simple-module-users 0.0.12__tar.gz → 0.0.14__tar.gz

{simple_module_users-0.0.12 → simple_module_users-0.0.14}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: simple_module_users
-Version: 0.0.12
+Version: 0.0.14
 Summary: Email + password user management, admin invites, RBAC-ready — replaces Keycloak for simple_module apps
 Project-URL: Homepage, https://github.com/antosubash/simple_module_python
 Project-URL: Repository, https://github.com/antosubash/simple_module_python
@@ -24,11 +24,11 @@ Requires-Python: >=3.12
 Requires-Dist: aiosmtplib>=3.0
 Requires-Dist: cachetools>=5.3
 Requires-Dist: fastapi-users[oauth,sqlalchemy]<16,>=15
-Requires-Dist: simple-module-auth==0.0.12
-Requires-Dist: simple-module-core==0.0.12
-Requires-Dist: simple-module-db==0.0.12
-Requires-Dist: simple-module-hosting==0.0.12
-Requires-Dist: simple-module-settings==0.0.12
+Requires-Dist: simple-module-auth==0.0.14
+Requires-Dist: simple-module-core==0.0.14
+Requires-Dist: simple-module-db==0.0.14
+Requires-Dist: simple-module-hosting==0.0.14
+Requires-Dist: simple-module-settings==0.0.14
 Requires-Dist: typer>=0.12
 Description-Content-Type: text/markdown
 

{simple_module_users-0.0.12 → simple_module_users-0.0.14}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "simple_module_users"
-version = "0.0.12"
+version = "0.0.14"
 description = "Email + password user management, admin invites, RBAC-ready — replaces Keycloak for simple_module apps"
 readme = "README.md"
 license = "MIT"
@@ -21,11 +21,11 @@ classifiers = [
     "Typing :: Typed",
 ]
 dependencies = [
-    "simple_module_core==0.0.12",
-    "simple_module_db==0.0.12",
-    "simple_module_hosting==0.0.12",
-    "simple_module_settings==0.0.12",
-    "simple_module_auth==0.0.12",
+    "simple_module_core==0.0.14",
+    "simple_module_db==0.0.14",
+    "simple_module_hosting==0.0.14",
+    "simple_module_settings==0.0.14",
+    "simple_module_auth==0.0.14",
     # Pinned to a narrow range: `deps.py` relies on mutating CookieTransport
     # fields after construction (see reconfigure_cookie_transport in backend.py).
     # Bumping the major version requires re-checking those field names.

{simple_module_users-0.0.12 → simple_module_users-0.0.14}/tests/conftest.py

@@ -29,11 +29,16 @@ def _isolate_users_env(monkeypatch):
     After the env→DB migration ``UsersSettings()`` no longer reads these
     values, so this is belt-and-braces: it keeps old shell exports from
     muddying any ``SM_ENVIRONMENT`` checks or from being misread during
-    developer spelunking.
+    developer spelunking. Also stubs out
+    ``users.bootstrap._read_dotenv_bootstrap_vars`` so the developer's local
+    ``.env`` can't seed bootstrap creds into tests that exercise the resolver.
     """
+    from users import bootstrap as bootstrap_module
+
     for key in list(os.environ):
         if key.startswith("SM_USERS_"):
             monkeypatch.delenv(key, raising=False)
+    monkeypatch.setattr(bootstrap_module, "_read_dotenv_bootstrap_vars", dict)
 
 
 # ---------------------------------------------------------------------------
@@ -202,6 +207,26 @@ async def _make_admin_user(app):
     return user
 
 
+async def _make_standard_user(app, email: str = "user@example.com"):
+    """Seed a non-admin User with the standard ``user`` role.
+
+    Used by the negative-authz tests to confirm endpoints protected by
+    ``RequiresPermission(...)`` reject authenticated-but-non-admin callers.
+    """
+    from users.bootstrap import create_standard_user
+    from users.models import User
+
+    async with app.state.sm.db.session_factory() as session:
+        result = await create_standard_user(
+            session,
+            email=email,
+            password="UserPass1!",
+            full_name="Regular User",
+        )
+    user: User = result.user
+    return user
+
+
 @pytest.fixture
 async def admin_client(users_app) -> AsyncGenerator[httpx.AsyncClient, None]:
     """Client with a signed local-user session cookie (admin role)."""
@@ -219,6 +244,28 @@ async def admin_client(users_app) -> AsyncGenerator[httpx.AsyncClient, None]:
         yield c
 
