We need another ban type which prevents the user from doing ANYTHING. Although, this supersedes the public and private flags, so perhaps just another flag that prevents users from doing user related things (such as logging in. changing user data, etc). Yes, perhaps that's best. So with that setup, we'd have something like:
For all user service endpoints, we'd now need to pull the latest ban and check to see if they're allowed to perform the task in question
For the db writer endpoint, we already have that ban data. We'll need to check it when general user data is being updated. This should prevent the user from doing ANY user related things, even if they're admin.
We need another ban type which prevents the user from doing ANYTHING. Although, this supersedes the public and private flags, so perhaps just another flag that prevents users from doing user related things (such as logging in. changing user data, etc). Yes, perhaps that's best. So with that setup, we'd have something like: