User Management
Overview Description
The User Management feature allows administrators to oversee all user accounts within the system. Administrators can view a paginated list of users, filter and sort them by various criteria, and perform operations such as creating new admin users, updating existing user information, changing user status, and deleting users when necessary. This feature includes role-based access controls, where certain actions are restricted to users with Super Admin privileges.
Activity Diagram
---
config:
theme: base
layout: dagre
flowchart:
curve: linear
htmlLabels: true
themeVariables:
edgeLabelBackground: "transparent"
---
flowchart TD
%% Main components
AdminUser[Admin User]
AdminInterface[User Management Interface]
%% Action components
ActionSelect{Action Selection}
%% Flow connections with numbered steps
AdminUser --- Step1[
<div style='text-align: center'>
<span style='display: inline-block; background-color: #6699cc !important; color:white; width: 28px; height: 28px; line-height: 28px; border-radius: 50%; font-weight: bold'>1</span>
<p style='margin-top: 8px'>Access Interface</p>
</div>
]
Step1 --> AdminInterface
AdminInterface --- Step2[
<div style='text-align: center'>
<span style='display: inline-block; background-color: #6699cc !important; color:white; width: 28px; height: 28px; line-height: 28px; border-radius: 50%; font-weight: bold'>2</span>
<p style='margin-top: 8px'>Select Action</p>
</div>
]
Step2 --> ActionSelect
ActionSelect --- Step3A[
<div style='text-align: center'>
<span style='display: inline-block; background-color: #6699cc !important; color:white; width: 28px; height: 28px; line-height: 28px; border-radius: 50%; font-weight: bold'>3A</span>
<p style='margin-top: 8px'>View Users</p>
</div>
]
Step3A --> ViewUsers[List Users]
ActionSelect --- Step3B[
<div style='text-align: center'>
<span style='display: inline-block; background-color: #99cc66 !important; color:white; width: 28px; height: 28px; line-height: 28px; border-radius: 50%; font-weight: bold'>3B</span>
<p style='margin-top: 8px'>Create User</p>
</div>
]
Step3B --> CreateForm[User Creation Form]
ActionSelect --- Step3C[
<div style='text-align: center'>
<span style='display: inline-block; background-color: #cc66cc !important; color:white; width: 28px; height: 28px; line-height: 28px; border-radius: 50%; font-weight: bold'>3C</span>
<p style='margin-top: 8px'>Update User</p>
</div>
]
Step3C --> EditForm[User Edit Form]
ActionSelect --- Step3D[
<div style='text-align: center'>
<span style='display: inline-block; background-color: #cc9966 !important; color:white; width: 28px; height: 28px; line-height: 28px; border-radius: 50%; font-weight: bold'>3D</span>
<p style='margin-top: 8px'>Change Status</p>
</div>
]
Step3D --> ToggleStatus[Toggle User Status]
ActionSelect --- Step3E[
<div style='text-align: center'>
<span style='display: inline-block; background-color: #cc6666 !important; color:white; width: 28px; height: 28px; line-height: 28px; border-radius: 50%; font-weight: bold'>3E</span>
<p style='margin-top: 8px'>Delete User</p>
</div>
]
Step3E --> DeleteConfirm{Confirm Deletion}
ViewUsers --- Step4A[
<div style='text-align: center'>
<span style='display: inline-block; background-color: #6699cc !important; color:white; width: 28px; height: 28px; line-height: 28px; border-radius: 50%; font-weight: bold'>4A</span>
<p style='margin-top: 8px'>Filter/Sort</p>
</div>
]
Step4A --> FilterSort[Apply Filters/Sorting]
CreateForm --- Step4B[
<div style='text-align: center'>
<span style='display: inline-block; background-color: #99cc66 !important; color:white; width: 28px; height: 28px; line-height: 28px; border-radius: 50%; font-weight: bold'>4B</span>
<p style='margin-top: 8px'>Validate</p>
</div>
]
Step4B --> ValidateCreate{Validate Input}
EditForm --- Step4C[
<div style='text-align: center'>
<span style='display: inline-block; background-color: #cc66cc !important; color:white; width: 28px; height: 28px; line-height: 28px; border-radius: 50%; font-weight: bold'>4C</span>
<p style='margin-top: 8px'>Validate</p>
</div>
]
Step4C --> ValidateEdit{Validate Input}
ToggleStatus --- Step4D[