 
+@pytest.fixture
+async def user_client(users_app) -> AsyncGenerator[httpx.AsyncClient, None]:
+    """Client with a signed session cookie for an authenticated non-admin user.
+
+    Counterpart to ``admin_client`` — every endpoint behind
+    ``RequiresPermission(...)`` should answer with 403 for this caller, since
+    the default role map only grants the wildcard to ``admin``.
+    """
+    user = await _make_standard_user(users_app)
+    cookie = forge_session_cookie(
+        str(users_app.state.sm.settings.secret_key),
+        {"user_id": str(user.id)},
+    )
+    transport = httpx.ASGITransport(app=users_app)
+    async with httpx.AsyncClient(
+        transport=transport,
+        base_url="http://testserver",
+        cookies={"session": cookie},
+    ) as c:
+        yield c
+
+
 # ---------------------------------------------------------------------------
 # DB session fixture scoped to users_app
 # ---------------------------------------------------------------------------

{simple_module_users-0.0.12 → simple_module_users-0.0.14}/tests/test_api_auth.py

@@ -198,7 +198,7 @@ class TestAuthThroughputLimit:
         self, anon_client, users_app, users_db
     ):
         """After the configured attempt budget, /forgot-password returns 429."""
-        from users.rate_limit import ThroughputLimiter
+        from users.auth_local.rate_limit import ThroughputLimiter
 
         # Tighten the limit for the test so we don't need to hit 10 real endpoints
         users_app.state.users.auth_throughput_limiter = ThroughputLimiter(

{simple_module_users-0.0.12 → simple_module_users-0.0.14}/tests/test_bootstrap.py

@@ -8,9 +8,7 @@ import pytest
 from fastapi_users.password import PasswordHelper
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
-from users import bootstrap as bootstrap_module
 from users.bootstrap import (
-    BOOTSTRAP_ENV_KEYS,
     CreateAdminResult,
     bootstrap_admin_from_env,
     create_admin,
@@ -19,15 +17,6 @@ from users.constants import ADMIN_ROLE_ID
 from users.models import Role, User, UserRole
 from users.settings import UsersSettings
 
-
-@pytest.fixture(autouse=True)
-def _isolate_from_repo_dotenv(monkeypatch: pytest.MonkeyPatch) -> None:
-    """Prevent the developer's ``.env`` from leaking bootstrap vars into tests."""
-    monkeypatch.setattr(bootstrap_module, "_read_dotenv_bootstrap_vars", dict)
-    for key in BOOTSTRAP_ENV_KEYS.values():
-        monkeypatch.delenv(key, raising=False)
-
-
 # ---------------------------------------------------------------------------
 # Helpers
 # ---------------------------------------------------------------------------

simple_module_users-0.0.14/tests/test_bootstrap_resolution.py

@@ -0,0 +1,72 @@
+"""Tests for ``resolve_bootstrap_credentials`` — the three-tier resolver shared
+between the boot-time admin seeder and the login-page dev-quick-fill UI.
+
+Regression coverage for issue #159: previously the login page only consulted
+``UsersSettings`` + ``os.environ``, so an admin seeded via the ``.env``
+fallback was created but the dev-quick-login button never showed.
+"""
+
+from __future__ import annotations
+
+import pytest
+from users import bootstrap as bootstrap_module
+from users.bootstrap import BOOTSTRAP_ENV_KEYS, resolve_bootstrap_credentials
+from users.settings import UsersSettings
+
+
+def _bare_users_settings(**overrides: str) -> UsersSettings:
+    """UsersSettings with all required-field defaults filled in."""
+    defaults = {
+        "reset_password_token_secret": "test-secret",
+        "verification_token_secret": "test-secret",
+    }
+    defaults.update(overrides)
+    return UsersSettings(**defaults)
+
+
+def test_prefers_settings_over_environ(monkeypatch: pytest.MonkeyPatch) -> None:
+    """A non-empty UsersSettings field beats the same key on ``os.environ``."""
+    monkeypatch.setenv("SM_USERS_BOOTSTRAP_EMAIL", "env@example.com")
+    settings = _bare_users_settings(bootstrap_email="settings@example.com")
+
+    resolved = resolve_bootstrap_credentials(settings)
+
+    assert resolved["bootstrap_email"] == "settings@example.com"
+
+
+def test_falls_back_to_environ(monkeypatch: pytest.MonkeyPatch) -> None:
+    """An empty UsersSettings field falls through to ``os.environ``."""
+    monkeypatch.setenv("SM_USERS_BOOTSTRAP_EMAIL", "env@example.com")
+    settings = _bare_users_settings()
+
+    resolved = resolve_bootstrap_credentials(settings)
+
+    assert resolved["bootstrap_email"] == "env@example.com"
+
+
+def test_falls_back_to_dotenv(monkeypatch: pytest.MonkeyPatch) -> None:
+    """When settings + ``os.environ`` are empty, ``.env`` is consulted last."""
+    monkeypatch.setattr(
+        bootstrap_module,
+        "_read_dotenv_bootstrap_vars",
+        lambda: {
+            "SM_USERS_BOOTSTRAP_EMAIL": "dotenv@example.com",
+            "SM_USERS_BOOTSTRAP_PASSWORD": "DotenvPass1!",
+        },
+    )
+    settings = _bare_users_settings()
+
+    resolved = resolve_bootstrap_credentials(settings)
+
+    assert resolved["bootstrap_email"] == "dotenv@example.com"
+    assert resolved["bootstrap_password"] == "DotenvPass1!"
+
+
+def test_returns_empty_strings_when_nothing_set() -> None:
+    """All four keys are present in the result even when unresolved."""
+    settings = _bare_users_settings()
+
+    resolved = resolve_bootstrap_credentials(settings)
+
+    assert set(resolved) == set(BOOTSTRAP_ENV_KEYS)
+    assert all(v == "" for v in resolved.values())

