nick-doc/Issues/ISSUE-032-admin-delete-user-via-legacy-endpoint-performs-hard-delete-f.md
Siavash Sameni dceaf82934 audit: 2026-05-30 full-codebase audit — report, issues, docs, runbooks
Full-codebase-audit 2026-05-30 outputs:
- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment
  flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed
working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-30 18:48:04 +04:00


| issue | title | severity | domain | status | resolved | fix | labels | status | created | source |
|---|---|---|---|---|---|---|---|---|---|---|
| 032 | Admin delete user via legacy endpoint performs hard delete (findByIdAndDelete) instead of soft delete | major | User Management | resolved | 2026-05-29 | Changed findByIdAndDelete to findByIdAndUpdate({ status: 'deleted' }) in legacy admin delete route in userRoutes.ts. | bug, frontend, backend, major, data-integrity | open | 2026-05-29 | Doc vs Code Audit 2026-05-29 |

🟠 Admin delete user via legacy endpoint performs hard delete (findByIdAndDelete) instead of soft delete

Severity: major | Domain: User Management | Labels: bug, frontend, backend, major, data-integrity

Description

The frontend deleteUser function calls the legacy DELETE /users/admin/:id route, which performs findByIdAndDelete (a hard delete). The new controller at /api/user/admin/:userId performs a soft delete (status='deleted'). The frontend comment says 'soft delete', but the code calls the hard-delete route. User records and all associated data are permanently destroyed.

Current Behavior

Admin 'delete user' action permanently destroys the user record from the database via findByIdAndDelete.

Expected Behavior

Frontend should call the new controller endpoint /api/user/admin/:userId for soft delete, or the legacy route should be updated to perform a soft delete.
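
A regression guard for this class of bug, as an added example that is not the project's own code: it scans route source text for Mongoose hard-delete calls and reports which route declaration they sit under. The two route snippets, the `requireAdmin` middleware name and the '/admin/:id' mount-relative path are constructed assumptions; only findByIdAndDelete, findByIdAndUpdate({ status: 'deleted' }) and userRoutes.ts come from the issue.

```typescript
// Added example; the route snippets below are constructed, not the project's code.
interface Finding { route: string; call: string; line: number }

// Mongoose model methods that physically remove documents.
const HARD_DELETE =
  /\.(findByIdAndDelete|findOneAndDelete|findByIdAndRemove|findOneAndRemove|deleteOne|deleteMany)\s*\(/;

// Express-style route declaration, e.g. router.delete('/admin/:id', ...)
const ROUTE = /\b(?:router|app)\.(get|post|put|patch|delete)\s*\(\s*['"`]([^'"`]+)['"`]/;

function findHardDeletes(source: string): Finding[] {
  const findings: Finding[] = [];
  let current = '(outside any route)';
  source.split('\n').forEach((text, i) => {
    // Drop line comments so a stale "// soft delete" note cannot hide or fake a hit.
    // Limitation: a '//' inside a string literal also truncates the line.
    const code = text.replace(/\/\/.*$/, '');
    const route = ROUTE.exec(code);
    if (route) current = `${route[1].toUpperCase()} ${route[2]}`;
    const hit = HARD_DELETE.exec(code);
    if (hit) findings.push({ route: current, call: hit[1], line: i + 1 });
  });
  return findings;
}

// One line per finding, suitable for failing a CI job when the list is non-empty.
function report(file: string, findings: Finding[]): string[] {
  return findings.map(f => `${file}:${f.line} ${f.route} calls ${f.call}`);
}

// Constructed "before" handler: hard delete (requireAdmin is a hypothetical middleware).
const LEGACY_BEFORE = [
  "router.delete('/admin/:id', requireAdmin, async (req, res) => {",
  "  await User.findByIdAndDelete(req.params.id);",
  "  res.json({ success: true });",
  "});",
].join('\n');

// Constructed "after" handler: soft delete, matching the fix recorded in this issue.
const LEGACY_AFTER = [
  "router.delete('/admin/:id', requireAdmin, async (req, res) => {",
  "  // soft delete: keep the record, mark it deleted",
  "  await User.findByIdAndUpdate(req.params.id, { status: 'deleted' });",
  "  res.json({ success: true });",
  "});",
].join('\n');
```

The scan is line-based, so it attributes a call to the nearest preceding route declaration and does not follow calls into helper functions or services.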

Affected Files

  • frontend/src/actions/user.ts
  • frontend/src/lib/axios.ts

References