u.name and u.email are stored user input and were interpolated raw into
tbody.innerHTML. Added esc() helper and applied to name, email, and role
display string.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add AdminUserController: CRUD users, assign role, reset password,
self-delete guard (403 on own account)
- Add admin route group under role:administrator middleware
(GET/POST/PUT/DELETE /api/admin/users, PUT /api/admin/users/{id}/password)
- Add resources/views/admin/users.blade.php: DaisyUI table + 4 modals
(create, edit, reset password, delete confirm), stats grid, toast
- Add Admin nav link (administrator-only) to map and data navbars
- 9 new tests covering page access, API CRUD, self-delete guard, password reset
- Mark Plan 3 complete in missing_features.md; update README page list
- Save plan3 to docs/ for reference
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add user_id FK (nullable) to rumah_ibadah for ownership tracking
- IbadahController: set user_id on store; enforce ownership on update/destroy
- Add edit modals to map and data views (ibadah + miskin)
- Popup and table row Edit buttons with per-record ownership check
- 7 new tests covering ownership and full-field updates
- Fix ExampleTest for auth-protected routes
- Fix UserFactory missing email_verified_at column
- Mark Plan 2 complete in missing_features.md; update README
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>