---
issue: 032
title: "Admin delete user via legacy endpoint performs hard delete (findByIdAndDelete) instead of soft delete"
severity: major
domain: User Management
status: resolved
resolved: 2026-05-29
fix: "Changed findByIdAndDelete to findByIdAndUpdate({ status: 'deleted' }) in legacy admin delete route in userRoutes.ts."
labels: [bug, frontend, backend, major, data-integrity]
status: open
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🟠 Admin delete user via legacy endpoint performs hard delete (findByIdAndDelete) instead of soft delete

**Severity:** major
**Domain:** User Management
**Labels:** bug, frontend, backend, major, data-integrity

## Description

Frontend `deleteUser` function calls the legacy `/users/admin/:id` DELETE route which performs `findByIdAndDelete` (hard delete). The new controller at `/api/user/admin/:userId` performs a soft delete (`status='deleted'`). The frontend comment says 'soft delete' but calls the hard-delete route. User records and all associated data are permanently destroyed.

## Current Behavior

Admin 'delete user' action permanently destroys the user record from the database via `findByIdAndDelete`.

## Expected Behavior

Frontend should call the new controller endpoint `/api/user/admin/:userId` for soft delete, or the legacy route should be updated to perform a soft delete.

## Affected Files

- `frontend/src/actions/user.ts`
- `frontend/src/lib/axios.ts`

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md)
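The before and after of the legacy route's behaviour, as an added example that is not the project's code: `UserStore` is a hypothetical, synchronous in-memory stand-in for the Mongoose model (real Mongoose calls return promises), and the handler names and sample users are constructed.

```typescript
type UserStatus = 'active' | 'deleted';
interface UserDoc { _id: string; email: string; status: UserStatus; }

// Hypothetical stand-in exposing the two model calls named in this issue.
class UserStore {
  private docs: { [id: string]: UserDoc } = {};
  insert(u: UserDoc): void { this.docs[u._id] = { ...u }; }
  findById(id: string): UserDoc | null {
    const d = this.docs[id];
    return d ? { ...d } : null;
  }
  // Hard delete: the document is gone and cannot be audited or restored.
  findByIdAndDelete(id: string): UserDoc | null {
    const d = this.findById(id);
    delete this.docs[id];
    return d;
  }
  // In-place update: the document stays in the collection.
  findByIdAndUpdate(id: string, update: Partial<UserDoc>): UserDoc | null {
    const d = this.docs[id];
    if (!d) return null;
    this.docs[id] = { ...d, ...update };
    return this.findById(id);
  }
  // Normal listings should filter out soft-deleted users.
  listActive(): UserDoc[] {
    return Object.keys(this.docs)
      .map((k) => this.docs[k] as UserDoc)
      .filter((u) => u.status !== 'deleted');
  }
}

// Before the fix: legacy DELETE /users/admin/:id destroys the record.
function legacyDeleteBefore(store: UserStore, id: string): number {
  return store.findByIdAndDelete(id) ? 200 : 404;
}

// After the fix: same route, but it only flips status to 'deleted'.
function legacyDeleteAfter(store: UserStore, id: string): number {
  return store.findByIdAndUpdate(id, { status: 'deleted' }) ? 200 : 404;
}

// Constructed sample data.
function seededStore(): UserStore {
  const s = new UserStore();
  s.insert({ _id: 'u1', email: 'alice@example.test', status: 'active' });
  s.insert({ _id: 'u2', email: 'bob@example.test', status: 'active' });
  return s;
}
```

A regression test against the real route can make the same assertion: after an admin delete, the user document still exists with `status` set to `'deleted'`.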