Skip to content

API: Batch update user roles (PATCH /v1/superadmin/users/role) #14

New issue
New issue
Open
Open
API: Batch update user roles (PATCH /v1/superadmin/users/role)#14
Assignees
tharunthunder
Labels
enhancementNew feature or requestgood first issueGood for newcomers
@balebbae

Description

@balebbae
balebbae
opened on Feb 12, 2026

Summary

Implement a super admin endpoint that batch-updates user roles. This is the second step of the "Set Admin" flow — after searching users by email, the super admin confirms and submits role changes (e.g., promoting hackers to admins).

Endpoint

PATCH /v1/superadmin/users/role

Auth: Requires super_admin role (behind RequireRoleMiddleware(store.RoleSuperAdmin))

Request Payload

{
  "user_ids": ["uuid1", "uuid2"],
  "role": "admin"
}

Validation

  • user_ids is required, must contain 1–50 entries
  • Each user_id must be a valid UUID
  • role is required, must be one of: "hacker", "admin" (NOT "super_admin" — reject with 400)
  • The caller's own user ID must NOT be in the user_ids list (prevent self-demotion/lockout — reject with 400)
  • All user IDs must exist in the database, otherwise reject the entire request with 400

Response

200 OK

{
  "data": {
    "updated": [
      { "id": "uuid1", "email": "alice@utdallas.edu", "role": "admin" },
      { "id": "uuid2", "email": "bob@utdallas.edu", "role": "admin" }
    ]
  }
}

400 Bad Request — invalid payload, self-inclusion, super_admin role attempted, or user IDs not found
403 Forbidden — caller is not a super admin

Implementation Details

Files to modify/create

File Change
internal/store/storage.go Add BatchUpdateRole(ctx context.Context, userIDs []string, role UserRole) ([]User, error) to the Users interface
internal/store/users.go Implement BatchUpdateRole using UPDATE users SET role = $1 WHERE id = ANY($2) RETURNING id, email, role
cmd/api/users.go Add batchUpdateUserRoleHandler (same file created in the search endpoint task)
cmd/api/api.go Register r.Patch("/users/role", app.batchUpdateUserRoleHandler) under the super admin route group

Store query

UPDATE users
SET role = $1
WHERE id = ANY($2)
RETURNING id, email, role

Handler logic

  1. Parse and validate request body
  2. Check that caller's user ID is not in the user_ids list
  3. Check that role is not super_admin
  4. Call store.Users.BatchUpdateRole(ctx, userIDs, role)
  5. Verify the number of returned rows matches the input count (if not, some IDs didn't exist — return 400)
  6. Return updated users

Depends on

  • Batch search users by email endpoint (for the users.go handler file and store interface additions)

Labels

enhancement, good first issue

Metadata

Metadata

Assignees

Labels

enhancementNew feature or requestgood first issueGood for newcomers

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions