[BUG]: Unable to Update User via Admin UI & API Requires Mandatory Fields Causing Full Name Loss

[rakdutta]

Description

Users created without admin privileges cannot be updated through the Edit User UI form. The issue is not limited to admin privilege — no user details (admin privilege, password, or full name) are updated from the UI.

Additionally, updating admin privileges through the API requires mandatory fields, which results in unintended overwriting of existing user details.

---

Steps to Reproduce

UI Issue

1. Create a user without admin privileges.

2. Navigate to the Edit User page.

3. Modify any of the following:

   • Administrator checkbox
   • Password
   • Full Name

4. Click Update User.

---

API Issue

1. Call the admin user update API without providing all required fields.
2. The API returns a "required field missing" error.
3. Provide all mandatory fields and update the user.

Example API Call:

curl -X 'PUT' \
  'http://localhost:4444/auth/email/admin/users/user_admin%40example.com' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "email": "user_admin@example.com",
  "password": "abcd1235",
  "is_admin": true
}'

---

Actual Behavior

UI

• Clicking Update User does not update any user details, including admin privilege, password, or full name.

API

• email, password, and is_admin are treated as mandatory fields.
• If full_name is not included in the request payload, the existing full name is overwritten and becomes null / NA.

---

Expected Behavior

UI

• Users should be able to update admin privilege, password, or full name independently.

API

• The update endpoint should support partial updates.
• Existing user attributes should remain unchanged if they are not provided in the payload.
• Password and email should not be mandatory when updating admin privileges only.

---

Impact

• Prevents updating user details via UI.
• Causes unintended data loss when updating users through the API.
• Introduces usability and data integrity issues.

---

Environment

• Database: PostgreSQL
• API Endpoint: /auth/email/admin/users/{email}
• Commit: 4bbb15e

---

Screenshot

---

[crivetimihai]

Thanks for the detailed report, @rakdutta!

Root Cause Analysis

API Issue

The PUT /admin/users/{email} endpoint uses EmailRegistrationRequest schema for both create AND update:

@email_auth_router.put("/admin/users/{user_email}", response_model=EmailUserResponse)
async def update_user(user_email: str, user_request: EmailRegistrationRequest, ...):

The EmailRegistrationRequest schema (schemas.py lines 5216-5219):

email: EmailStr = Field(...)        # Required - but it's already in the URL!
password: str = Field(..., min_length=8)  # Required - shouldn't be for updates
full_name: Optional[str] = Field(None, ...)  # Optional - but when missing, becomes None
is_admin: bool = Field(False, ...)

Problems:

1. email is required but already in URL path
2. password is required but shouldn't be for updates (just changing name/admin)
3. Missing full_name sets it to None, overwriting existing value

Fix

Create a separate EmailUserUpdateRequest schema with all Optional fields:

class EmailUserUpdateRequest(BaseModel):
    password: Optional[str] = Field(None, min_length=8)
    full_name: Optional[str] = Field(None)
    is_admin: Optional[bool] = Field(None)

And update only the fields that are provided (not None).

UI Issue

Need to investigate the form submission in admin.py and admin.js to see why the Update User button doesn't work. This may be related to the duplicate password requirement IDs issue (#2702).