simple_module_users-0.0.14/tests/test_invite_reuse.py

@@ -0,0 +1,135 @@
+"""Invite + password-reset token-lifecycle regressions.
+
+The existing ``test_invite_flow`` covers the golden path and rejects a junk
+token; these tests add:
+
+* Reusing a verified invite token must be rejected (single-use).
+* Generating a reset link for a user produces a token that survives one
+  consume cycle and is rejected after the password has been changed (the
+  token's hash incorporates ``user.hashed_password``).
+* Acceptance for an already-disabled user does not log them in.
+
+If any of these regressed, a stolen invite/reset link could be reused
+arbitrarily — exactly the scenario the audit flagged.
+"""
+
+from __future__ import annotations
+
+import logging
+
+import pytest
+
+
+async def _send_invite_and_grab_token(admin_client, anon_client, caplog, email: str) -> str:
+    """Issue an invite and pull the token out of the ConsoleMailer log line."""
+    with caplog.at_level(logging.INFO, logger="users.mailer"):
+        resp = await admin_client.post(
+            "/api/users/admin/invite",
+            json={"email": email, "role_names": ["user"]},
+        )
+    assert resp.status_code == 201, resp.text
+    records = [r for r in caplog.records if r.getMessage() == "users.invite.email"]
+    assert records, "ConsoleMailer didn't log an invite.email record"
+    link = records[-1].link  # type: ignore[attr-defined]
+    return link.split("token=", 1)[1]
+
+
+@pytest.mark.anyio
+async def test_invite_token_is_single_use(admin_client, anon_client, caplog):
+    """Accepting the same invite token twice must fail the second time.
+
+    Verify tokens in fastapi-users flip ``is_verified`` on the user; the
+    re-use attempt raises ``UserAlreadyVerified``, which the endpoint maps
+    to 400 INVITE_BAD_TOKEN. A regression that re-issued the same JWT or
+    forgot to re-check state would let a stolen link be replayed.
+    """
+    token = await _send_invite_and_grab_token(
+        admin_client, anon_client, caplog, "single@example.com"
+    )
+
+    first = await anon_client.post(
+        "/api/users/auth/accept-invite",
+        json={"token": token, "password": "FirstUseSecret1!"},
+    )
+    assert first.status_code == 204, first.text
+
+    # Same token, same user, but already verified.
+    second = await anon_client.post(
+        "/api/users/auth/accept-invite",
+        json={"token": token, "password": "DifferentSecret2!"},
+    )
+    assert second.status_code == 400, second.text
+    assert second.json()["detail"] == "INVITE_BAD_TOKEN"
+
+
+@pytest.mark.anyio
+async def test_reset_token_invalidated_after_password_change(admin_client, anon_client, caplog):
+    """A reset-password token must no longer work once the user's hash changes.
+
+    fastapi-users binds reset tokens to ``user.hashed_password`` so any change
+    (including the reset itself, or a manual password update) revokes every
+    outstanding reset token. Without this, a leaked link would stay live
+    forever.
+    """
+    # Step 1: create a user via invite, log them in with a known password.
+    token = await _send_invite_and_grab_token(
+        admin_client, anon_client, caplog, "resetme@example.com"
+    )
+    await anon_client.post(
+        "/api/users/auth/accept-invite",
+        json={"token": token, "password": "InitialPass1!"},
+    )
+
+    # Step 2: admin mints a reset link.
+    listing = await admin_client.get("/api/users/admin")
+    target = next(u for u in listing.json() if u["email"] == "resetme@example.com")
+    reset = await admin_client.post(f"/api/users/admin/{target['id']}/reset-password-link")
+    assert reset.status_code == 200
+    reset_token = reset.json()["link"].split("token=", 1)[1]
+
+    # Step 3: user changes password via that token (consumes it).
+    used = await anon_client.post(
+        "/api/users/auth/reset-password",
+        json={"token": reset_token, "password": "PostResetPass1!"},
+    )
+    assert used.status_code in (200, 204), used.text
+
+    # Step 4: reuse the SAME reset token after password rotated — must fail.
+    replay = await anon_client.post(
+        "/api/users/auth/reset-password",
+        json={"token": reset_token, "password": "ReplayedPass1!"},
+    )
+    assert replay.status_code in (400, 401), (
+        f"Replayed reset token returned {replay.status_code}, expected 4xx. Body: {replay.text!r}"
+    )
+
+
+@pytest.mark.anyio
+async def test_disabled_user_cannot_accept_their_invite(admin_client, anon_client, caplog):
+    """Inviting + disabling before acceptance must keep the user out."""
+    token = await _send_invite_and_grab_token(
+        admin_client, anon_client, caplog, "blocked@example.com"
+    )
+
+    # Admin disables the freshly-invited user before they accept.
+    listing = await admin_client.get("/api/users/admin")
+    target = next(u for u in listing.json() if u["email"] == "blocked@example.com")
+    disable = await admin_client.patch(f"/api/users/admin/{target['id']}/disable")
+    assert disable.status_code == 200
+    assert disable.json()["is_active"] is False
+
+    # Token verifies the email but the user is inactive — fastapi-users'
+    # subsequent login step (or the session middleware's user-load) must
+    # refuse to issue a valid session.
+    resp = await anon_client.post(
+        "/api/users/auth/accept-invite",
+        json={"token": token, "password": "ShouldNotMatter1!"},
+    )
+    # Either the verify path itself refuses, or the subsequent login does;
+    # in both cases the user must not be authenticated afterwards. Probe
+    # /me with the post-response cookies to confirm.
+    me = await anon_client.get("/api/users/me", follow_redirects=False)
+    assert me.status_code in (302, 401), (
+        f"Disabled user appears authenticated after accept-invite "
+        f"(status={resp.status_code}, /me status={me.status_code})"
+    )

