Feature: Add admin endpoint to update other users' profiles

[stanleykc]

Summary

Currently, the PATCH /api/users/{id} endpoint only allows users to update their own profile (first name, last name, password). Administrators cannot use this endpoint to update other users' profile information.

Current Behavior

The selfPatch method in UserController.java enforces that the authenticated user's ID must match the path parameter ID:

@Patch("{id}")
public HttpResponse<UserResponse> selfPatch(@PathVariable Long id, ...) {
    User user = userOptional.get();
    if (!Objects.equals(user.getId(), id)) {
        throw new HttpStatusException(HttpStatus.BAD_REQUEST, "User id mismatch.");
    }
    // ...
}

This means:

• Users can update their own profile ✓
• Administrators cannot update other users' profiles ✗

Requested Feature

Add a new admin endpoint (or modify the existing one) to allow administrators with appropriate permissions (AUTH_SERVICE_EDIT-SYSTEM or AUTH_SERVICE_EDIT-TENANT) to update other users' profile information.

Proposed Endpoint

PATCH /api/users/{id}/profile

Or alternatively, modify the existing PATCH /api/users/{id} to check for admin permissions when the user ID doesn't match.

Request Body

{
  "firstName": "NewFirst",
  "lastName": "NewLast",
  "password": "NewPassword123"
}

Permission Requirements

• AUTH_SERVICE_EDIT-SYSTEM: Can update any user's profile
• AUTH_SERVICE_EDIT-TENANT: Can update profiles of users in their tenant

Impact

This limitation affects:

• The UnityAuth CLI user update-profile command (currently documented as self-service only)
• Administrative workflows that need to reset passwords or correct user names
• Automation scripts that manage user accounts

Workarounds

Currently, administrators must:

1. Use the web interface directly, or
2. Access the database directly to make changes

Related

• CLI command: unityauth user update-profile
• Backend file: UnityAuth/src/main/java/io/unityfoundation/auth/UserController.java