<div style='text-align: center'>
<span style='display: inline-block; background-color: #cc9966 !important; color:white; width: 28px; height: 28px; line-height: 28px; border-radius: 50%; font-weight: bold'>4D</span>
<p style='margin-top: 8px'>Update DB</p>
</div>
]
Step4D --> UpdateStatusDB[Update Status in Database]
DeleteConfirm --- Step4E[
<div style='text-align: center'>
<span style='display: inline-block; background-color: #cc6666 !important; color:white; width: 28px; height: 28px; line-height: 28px; border-radius: 50%; font-weight: bold'>4E</span>
<p style='margin-top: 8px'>Delete Record</p>
</div>
]
Step4E --> DeleteUserDB[Delete User from Database]
ValidateCreate --- Step5B1[
<div style='text-align: center'>
<span style='display: inline-block; background-color: #99cc66 !important; color:white; width: 28px; height: 28px; line-height: 28px; border-radius: 50%; font-weight: bold'>5B</span>
<p style='margin-top: 8px'>Create Record</p>
</div>
]
Step5B1 --> CreateUserDB[Create User in Database]
ValidateEdit --- Step5C1[
<div style='text-align: center'>
<span style='display: inline-block; background-color: #cc66cc !important; color:white; width: 28px; height: 28px; line-height: 28px; border-radius: 50%; font-weight: bold'>5C</span>
<p style='margin-top: 8px'>Update Record</p>
</div>
]
Step5C1 --> UpdateUserDB[Update User in Database]
FilterSort --- Step5A[
<div style='text-align: center'>
<span style='display: inline-block; background-color: #6699cc !important; color:white; width: 28px; height: 28px; line-height: 28px; border-radius: 50%; font-weight: bold'>5A</span>
<p style='margin-top: 8px'>Return to Interface</p>
</div>
]
Step5A --> AdminInterface
CreateUserDB --- Step6B[
<div style='text-align: center'>
<span style='display: inline-block; background-color: #99cc66 !important; color:white; width: 28px; height: 28px; line-height: 28px; border-radius: 50%; font-weight: bold'>6B</span>
<p style='margin-top: 8px'>Return to Interface</p>
</div>
]
Step6B --> AdminInterface
UpdateUserDB --- Step6C[
<div style='text-align: center'>
<span style='display: inline-block; background-color: #cc66cc !important; color:white; width: 28px; height: 28px; line-height: 28px; border-radius: 50%; font-weight: bold'>6C</span>
<p style='margin-top: 8px'>Return to Interface</p>
</div>
]
Step6C --> AdminInterface
UpdateStatusDB --- Step5D[
<div style='text-align: center'>
<span style='display: inline-block; background-color: #cc9966 !important; color:white; width: 28px; height: 28px; line-height: 28px; border-radius: 50%; font-weight: bold'>5D</span>
<p style='margin-top: 8px'>Return to Interface</p>
</div>
]
Step5D --> AdminInterface
DeleteUserDB --- Step5E[
<div style='text-align: center'>
<span style='display: inline-block; background-color: #cc6666 !important; color:white; width: 28px; height: 28px; line-height: 28px; border-radius: 50%; font-weight: bold'>5E</span>
<p style='margin-top: 8px'>Return to Interface</p>
</div>
]
Step5E --> AdminInterface
ValidateCreate -.->|Invalid| CreateForm
ValidateEdit -.->|Invalid| EditForm
DeleteConfirm -.->|Cancel| AdminInterface
%% Styling
style AdminUser fill:#e6f3ff,stroke:#0066cc,stroke-width:2px
style AdminInterface fill:#e6f3ff,stroke:#0066cc,stroke-width:2px
style ActionSelect fill:#f5f0ff,stroke:#9966cc,stroke-width:2px
style ViewUsers fill:#f0f8e6,stroke:#339933,stroke-width:2px
style CreateForm fill:#f0f8e6,stroke:#339933,stroke-width:2px
style EditForm fill:#f0f8e6,stroke:#339933,stroke-width:2px
style ToggleStatus fill:#f0f8e6,stroke:#339933,stroke-width:2px
style DeleteConfirm fill:#f5f0ff,stroke:#9966cc,stroke-width:2px
style FilterSort fill:#fff0f5,stroke:#cc6699,stroke-width:2px
style ValidateCreate fill:#f5f0ff,stroke:#9966cc,stroke-width:2px
style ValidateEdit fill:#f5f0ff,stroke:#9966cc,stroke-width:2px
style UpdateStatusDB fill:#ffe6cc,stroke:#ff9900,stroke-width:2px
style DeleteUserDB fill:#ffe6cc,stroke:#ff9900,stroke-width:2px
style CreateUserDB fill:#ffe6cc,stroke:#ff9900,stroke-width:2px
style UpdateUserDB fill:#ffe6cc,stroke:#ff9900,stroke-width:2px
style Step1 fill:transparent,stroke:transparent,stroke-width:1px
style Step2 fill:transparent,stroke:transparent,stroke-width:1px
