Easy to disable admin users immediately

Severity: Recommended

Check automatically:

1. Find disable/suspend functionality:

# Look for disable/suspend functions
grep -riE "(disable|suspend|deactivate|revoke|block).*(user|admin|account)" --include="*.ts" --include="*.js" | head -10

# Find active/disabled flags
grep -riE "is_active|isActive|is_disabled|isDisabled|suspended|blocked|status" --include="*.prisma" --include="*.ts" | head -10

2. Check for session invalidation:

# Look for session invalidation on disable
grep -riE "invalidate.*(session|token)|revoke.*(session|token)|logout.*all" --include="*.ts" --include="*.js" | head -10

# Find session management
grep -riE "destroySession|clearSession|revokeTokens" --include="*.ts" --include="*.js" | head -10

3. Check admin UI for user management:

# Look for admin user management UI
find . -type f \( -name "*.tsx" -o -name "*.jsx" \) -exec grep -l -iE "disable.*user|suspend.*user|block.*user" {} \; | head -5

Ask user:

• If an admin account is compromised, how quickly can you disable it?
• Does disabling immediately invalidate active sessions?
• Can this be done without deploying code or direct DB access?

Pass criteria:

• Admin users can be disabled via admin UI (not just DB)
• Disable takes effect immediately (active sessions invalidated)
• No code deploy required
• Can be done in under 5 minutes from decision

Fail criteria:

• Must edit database directly to disable admin
• Disabled admins can continue using existing sessions
• Requires code deploy to remove access

Evidence to capture:

• How to disable an admin user (steps)
• Whether sessions are immediately invalidated
• Time from decision to effective disable (estimate)

---