From d16faa73757ade6a8a0150abb86abda67d4e3f0f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 28 Feb 2026 23:56:59 +0000
Subject: [PATCH 1/3] Initial plan


From 8de745f6b00defd798f50e26e3639a58be1a1a25 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 1 Mar 2026 00:03:49 +0000
Subject: [PATCH 2/3] Add staff member role and user management feature

Co-authored-by: JoeProgrammer88 <7156063+JoeProgrammer88@users.noreply.github.com>
---
 PC2/Controllers/AboutController.cs            |   2 +-
 PC2/Controllers/AgencyController.cs           |   2 +-
 PC2/Controllers/CalendarController.cs         |   2 +-
 PC2/Controllers/UserManagementController.cs   | 168 +++++++++
 PC2/Data/IdentityHelper.cs                    |   2 +
 PC2/Models/UserManagementViewModel.cs         |  12 +
 PC2/Program.cs                                |   2 +-
 PC2/Views/Shared/_Layout.cshtml               |  17 +-
 PC2/Views/UserManagement/Create.cshtml        |  34 ++
 PC2/Views/UserManagement/Index.cshtml         | 100 +++++
 .../UserManagementControllerTests.cs          | 345 ++++++++++++++++++
 11 files changed, 678 insertions(+), 8 deletions(-)
 create mode 100644 PC2/Controllers/UserManagementController.cs
 create mode 100644 PC2/Models/UserManagementViewModel.cs
 create mode 100644 PC2/Views/UserManagement/Create.cshtml
 create mode 100644 PC2/Views/UserManagement/Index.cshtml
 create mode 100644 PC2Tests/Controllers/UserManagementControllerTests.cs

diff --git a/PC2/Controllers/AboutController.cs b/PC2/Controllers/AboutController.cs
index 28729c5b..0834c31a 100644
--- a/PC2/Controllers/AboutController.cs
+++ b/PC2/Controllers/AboutController.cs
@@ -7,7 +7,7 @@
 
 namespace PC2.Controllers;
 
-[Authorize(Roles = IdentityHelper.Admin)]
+[Authorize(Roles = IdentityHelper.AdminOrStaff)]
 public class AboutController : Controller
 {
     private readonly ApplicationDbContext _context;
diff --git a/PC2/Controllers/AgencyController.cs b/PC2/Controllers/AgencyController.cs
index 2544b569..0043e47c 100644
--- a/PC2/Controllers/AgencyController.cs
+++ b/PC2/Controllers/AgencyController.cs
@@ -6,7 +6,7 @@
 
 namespace PC2.Controllers
 {
-    [Authorize(Roles = IdentityHelper.Admin)]
+    [Authorize(Roles = IdentityHelper.AdminOrStaff)]
     public class AgencyController : Controller
     {
         private readonly ApplicationDbContext _context;
diff --git a/PC2/Controllers/CalendarController.cs b/PC2/Controllers/CalendarController.cs
index 27d263af..5f9ca33a 100644
--- a/PC2/Controllers/CalendarController.cs
+++ b/PC2/Controllers/CalendarController.cs
@@ -5,7 +5,7 @@
 
 namespace PC2.Controllers;
 