style Step3A fill:transparent,stroke:transparent,stroke-width:1px
style Step3B fill:transparent,stroke:transparent,stroke-width:1px
style Step3C fill:transparent,stroke:transparent,stroke-width:1px
style Step3D fill:transparent,stroke:transparent,stroke-width:1px
style Step3E fill:transparent,stroke:transparent,stroke-width:1px
style Step4A fill:transparent,stroke:transparent,stroke-width:1px
style Step4B fill:transparent,stroke:transparent,stroke-width:1px
style Step4C fill:transparent,stroke:transparent,stroke-width:1px
style Step4D fill:transparent,stroke:transparent,stroke-width:1px
style Step4E fill:transparent,stroke:transparent,stroke-width:1px
style Step5A fill:transparent,stroke:transparent,stroke-width:1px
style Step5B1 fill:transparent,stroke:transparent,stroke-width:1px
style Step5C1 fill:transparent,stroke:transparent,stroke-width:1px
style Step5D fill:transparent,stroke:transparent,stroke-width:1px
style Step5E fill:transparent,stroke:transparent,stroke-width:1px
style Step6B fill:transparent,stroke:transparent,stroke-width:1px
style Step6C fill:transparent,stroke:transparent,stroke-width:1px
API: User Management API
Case Documentation
Case 1: Listing Users
Description
Administrator retrieves a paginated list of users with optional filtering and sorting.
Sequence Diagram
sequenceDiagram
participant Admin
participant API as UserController
participant Auth as AuthService
participant UserService as UserService
participant UserRepository as UserRepository
participant DB as Database
Note over Admin,DB: User Listing Flow
rect rgb(200, 255, 200)
Note right of Admin: Happy Case Flow
Admin->>API: GET /api/admin/users (with query params)
rect rgb(255, 255, 200)
Note right of API: Authentication & Authorization
API->>Auth: verifyAdminAccess()
Auth-->>API: Return verification result
end
rect rgb(200, 230, 255)
Note right of API: Input Validation
API->>API: validateRequest()
end
rect rgb(200, 255, 255)
Note right of API: Business Logic Processing
API->>UserService: getUsers(params)
UserService->>UserRepository: list(params)
UserRepository->>DB: SELECT * FROM users WHERE status = ? AND name LIKE ? ORDER BY ? LIMIT ? OFFSET ?
DB-->>UserRepository: Return matching users
UserRepository-->>UserService: Return results
UserService-->>API: Return paginated results
end
API-->>Admin: 200 OK with users collection
end
rect rgb(255, 200, 200)
Note right of Admin: Error Handling
rect rgb(255, 230, 230)
alt Authentication Error
Auth-->>API: 401 Unauthorized
API-->>Admin: 401 Unauthorized
else Authorization Error
Auth-->>API: 403 Forbidden
API-->>Admin: 403 Forbidden
else Validation Error
API-->>Admin: 422 Unprocessable Entity
else Database Error
DB-->>UserRepository: Database error
UserRepository-->>UserService: Error result
UserService-->>API: Error result
API-->>Admin: 500 Internal Server Error
end
end
end
Steps
Step 1: Request User List
- Description: Admin requests the list of users with optional filters
- Request:
GET /api/admin/users - Query Parameters:
perpage: Number of items per pagepage: Page numbername: Filter users by nameorderBy: Field to order bysortBy: Sort direction (asc or desc)status: Filter users by status
Step 2: Check Admin Permissions
- Description: System verifies the user has admin permissions
- Action: Check if current user has admin roles
- Potential errors: Insufficient permissions
Step 3: Retrieve User Data
- Description: System fetches users from the database based on filters
- Action:
- Apply filters from query parameters
- Restrict results based on admin role level
- Paginate the results
Step 4: Return User List
- Description: Return the paginated list of users
- Response:
- Success:
200 OKwith user collection and pagination metadata - Error: Appropriate error message
- Success:
Error Handling
- Log
- User list retrieval failures logged to application log
- Error Detail:
Status Code Error Message Description 403 "ユーザーリストの取得に失敗しました。" When user does not have admin permissions 400 Generic error with exception message When unexpected errors occur
Case 2: Creating a New Admin User
Description
Super Admin creates a new administrative user account.
