/formatByte'
 import { useQueryClient } from '@tanstack/react-query'
 import { Bell, IdCard, Pencil, Sliders, UserCog } from 'lucide-react'
 import { useEffect, useMemo, useState } from 'react'
 import { UseFormReturn, useWatch } from 'react-hook-form'
 import { useTranslation } from 'react-i18next'
+import { useNavigate } from 'react-router'
 import { toast } from 'sonner'
 
 const BUILTIN_ADMIN_ROLES = [
@@ -69,8 +72,10 @@ interface AdminModalProps {
 
 export default function AdminModal({ isDialogOpen, onOpenChange, editingAdminId, editingAdmin, form }: AdminModalProps) {
   const { t } = useTranslation()
+  const navigate = useNavigate()
   const handleError = useDynamicErrorHandler()
   const queryClient = useQueryClient()
+  const { admin: currentAdmin } = useAdmin()
   const addAdminMutation = useCreateAdmin()
   const modifyAdminMutation = useModifyAdminById()
   const rolesQuery = useGetRolesSimple()
@@ -133,6 +138,9 @@ export default function AdminModal({ isDialogOpen, onOpenChange, editingAdminId,
 
   const onSubmit = async (values: AdminFormValuesInput) => {
     try {
+      const passwordChanged = typeof values.password === 'string' && values.password.length > 0
+      const isEditingCurrentAdmin =
+        editingAdmin && currentAdmin != null && ((currentAdmin.id != null && editingAdminId === currentAdmin.id) || values.username === currentAdmin.username)
       const dataLimitChanged = !!form.formState.dirtyFields.data_limit
       const dataLimitHasValue = values.data_limit !== null && values.data_limit !== undefined && values.data_limit !== ''
       const dataLimitPayload = editingAdmin
@@ -164,6 +172,18 @@ export default function AdminModal({ isDialogOpen, onOpenChange, editingAdminId,
           data: editData,
         })
         upsertAdminInAdminsCache(queryClient, updatedAdmin, { allowInsert: true })
+        if (passwordChanged && isEditingCurrentAdmin) {
+          toast.success(t('admins.passwordChangedTitle', { defaultValue: 'Password changed' }), {
+            description: t('admins.passwordChangedLogout', { defaultValue: 'Please sign in again with your new password.' }),
+          })
+          onOpenChange(false)
+          form.reset()
+          await queryClient.cancelQueries()
+          removeAuthToken()
+          queryClient.clear()
+          navigate('/login', { replace: true })
+          return
+        }
         toast.success(
           t('admins.editSuccess', {
             name: values.username,

dashboard/src/pages/_dashboard.admins.tsx

@@ -137,6 +137,8 @@ export default function AdminsPage() {
 
   const getRoleIdForAdmin = (admin: AdminDetails) => {
     const roleName = admin.role?.name
+    if (admin.role?.is_owner || roleName === 'owner') return 1
+    if (admin.role?.id != null) return admin.role.id
     const roleId = rolesQuery.data?.roles.find(role => role.name === roleName)?.id
     if (roleId != null) return roleId
     if (roleName === 'administrator') return 2