feat(backend): add email notifications for global admin role changes

Lasim · Lasim · commit 843f51aa30be · 2025-12-29T13:35:22.000+01:00
diff --git a/services/backend/src/email/templates/global-admin-demoted.pug b/services/backend/src/email/templates/global-admin-demoted.pug
@@ -0,0 +1,34 @@
+//- @description Email notification when a user's global administrator role is removed
+//- @variables userName, newRoleName, changedByName, supportEmail
+extends layouts/base.pug
+
+block content
+  h1 Your Role Has Been Updated
+
+  p Hi #{userName},
+
+  p #{changedByName} changed your role from Global Administrator to #{newRoleName}.
+
+  .role-info
+    p
+      strong Previous Role:
+      |  Global Administrator
+
+    p
+      strong New Role:
+      |  #{newRoleName}
+
+  h2 What changed
+
+  p Your access level has been adjusted. You may have reduced permissions for certain platform operations.
+
+  if supportEmail
+    p
+      | If you believe this change was made in error, please contact support at&nbsp;
+      a(href=`mailto:${supportEmail}`)= supportEmail
+      | .
+
+  p.text-muted
+    | Best regards,
+    br
+    | The DeployStack Team
diff --git a/services/backend/src/email/templates/global-admin-promoted.pug b/services/backend/src/email/templates/global-admin-promoted.pug
@@ -0,0 +1,31 @@
+//- @description Email notification when a user is promoted to global administrator
+//- @variables userName, promotedByName, dashboardUrl
+extends layouts/base.pug
+
+block content
+  h1 You're now a Global Administrator
+
+  p Hi #{userName},
+
+  p #{promotedByName} just made you a global administrator. You now have full access to manage users, teams, and all platform settings.
+
+  h2 What this means
+
+  p As a global admin, you can:
+
+  ul
+    li Manage all users and their roles
+    li Access the admin dashboard
+    li Configure platform settings
+    li View system logs and analytics
+
+  if dashboardUrl
+    .text-center
+      a.button(href=dashboardUrl) Go to Admin Dashboard
+
+  p Questions? Just reach out to your team.
+
+  p.text-muted
+    | Best regards,
+    br
+    | The DeployStack Team
diff --git a/services/backend/src/email/templates/global-admin-user-demoted-notification.pug b/services/backend/src/email/templates/global-admin-user-demoted-notification.pug
@@ -0,0 +1,38 @@
+//- @description Email notification to other admins when a user's global administrator role is removed
+//- @variables adminName, demotedUserName, newRoleName, changedByName, dashboardUrl
+extends layouts/base.pug
+
+block content
+  h1 Global Administrator Removed
+
+  p Hi #{adminName},
+
+  p #{changedByName} changed #{demotedUserName}'s role from Global Administrator to #{newRoleName}.
+
+  .admin-info
+    p
+      strong User:
+      |  #{demotedUserName}
+
+    p
+      strong Changed By:
+      |  #{changedByName}
+
+    p
+      strong Previous Role:
+      |  Global Administrator
+
+    p
+      strong New Role:
+      |  #{newRoleName}
+
+  p This user no longer has global administrator access.
+
+  if dashboardUrl
+    .text-center
+      a.button(href=dashboardUrl) View User Management
+
+  p.text-muted
+    | Best regards,
+    br
+    | The DeployStack Team
diff --git a/services/backend/src/email/templates/global-admin-user-promoted-notification.pug b/services/backend/src/email/templates/global-admin-user-promoted-notification.pug
@@ -0,0 +1,34 @@
+//- @description Email notification to other admins when a user is promoted to global administrator
+//- @variables adminName, promotedUserName, promotedByName, dashboardUrl
+extends layouts/base.pug
+
+block content
+  h1 New Global Administrator Added
+
+  p Hi #{adminName},
+
+  p #{promotedByName} just added #{promotedUserName} as a global administrator.
+
+  .admin-info
+    p
+      strong User Promoted:
+      |  #{promotedUserName}
+
+    p
+      strong Promoted By:
+      |  #{promotedByName}
+
+    p
+      strong New Role:
+      |  Global Administrator
+
+  p This user now has full access to manage users, teams, and platform settings.
+
+  if dashboardUrl
+    .text-center
+      a.button(href=dashboardUrl) View User Management
+
+  p.text-muted
+    | Best regards,
+    br
+    | The DeployStack Team
diff --git a/services/backend/src/email/types.ts b/services/backend/src/email/types.ts
@@ -163,6 +163,34 @@ export interface TeamDeletedEmailVariables {
   teamName: string;
 }
 
+export interface GlobalAdminPromotedEmailVariables {
+  userName: string;
+  promotedByName: string;
+  dashboardUrl?: string;
+}
+
+export interface GlobalAdminDemotedEmailVariables {
+  userName: string;
+  newRoleName: string;
+  changedByName: string;
+  supportEmail?: string;
+}
+
+export interface GlobalAdminUserPromotedNotificationVariables {
+  adminName: string;
+  promotedUserName: string;
+  promotedByName: string;
+  dashboardUrl?: string;
+}
+
+export interface GlobalAdminUserDemotedNotificationVariables {
+  adminName: string;
+  demotedUserName: string;
+  newRoleName: string;
+  changedByName: string;
+  dashboardUrl?: string;
+}
+
 // Template registry for type safety
 export interface TemplateVariableMap {
   welcome: WelcomeEmailVariables;
@@ -175,6 +203,10 @@ export interface TemplateVariableMap {
   'mcp-installation-deleted': McpInstallationDeletedEmailVariables;
   'team-created': TeamCreatedEmailVariables;
   'team-deleted': TeamDeletedEmailVariables;
+  'global-admin-promoted': GlobalAdminPromotedEmailVariables;
+  'global-admin-demoted': GlobalAdminDemotedEmailVariables;
+  'global-admin-user-promoted-notification': GlobalAdminUserPromotedNotificationVariables;
+  'global-admin-user-demoted-notification': GlobalAdminUserDemotedNotificationVariables;
 }
 
 export type TemplateNames = keyof TemplateVariableMap;
diff --git a/services/backend/src/routes/admin/users/assign-role.ts b/services/backend/src/routes/admin/users/assign-role.ts
@@ -96,6 +96,21 @@ export default async function assignRoleAdminRoute(server: FastifyInstance) {
       const { id } = request.params as ParamsWithId;
       const { role_id } = request.body as AssignRoleRequest;
 