Sequence Diagram
sequenceDiagram
participant Admin
participant API as UserController
participant Validator as FormRequest
participant Service as UserService
participant DB as Database
Note over Admin,DB: Step 1: Submit User Creation
Admin->>API: POST /api/admin/users (user_data)
Note over API,Service: Step 2: Check Admin Permissions
API->>API: Check if SuperAdmin
Note over API,Validator: Step 3: Validate Input
API->>Validator: StoreAdminUserRequest::validate()
Validator-->>API: Return Validated Data
Note over Service,DB: Step 4: Create User
API->>Service: create(validated_data)
Service->>DB: Insert User Record
Service->>DB: Assign Admin Role
DB-->>Service: Return Created User
Note over API,Admin: Step 5: Return Response
Service-->>API: Return User Data
API-->>Admin: 200 OK (user resource)
Steps
Step 1: Submit User Creation
- Description: Admin submits form to create a new user
- Request:
POST /api/admin/users - Required fields:
- name: User's full name
- email: User's email address
- password: User's password
- role_id: Admin role ID
- status: User status (optional)
Step 2: Check Admin Permissions
- Description: System verifies the user has Super Admin permissions
- Action: Check if current user is a Super Admin
- Potential errors: Insufficient permissions (403)
Step 3: Validate Input
- Description: System validates all input data
- Action: Runs validation rules from StoreAdminUserRequest
- Validation rules:
- name: Required
- email: Required, valid email format, unique in users table
- password: Required, minimum 8 characters
- role_id: Required, must exist in roles table
- status: Optional, must be one of predefined values
Step 4: Create User
- Description: System creates the new user account
- Action:
- Hash password
- Create user record
- Assign admin role
Step 5: Return Response
- Description: Return the created user data
- Response:
- Success:
200 OKwith user data - Error: Appropriate error message with validation errors
- Success:
Error Handling
- Log
- User creation failures logged to application log
- Error Detail:
Status Code Error Message Description 403 "このリソースにアクセスする権限がありません。" When user is not a Super Admin 400 "ユーザーの作成に失敗しました。" When user creation fails 422 Validation error messages For validation rule failures 400 "メールアドレスはすでに使用されています。" For unique email constraint failures
Case 3: Updating an Existing User
Description
Super Admin updates an existing user's information.
Sequence Diagram
sequenceDiagram
participant Admin
participant API as UserController
participant Validator as FormRequest
participant Service as UserService
participant DB as Database
Note over Admin,DB: Step 1: Submit User Update
Admin->>API: PUT /api/admin/users/{id} (updated_data)
Note over API,Service: Step 2: Check Admin Permissions
API->>API: Check if SuperAdmin
Note over API,Validator: Step 3: Validate Input
API->>Validator: UpdateAdminUserRequest::validate()
Validator-->>API: Return Validated Data
Note over Service,DB: Step 4: Update User
API->>Service: update(id, validated_data)
Service->>DB: Update User Record
Service->>DB: Update User Roles
DB-->>Service: Return Updated User
Note over API,Admin: Step 5: Return Response
Service-->>API: Return User Data
API-->>Admin: 200 OK (user resource)
Steps
Step 1: Submit User Update
- Description: Admin submits form to update user information
- Request:
PUT /api/admin/users/{id} - Updatable fields:
- name: User's full name
- email: User's email address
- role_id: Admin role ID
- status: User status
Step 2: Check Admin Permissions
- Description: System verifies the user has Super Admin permissions
- Action: Check if current user is a Super Admin
- Potential errors: Insufficient permissions (403)
Step 3: Validate Input
- Description: System validates all input data
- Action: Runs validation rules from UpdateAdminUserRequest
- Validation rules:
- name: Required
- email: Required, valid email format, unique in users table except current user
- role_id: Required, must exist in roles table
- status: Optional, must be one of predefined values
Step 4: Update User
- Description: System updates the user information
- Action:
- Update user record with new data
- Update role assignments if role_id changed
Step 5: Return Response
- Description: Return the updated user data
- Response:
- Success:
200 OKwith updated user data - Error: Appropriate error message with validation errors
- Success:
Error Handling
- Log
- User update failures logged to application log
- Error Detail:
Status Code Error Message Description 403 "このリソースにアクセスする権限がありません。" When user is not a Super Admin 400 "ユーザーデータの更新に失敗しました。" When user update fails 422 Validation error messages For validation rule failures 404 "指定されたユーザーが見つかりません。" When user ID doesn't exist
Case 4: Changing User Status
Description
Super Admin activates or deactivates a user account.
