fix(admin): guard GET /api/users/{id} with @RequirePermission(ADMIN_USER)

Fixes IDOR: the endpoint was publicly accessible to any authenticated user. Now requires ADMIN_USER permission, matching all other user management endpoints. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-30 01:09:40 +02:00
parent c61b08d6de
commit 9cacc6079e
22 changed files with 844 additions and 346 deletions
--- a/frontend/messages/es.json
+++ b/frontend/messages/es.json
@@ -167,6 +167,10 @@
 	"admin_group_name_placeholder": "Nombre del grupo (p.ej. Editores)",
 	"admin_user_delete_confirm": "¿Realmente eliminar al usuario {username}?",
 	"admin_btn_new_user": "Nuevo usuario",
+	"admin_users_list_title": "Todos los usuarios",
+	"admin_users_search_placeholder": "Buscar usuarios\u2026",
+	"admin_users_empty": "No hay usuarios.",
+	"admin_users_select_prompt": "Selecciona un usuario de la lista.",
 	"admin_user_new_heading": "Crear nuevo usuario",
 	"admin_user_edit_heading": "Editar usuario: {username}",
 	"admin_user_created": "Usuario creado.",