The patch route just takes a list of updates and applies them to the database - you need extra validation that admin access levels cannot be modified.
3 edge cases to take care of here:
An admin applies a user update to demote themselves to a standard user - this is completely non-reversible since they lose access completely from their end.
An admin promotes another user to admin by accident - the other account can now mess up all portal event and store data.
2 admins trying to demote the access level of each other: whose access level should take precedence in this case? There should be logic so it's not just whoever acts faster gets to stay an admin.
Since this is a very flexible role with full API usage, I would continue making manual DB edits to promote or demote admins, which doesn't expose these edge cases to any board member with the ACM portal account login credentials.
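One way to write the validation the comment above asks for, as an added example that is not the portal's own code. The function name, the `user` and `accessType` fields, and the level strings are assumptions, since the route's real schema is not shown here.

```javascript
// Hypothetical level name; the portal's real values are not shown on the page.
const ADMIN = 'ADMIN';

/**
 * Check a batch of access-level updates before anything is written.
 *   actorId       - id of the admin sending the request
 *   updates       - [{ user, accessType }] as received by the patch route
 *   currentLevels - Map of user id -> access level currently stored
 * Returns { ok, rejected }. The batch is all-or-nothing: if any entry is
 * rejected, the caller should write none of the updates.
 */
function validateAccessUpdates(actorId, updates, currentLevels) {
  const rejected = [];
  for (const { user, accessType } of updates) {
    const current = currentLevels.get(user);
    if (current === undefined) {
      // Fail closed: never apply a level change to an account we cannot look up.
      rejected.push({ user, reason: 'unknown user' });
    } else if (user === actorId) {
      // Edge case 1: an admin changing (demoting) their own account.
      rejected.push({ user, reason: 'cannot change own access level' });
    } else if (current === ADMIN) {
      // Edge case 3: admins demoting each other. With no API path that can
      // touch an existing admin, request ordering cannot decide who stays.
      rejected.push({ user, reason: 'cannot modify an existing admin' });
    } else if (accessType === ADMIN) {
      // Edge case 2: accidental promotion of another account to admin.
      rejected.push({ user, reason: 'cannot promote to admin via the API' });
    }
  }
  return { ok: rejected.length === 0, rejected };
}

// Constructed sample data, not taken from the portal.
const sampleLevels = new Map([
  ['alice', 'ADMIN'], ['bob', 'ADMIN'], ['carol', 'STANDARD'], ['dave', 'STANDARD'],
]);
const sampleResult = validateAccessUpdates('alice', [
  { user: 'alice', accessType: 'STANDARD' }, // self-demotion
  { user: 'bob', accessType: 'STANDARD' },   // demoting another admin
  { user: 'carol', accessType: 'ADMIN' },    // promotion to admin
  { user: 'dave', accessType: 'STAFF' },     // non-admin change, allowed
], sampleLevels);
console.log(sampleResult);
```

The check only closes the API path; admin promotion and demotion stay a manual database change, as the comment recommends.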