Sequence Diagram
sequenceDiagram
participant Admin
participant API as UserController
participant Service as UserService
participant DB as Database
Note over Admin,DB: Step 1: Request Status Change
Admin->>API: POST /api/admin/users/{id}/change-status
Note over API,Service: Step 2: Check Admin Permissions
API->>API: Check if SuperAdmin
Note over Service,DB: Step 3: Toggle User Status
API->>Service: updateStatusById(id)
Service->>DB: Fetch Current Status
DB-->>Service: Return User
Service->>DB: Update with Toggled Status
DB-->>Service: Return Updated User
Note over API,Admin: Step 4: Return Response
Service-->>API: Return User Data
API-->>Admin: 200 OK (user resource)
Steps
Step 1: Request Status Change
- Description: Admin requests to change a user's active status
- Request:
POST /api/admin/users/{id}/change-status
Step 2: Check Admin Permissions
- Description: System verifies the user has Super Admin permissions
- Action: Check if current user is a Super Admin
- Potential errors: Insufficient permissions (403)
Step 3: Toggle User Status
- Description: System toggles the user's active status
- Action:
- Retrieve current status
- Update to opposite status (active to inactive or vice versa)
- Record status change timestamp
Step 4: Return Response
- Description: Return the updated user data
- Response:
- Success:
200 OKwith updated user data including new status - Error: Appropriate error message
- Success:
Error Handling
- Log
- Status change failures logged to application log
- Error Detail:
Status Code Error Message Description 403 "このリソースにアクセスする権限がありません。" When user is not a Super Admin 400 "ユーザーデータの更新に失敗しました。" When status update fails 404 "指定されたユーザーが見つかりません。" When user ID doesn't exist
Case 5: Deleting a User
Description
Super Admin removes a user from the system.
Sequence Diagram
sequenceDiagram
participant Admin
participant API as UserController
participant Service as UserService
participant DB as Database
Note over Admin,DB: Step 1: Request User Deletion
Admin->>API: DELETE /api/admin/users/{id}
Note over API,Service: Step 2: Check Admin Permissions
API->>API: Check if SuperAdmin
Note over API,Service: Step 3: Verify Not Self-Deletion
API->>API: Check if Not Deleting Self
Note over Service,DB: Step 4: Delete User
API->>Service: delete(id)
Service->>DB: Begin Transaction
Service->>DB: Delete Role Associations
Service->>DB: Delete User Record
Service->>DB: Commit Transaction
DB-->>Service: Confirm Deletion
Note over API,Admin: Step 5: Return Response
Service-->>API: Deletion Status
API-->>Admin: 200 OK (success message)
Steps
Step 1: Request User Deletion
- Description: Admin requests to delete a user
- Request:
DELETE /api/admin/users/{id}
Step 2: Check Admin Permissions
- Description: System verifies the user has Super Admin permissions
- Action: Check if current user is a Super Admin
- Potential errors: Insufficient permissions (403)
Step 3: Verify Not Self-Deletion
- Description: System prevents administrators from deleting their own accounts
- Action: Compare requested ID with current user ID
- Potential errors: Cannot delete own account (403)
Step 4: Delete User
- Description: System removes the user from the database
- Action:
- Begin database transaction
- Delete user roles and associations
- Delete user record
- Commit transaction
Step 5: Return Response
- Description: Confirm successful deletion
- Response:
- Success:
200 OKwith success message - Error: Appropriate error message
- Success:
Error Handling
- Log
- User deletion failures logged to application log
- Error Detail:
Status Code Error Message Description 403 "このリソースにアクセスする権限がありません。" When user is not a Super Admin 403 "自分自身のアカウントを削除することはできません。" When attempting to delete own account 400 "ユーザーデータの削除に失敗しました。" When deletion fails for other reasons 404 "指定されたユーザーが見つかりません。" When user ID doesn't exist
Case 6: Retrieving Current User Profile
Description
Admin user retrieves their own profile information.