simple_module_users-0.0.14/tests/test_negative_authz.py

@@ -0,0 +1,84 @@
+"""Negative-authorization sweep across every endpoint behind RequiresPermission.
+
+Every endpoint guarded by ``RequiresPermission(...)`` must answer 403 when the
+caller is authenticated but not an admin. The decorator presence alone isn't
+enough — even one missing ``Depends(...)`` would leak admin-only data to
+ordinary users.
+
+The matrix below is exhaustive across the modules that ship with the framework
+(users, permissions, settings, feature_flags, background_tasks, file_storage).
+A new protected endpoint should be added here at the same time as it gains its
+``RequiresPermission`` dependency.
+"""
+
+from __future__ import annotations
+
+import uuid
+
+import pytest
+
+_FAKE_ID = uuid.uuid4()
+_PROTECTED_ENDPOINTS: tuple[tuple[str, str, dict | None], ...] = (
+    # users — admin sub-router
+    ("GET", "/api/users/admin", None),
+    ("POST", "/api/users/admin/invite", {"email": "x@y.test", "role_names": []}),
+    ("PATCH", f"/api/users/admin/{_FAKE_ID}/disable", None),
+    ("PATCH", f"/api/users/admin/{_FAKE_ID}/enable", None),
+    ("PUT", f"/api/users/admin/{_FAKE_ID}/roles", {"role_names": []}),
+    ("PATCH", f"/api/users/admin/{_FAKE_ID}/verify", None),
+    ("POST", f"/api/users/admin/{_FAKE_ID}/reset-password-link", None),
+    # permissions — root GET lists registered groups (PERM_VIEW)
+    ("GET", "/api/permissions/", None),
+    ("GET", f"/api/permissions/roles/{_FAKE_ID}", None),
+    ("PUT", f"/api/permissions/roles/{_FAKE_ID}", {"permissions": []}),
+    ("GET", f"/api/permissions/users/{_FAKE_ID}", None),
+    ("PUT", f"/api/permissions/users/{_FAKE_ID}", {"permissions": []}),
+    # settings — both the scoped CRUD and the module-config endpoints
+    ("GET", "/api/settings/", None),
+    ("POST", "/api/settings/", {"key": "x", "value": "1", "value_type": "string"}),
+    ("PUT", "/api/settings/system/anykey", {"value": "1", "value_type": "string"}),
+    ("DELETE", "/api/settings/system/anykey", None),
+    ("GET", "/api/settings/modules", None),
+    ("PUT", "/api/settings/modules/users", {}),
+    ("DELETE", "/api/settings/modules/users/allow_signup", None),
+    # feature flags
+    ("GET", "/api/feature_flags/", None),
+    ("PUT", "/api/feature_flags/anyflag", {"enabled": True}),
+    ("DELETE", "/api/feature_flags/anyflag", None),
+    # background tasks (admin router under /admin)
+    ("GET", "/api/background_tasks/admin/executions", None),
+    ("GET", "/api/background_tasks/admin/workers", None),
+    ("POST", f"/api/background_tasks/admin/executions/{_FAKE_ID}/retry", None),
+    # file_storage's list/upload/download/delete are deliberately granted to
+    # the standard `user` role, so they're NOT in the negative-authz matrix.
+)
+
+
+@pytest.mark.anyio
+@pytest.mark.parametrize(("method", "path", "json_body"), _PROTECTED_ENDPOINTS)
+async def test_protected_endpoint_rejects_non_admin(
+    user_client, method: str, path: str, json_body: dict | None
