mirror of
https://github.com/screentinker/screentinker.git
synced 2026-05-15 07:32:23 -06:00
Password reset for other users:

- New PUT /api/auth/users/:id/password endpoint
- Superadmin can reset any local user; admin can reset role=user members of teams they own only (cannot reset other admins or superadmins, cannot self-reset — that goes through PUT /me with current_password)
- OAuth users are excluded (no password to reset)
- Rate-limited 20 req/min/IP to cap blast radius if an admin session is compromised
- Explicit audit log entry "password_reset_for_user / target: <email>" on every reset; activity logger's summarizeAction never reads the password field, so the password value is not stored anywhere

Frontend: Reset Password button in the Admin user table and Settings > User Management table. Shown only for local-auth users that aren't the current user; prompts for an 8+ char password.

Widgets visibility fix:

- routes/widgets.js had `const isAdmin = req.user.role === 'superadmin'` which mislabeled superadmin as admin and silently restricted real admins (role=admin) to seeing only their own widgets. Now matches /auth/users behavior: superadmin sees all, admin sees own + public + widgets owned by members of teams they own, user sees own + public.

7 new i18n keys (admin.reset_password, admin.prompt_reset_password, admin.toast.password_min_8, admin.toast.password_reset, and the matching settings.user.* / settings.toast.* trio). 1024 keys total, parity 100% across en/es/fr/de/pt.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
| Name |
|---|
| components |
| i18n |
| views |
| api.js |
| app.js |
| branding.js |
| i18n.js |
| socket.js |
| utils.js |