Sequence Diagram
sequenceDiagram
participant Admin
participant API as UserController
participant Service as AuthService
participant DB as Database
Note over Admin,DB: Step 1: Request Profile
Admin->>API: GET /api/admin/profile
Note over API,Service: Step 2: Get Authenticated User
API->>Service: getProfile()
Service->>DB: Fetch User Data
Service->>DB: Fetch User Roles
DB-->>Service: Return User Data with Roles
Note over API,Admin: Step 3: Return Profile
Service-->>API: Return User Profile
API-->>Admin: 200 OK (user resource)
Steps
Step 1: Request Profile
- Description: Admin requests their own profile information
- Request:
GET /api/admin/profile
Step 2: Get Authenticated User
- Description: System retrieves the authenticated user's information
- Action:
- Get user data for the authenticated session
- Include role information
- Load necessary related data
Step 3: Return Profile
- Description: Return the user's profile information
- Response:
- Success:
200 OKwith user profile data including role - Error: Appropriate error message if profile retrieval fails
- Success:
Error Handling
- Log
- Profile retrieval failures logged to application log
- Error Detail:
Status Code Error Message Description 401 "認証に失敗しました。" When user is not authenticated 400 "プロフィールの取得に失敗しました。" When profile retrieval fails
Additional Notes
- The User Management module includes role-based access control where certain actions (create, update, delete, change status) are restricted to Super Admin users only.
- The system prevents administrators from deleting their own accounts to prevent accidental loss of access.
- User filtering and sorting capabilities are provided to help manage large user lists effectively.
- All sensitive operations (user creation, updates, deletion) are logged to maintain an audit trail.
- Password management follows security best practices with proper hashing and validation.
- Email uniqueness is enforced at both application and database levels.
Database Related Tables & Fields
erDiagram
groups {
bigint id PK "Primary key"
string name "Group name"
bigint created_by FK "Reference to users table"
integer status "0: Inactive, 1: Active"
timestamp created_at "Record creation timestamp"
timestamp updated_at "Last update timestamp"
}
users {
bigint id PK "Primary key"
string name "User's full name"
string email "User's email address (unique)"
string uid "Unique identifier (50 chars)"
string payment_provider_customer_id "Stripe customer ID (nullable)"
integer status "0: Inactive, 1: Active"
integer is_first_login "1: logged in, 0: not yet"
string remember_token "Remember me token"
timestamp created_at "Account creation timestamp"
timestamp updated_at "Last update timestamp"
timestamp deleted_at "Soft delete timestamp"
}
group_members {
bigint id PK "Primary key"
bigint group_id FK "Reference to groups table"
bigint user_id FK "Reference to users table"
bigint group_role_id FK "Reference to group_roles table"
boolean is_creator "Whether user is group creator"
timestamp joined_at "When user joined the group"
timestamp created_at "Record creation timestamp"
timestamp updated_at "Last update timestamp"
}
group_roles {
bigint id PK "Primary key"
string name "Role name (50 chars)"
string slug "Role slug (50 chars, unique)"
timestamp created_at "Record creation timestamp"
timestamp updated_at "Last update timestamp"
}
admin_roles {
bigint id PK
string name "Role display name"
string slug "Role identifier for permissions (unique)"
timestamp created_at
timestamp updated_at
}
admin_role_user {
bigint user_id FK "Reference to users table"
bigint role_id FK "Reference to roles table"
timestamp created_at
timestamp updated_at
}
groups }|--|| users : created_by
groups ||--o{ group_members : has
users ||--o{ group_members : has
group_roles ||--o{ group_members : has
users ||--o{ admin_role_user : has
admin_roles ||--o{ admin_role_user : has