---
issue: "010"
title: "Admin user status/role actions broken: wrong HTTP verb (PUT vs PATCH) and wrong status values"
severity: critical
domain: admin
labels: [frontend, bug]
status: open
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🔴 Admin user status/role actions broken: wrong HTTP verb (PUT vs PATCH) and wrong status values

**Severity:** critical
**Domain:** admin
**Labels:** frontend, bug

## Description

Two separate bugs on the admin user management actions:

**Bug 1 — Wrong HTTP verb:**

`frontend/src/actions/user.ts`:

- `updateUserStatus` calls `axiosInstance.put(...)` — backend registers `PATCH`
- `updateUserRole` calls `axiosInstance.put(...)` — backend registers `PATCH`

Both will 404/405 in production since Express doesn't alias PUT to PATCH.

**Bug 2 — Wrong status values:**

`updateUserStatus` accepts and sends `'active' | 'inactive' | 'pending'`. The backend `User.status` enum only accepts `'active' | 'suspended' | 'deleted'`. Sending `'inactive'` or `'pending'` is silently rejected or ignored. `'suspended'` is completely absent from the frontend type.

## Current Behavior

- Clicking "Suspend user" in admin panel sends `PUT /api/users/admin/:userId/status` with `{ status: 'inactive' }` → 404 and wrong value
- Clicking "Update role" sends `PUT /api/users/admin/:userId/role` → 404

## Expected Behavior

- Use `axiosInstance.patch(...)` for both actions
- Status values should be `'active' | 'suspended' | 'deleted'` to match the backend enum

## Affected Files

- `frontend/src/actions/user.ts` — `updateUserStatus` (line ~162), `updateUserRole` (line ~175)
- `frontend/src/types/user.ts` (line ~159) — status union type needs to include `'suspended'` and remove `'inactive'`/`'pending'`

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md) — Findings C26, C27
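
A contract check that would flag both bugs, given as an added example (not code from the repository): it compares the calls the frontend makes against the verbs, paths and `User.status` values this issue says the backend accepts. `ApiCall`, `BackendRoute`, `BACKEND_ROUTES`, `checkCall`, the user id `u123` and the role value are assumptions made for the illustration.

```typescript
// Added example, not project code. ApiCall, BackendRoute, BACKEND_ROUTES and checkCall
// are hypothetical names; verbs, paths and enum values are the ones stated in this issue.
type Verb = 'PUT' | 'PATCH';
type Payload = Record<string, unknown>;
interface ApiCall { verb: Verb; url: string; body: Payload }
interface BackendRoute { verb: Verb; pattern: RegExp; validate?: (body: Payload) => string | null }

const USER_STATUSES = ['active', 'suspended', 'deleted']; // backend User.status enum

const BACKEND_ROUTES: BackendRoute[] = [
  {
    verb: 'PATCH',
    pattern: /^\/api\/users\/admin\/[^/]+\/status$/,
    validate: (body: Payload) => {
      const s = String(body['status']);
      return USER_STATUSES.indexOf(s) === -1 ? `status '${s}' is not in the backend enum` : null;
    },
  },
  { verb: 'PATCH', pattern: /^\/api\/users\/admin\/[^/]+\/role$/ },
];

// Returns the contract violations for one frontend call; an empty list means it matches.
function checkCall(call: ApiCall): string[] {
  let owner: BackendRoute | undefined;
  let verbOk = false;
  for (const r of BACKEND_ROUTES) {
    if (!r.pattern.test(call.url)) continue;
    owner = r;
    if (r.verb === call.verb) { verbOk = true; break; }
  }
  if (!owner) return [`no backend route for ${call.url}`];
  const problems: string[] = [];
  if (!verbOk) problems.push(`${call.verb} ${call.url}: backend registers ${owner.verb}`);
  // Check the body even when the verb is wrong, so both bugs surface in one run.
  const bodyProblem = owner.validate ? owner.validate(call.body) : null;
  if (bodyProblem) problems.push(bodyProblem);
  return problems;
}

// Constructed calls: what the issue says the frontend sends today, then the expected fix.
const currentCalls: ApiCall[] = [
  { verb: 'PUT', url: '/api/users/admin/u123/status', body: { status: 'inactive' } },
  { verb: 'PUT', url: '/api/users/admin/u123/role', body: { role: 'admin' } },
];
const fixedCalls: ApiCall[] = [
  { verb: 'PATCH', url: '/api/users/admin/u123/status', body: { status: 'suspended' } },
  { verb: 'PATCH', url: '/api/users/admin/u123/role', body: { role: 'admin' } },
];
```

Running `checkCall` over `currentCalls` reports two problems for the status action and one for the role action; `fixedCalls` reports none.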