+) -> None:
+    """A logged-in non-admin user must be answered 403 by every protected route.
+
+    A regression here means the ``Depends(RequiresPermission(...))`` was dropped
+    or a non-admin role gained a wildcard mapping it shouldn't have.
+    """
+    resp = await user_client.request(method, path, json=json_body, follow_redirects=False)
+    assert resp.status_code == 403, (
+        f"{method} {path} returned {resp.status_code}, "
+        f"expected 403 for non-admin caller (body: {resp.text!r})"
+    )
+
+
+@pytest.mark.anyio
+async def test_admin_endpoints_still_pass_for_admin(admin_client) -> None:
+    """Sanity check: the same routes work for an admin caller.
+
+    Without this anchor a global regression that returned 403 for everyone
+    would still satisfy the parametrized 403 assertion above.
+    """
+    resp = await admin_client.get("/api/users/admin")
+    assert resp.status_code == 200
+    resp = await admin_client.get("/api/feature_flags/")
+    assert resp.status_code == 200

{simple_module_users-0.0.12 → simple_module_users-0.0.14}/tests/test_rate_limit.py

@@ -3,7 +3,7 @@
 from __future__ import annotations
 
 import pytest
-from users.rate_limit import LoginRateLimiter, ThroughputLimiter
+from users.auth_local.rate_limit import LoginRateLimiter, ThroughputLimiter
 
 
 @pytest.fixture

{simple_module_users-0.0.12 → simple_module_users-0.0.14}/tests/test_service_admin.py

@@ -10,10 +10,10 @@ import pytest
 
 def _build_service(session, users_app):
     """Build a UserService directly (bypass FastAPI Depends)."""
+    from users.admin.service import UserService
     from users.db_adapter import UserDatabaseWithRoles
     from users.manager import UserManager
     from users.models import User
-    from users.service import UserService
 
     user_db = UserDatabaseWithRoles(session, User)
     manager = UserManager(

{simple_module_users-0.0.12 → simple_module_users-0.0.14}/tests/test_user_service.py

@@ -9,10 +9,10 @@ import pytest
 
 def _build_service(session, users_app):
     """Build a UserService directly (bypass FastAPI Depends)."""
+    from users.admin.service import UserService
     from users.db_adapter import UserDatabaseWithRoles
     from users.manager import UserManager
     from users.models import User
-    from users.service import UserService
 
     user_db = UserDatabaseWithRoles(session, User)
     manager = UserManager(
@@ -77,10 +77,10 @@ async def test_get_list_item_unknown_user_raises_user_not_found(users_app):
 async def test_to_list_item_includes_created_at(users_app):
     """`UserListItem` carries `created_at` sourced from AuditMixin."""
     from fastapi_users.password import PasswordHelper
+    from users.admin.service import UserService
     from users.db_adapter import UserDatabaseWithRoles
     from users.manager import UserManager
     from users.models import User
-    from users.service import UserService
 
     async with users_app.state.sm.db.session_factory() as session:
         user = User(