+      // Get user's current role before making changes
+      const userBeforeChange = await userService.getUserById(id);
+      if (!userBeforeChange) {
+        const errorResponse: ErrorResponse = {
+          success: false,
+          error: 'User not found'
+        };
+        const jsonString = JSON.stringify(errorResponse);
+        return reply.status(404).type('application/json').send(jsonString);
+      }
+
+      const oldRoleId = userBeforeChange.role_id;
+      const isPromotionToGlobalAdmin = role_id === 'global_admin' && oldRoleId !== 'global_admin';
+      const isDemotionFromGlobalAdmin = oldRoleId === 'global_admin' && role_id !== 'global_admin';
+
       // Prevent users from changing their own role
       if (request.user?.id === id) {
         const errorResponse: ErrorResponse = {
@@ -120,6 +135,96 @@ export default async function assignRoleAdminRoute(server: FastifyInstance) {
       // Get updated user data
       const user = await userService.getUserById(id);
 
+      // Send email notifications for global_admin role changes
+      if (isPromotionToGlobalAdmin || isDemotionFromGlobalAdmin) {
+        try {
+          // eslint-disable-next-line @typescript-eslint/no-explicit-any
+          const jobQueueService = (server as any).jobQueueService;
+          if (jobQueueService && userBeforeChange.email && request.user) {
+            const currentUser = request.user as { id: string; username?: string; email?: string };
+            const actorName = currentUser.username || currentUser.email || 'Administrator';
+            const targetUserName = userBeforeChange.username || userBeforeChange.email;
+
+            // Email 1: Notify the user whose role changed
+            if (isPromotionToGlobalAdmin) {
+              await jobQueueService.createJob('send_email', {
+                to: userBeforeChange.email,
+                subject: 'You\'ve been promoted to Global Administrator',
+                template: 'global-admin-promoted',
+                variables: {
+                  userName: targetUserName,
+                  promotedByName: actorName,
+                  dashboardUrl: process.env.FRONTEND_URL || undefined
+                }
+              });
+              server.log.info({ operation: 'global_admin_promoted', userId: id }, 'Global admin promotion email queued');
+            } else if (isDemotionFromGlobalAdmin) {
+              const newRole = await userService.getUserById(id);
+              const newRoleName = newRole?.role?.name || 'Standard User';
+
+              await jobQueueService.createJob('send_email', {
+                to: userBeforeChange.email,
+                subject: 'Your role has been updated',
+                template: 'global-admin-demoted',
+                variables: {
+                  userName: targetUserName,
+                  newRoleName: newRoleName,
+                  changedByName: actorName,
+                  supportEmail: process.env.SUPPORT_EMAIL || undefined
+                }
+              });
+              server.log.info({ operation: 'global_admin_demoted', userId: id }, 'Global admin demotion email queued');
+            }
+
+            // Email 2: Notify OTHER global admins (exclude actor and target user)
+            const allGlobalAdmins = await userService.getUsersByRole('global_admin');
+            const otherAdmins = allGlobalAdmins.filter(admin =>
+              admin.id !== request.user!.id && admin.email && admin.id !== id
+            );
+
+            if (otherAdmins.length > 0) {
+              for (const admin of otherAdmins) {
+                const adminDisplayName = admin.username || admin.email;
+
+                if (isPromotionToGlobalAdmin) {
+                  await jobQueueService.createJob('send_email', {
+                    to: admin.email,
+                    subject: 'New Global Administrator Added',
+                    template: 'global-admin-user-promoted-notification',
+                    variables: {
+                      adminName: adminDisplayName,
+                      promotedUserName: targetUserName,
+                      promotedByName: actorName,
+                      dashboardUrl: process.env.FRONTEND_URL || undefined
+                    }
+                  });
+                } else if (isDemotionFromGlobalAdmin) {
+                  const newRole = await userService.getUserById(id);
+                  const newRoleName = newRole?.role?.name || 'Standard User';
+
+                  await jobQueueService.createJob('send_email', {
+                    to: admin.email,
+                    subject: 'Global Administrator Removed',
+                    template: 'global-admin-user-demoted-notification',
+                    variables: {
+                      adminName: adminDisplayName,
+                      demotedUserName: targetUserName,
+                      newRoleName: newRoleName,
+                      changedByName: actorName,
+                      dashboardUrl: process.env.FRONTEND_URL || undefined
+                    }
+                  });
+                }
+              }
+              server.log.info({ notifiedCount: otherAdmins.length }, 'Notified other global admins');
+            }
+          }
+        } catch (emailError) {
+          server.log.error(emailError, 'Failed to queue emails - role change succeeded');
+          // Don't fail role assignment if email queueing fails
+        }
+      }
+
       const successResponse: AssignRoleSuccessResponse = {
         success: true,
         data: user,