{simple_module_users-0.0.12 → simple_module_users-0.0.14}/tests/test_views.py

@@ -67,6 +67,51 @@ class TestLoginPage:
         data = resp.json()
         assert data["component"] == "Users/Login"
 
+    @pytest.mark.anyio
+    async def test_dev_accounts_empty_outside_development(self, anon_client):
+        """``dev_accounts`` MUST NOT surface bootstrap creds in non-dev envs."""
+        resp = await anon_client.get(
+            "/users/login",
+            headers={"X-Inertia": "true", "X-Inertia-Version": "1.0"},
+        )
+        assert resp.json()["props"]["dev_accounts"] == []
+
+    @pytest.mark.anyio
+    async def test_dev_accounts_resolved_via_dotenv_fallback(
+        self, anon_client, users_app, monkeypatch
+    ):
+        """Regression for #159: login_page surfaces creds seeded only via .env.
+
+        With ``environment=development`` and bootstrap vars present only in
+        ``.env`` (not on settings, not on ``os.environ``), the buttons must
+        still appear — otherwise the admin gets seeded by the boot-time hook
+        but the dev-quick-login UX silently breaks.
+        """
+        from users import bootstrap as bootstrap_module
+
+        monkeypatch.setattr(users_app.state.sm.settings, "environment", "development")
+        monkeypatch.setattr(
+            bootstrap_module,
+            "_read_dotenv_bootstrap_vars",
+            lambda: {
+                "SM_USERS_BOOTSTRAP_EMAIL": "admin@example.com",
+                "SM_USERS_BOOTSTRAP_PASSWORD": "AdminPass1!",
+                "SM_USERS_BOOTSTRAP_USER_EMAIL": "user@example.com",
+                "SM_USERS_BOOTSTRAP_USER_PASSWORD": "UserPass1!",
+            },
+        )
+
+        resp = await anon_client.get(
+            "/users/login",
+            headers={"X-Inertia": "true", "X-Inertia-Version": "1.0"},
+        )
+
+        dev_accounts = resp.json()["props"]["dev_accounts"]
+        assert dev_accounts == [
+            {"label": "Admin", "email": "admin@example.com", "password": "AdminPass1!"},
+            {"label": "User", "email": "user@example.com", "password": "UserPass1!"},
+        ]
+
 
 class TestRegisterPage:
     @pytest.mark.anyio
@@ -187,7 +232,7 @@ async def test_admin_edit_page_unknown_user_returns_404(admin_client):
 @pytest.mark.anyio
 async def test_roles_payload_returns_id_name_dicts(users_app):
     """Helper reads the roles cache and returns id/name dicts in cache order."""
-    from users.endpoints.views import _roles_payload
+    from users.admin.views import _roles_payload
 
     payload = await _roles_payload(users_app)
 

simple_module_users-0.0.14/users/admin/__init__.py

@@ -0,0 +1 @@
+"""Admin user management. Intentionally empty — import via fully-qualified paths."""

simple_module_users-0.0.12/users/endpoints/api_admin.py → simple_module_users-0.0.14/users/admin/api.py

@@ -1,8 +1,4 @@
-"""Admin REST endpoints for the users module.
-
-Split out of :mod:`.api` to keep per-file complexity manageable. Mounted
-into the main ``router`` via ``include_router`` at the bottom of ``api.py``.
-"""
+"""Admin REST endpoints for the users module."""
 
 from __future__ import annotations
 
@@ -13,6 +9,7 @@ from fastapi import status as http_status
 from simple_module_core.events import EventBus
 from simple_module_hosting.permissions import RequiresPermission
 
+from users.admin.service import UserService
 from users.constants import PERM_USERS_MANAGE, sanitize_list_filters
 from users.contracts.events import RoleAssigned, UserDisabled, UserInvited
 from users.contracts.schemas import (
@@ -23,7 +20,6 @@ from users.contracts.schemas import (
 )
 from users.deps import get_event_bus, get_mailer, get_user_service
 from users.exceptions import UserNotFoundError
-from users.service import UserService
 
 admin_router = APIRouter(
     prefix="/admin",