-[Authorize(Roles = IdentityHelper.Admin)]
+[Authorize(Roles = IdentityHelper.AdminOrStaff)]
 public class CalendarController : Controller
 {
     private readonly ApplicationDbContext _context;
diff --git a/PC2/Controllers/UserManagementController.cs b/PC2/Controllers/UserManagementController.cs
new file mode 100644
index 00000000..01f76a7b
--- /dev/null
+++ b/PC2/Controllers/UserManagementController.cs
@@ -0,0 +1,168 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Mvc;
+using PC2.Data;
+using PC2.Models;
+
+namespace PC2.Controllers;
+
+/// <summary>
+/// Controller for admin-only user management: add/remove staff users and promote/demote roles.
+/// </summary>
+[Authorize(Roles = IdentityHelper.Admin)]
+public class UserManagementController : Controller
+{
+    private readonly UserManager<IdentityUser> _userManager;
+
+    public UserManagementController(UserManager<IdentityUser> userManager)
+    {
+        _userManager = userManager;
+    }
+
+    /// <summary>
+    /// Displays a list of all staff and admin users.
+    /// </summary>
+    public async Task<IActionResult> Index()
+    {
+        var users = _userManager.Users.ToList();
+        var viewModels = new List<UserManagementViewModel>();
+
+        foreach (var user in users)
+        {
+            viewModels.Add(new UserManagementViewModel
+            {
+                UserId = user.Id,
+                Email = user.Email ?? string.Empty,
+                IsAdmin = await _userManager.IsInRoleAsync(user, IdentityHelper.Admin),
+                IsStaff = await _userManager.IsInRoleAsync(user, IdentityHelper.Staff)
+            });
+        }
+
+        return View(viewModels);
+    }
+
+    /// <summary>
+    /// Displays the form to create a new staff user.
+    /// </summary>
+    public IActionResult Create()
+    {
+        return View();
+    }
+
+    /// <summary>
+    /// Creates a new staff user account.
+    /// </summary>
+    [HttpPost]
+    [ValidateAntiForgeryToken]
+    public async Task<IActionResult> Create(string email, string password)
+    {
+        if (string.IsNullOrWhiteSpace(email) || string.IsNullOrWhiteSpace(password))
+        {
+            ModelState.AddModelError(string.Empty, "Email and password are required.");
+            return View();
+        }
+
+        var user = new IdentityUser { UserName = email, Email = email };
+        var result = await _userManager.CreateAsync(user, password);
+
+        if (result.Succeeded)
+        {
+            await _userManager.AddToRoleAsync(user, IdentityHelper.Staff);
+            TempData["SuccessMessage"] = $"Staff user '{email}' created successfully.";
+            return RedirectToAction(nameof(Index));
+        }
+
+        foreach (var error in result.Errors)
+        {
+            ModelState.AddModelError(string.Empty, error.Description);
+        }
+
+        return View();
+    }
+
+    /// <summary>
+    /// Promotes a staff user to the admin role.
+    /// </summary>
+    [HttpPost]
+    [ValidateAntiForgeryToken]
+    public async Task<IActionResult> Promote(string userId)
+    {
+        var user = await _userManager.FindByIdAsync(userId);
+        if (user == null)
+        {
+            return NotFound();
+        }
+
+        if (!await _userManager.IsInRoleAsync(user, IdentityHelper.Admin))
+        {
+            await _userManager.AddToRoleAsync(user, IdentityHelper.Admin);
+        }
+        if (await _userManager.IsInRoleAsync(user, IdentityHelper.Staff))
+        {
+            await _userManager.RemoveFromRoleAsync(user, IdentityHelper.Staff);
+        }
+
+        TempData["SuccessMessage"] = $"User '{user.Email}' has been promoted to Admin.";
+        return RedirectToAction(nameof(Index));
+    }
+
+    /// <summary>
+    /// Demotes an admin user back to the staff role.
+    /// </summary>
+    [HttpPost]
+    [ValidateAntiForgeryToken]
+    public async Task<IActionResult> Demote(string userId)
+    {
+        var user = await _userManager.FindByIdAsync(userId);
+        if (user == null)
+        {
+            return NotFound();
+        }
+
+        // Prevent demoting yourself
+        var currentUser = await _userManager.GetUserAsync(User);
+        if (currentUser != null && currentUser.Id == userId)
+        {
+            TempData["ErrorMessage"] = "You cannot demote your own account.";
+            return RedirectToAction(nameof(Index));
+        }
+
+        if (await _userManager.IsInRoleAsync(user, IdentityHelper.Admin))
+        {
+            await _userManager.RemoveFromRoleAsync(user, IdentityHelper.Admin);
+        }
+        if (!await _userManager.IsInRoleAsync(user, IdentityHelper.Staff))
+        {
+            await _userManager.AddToRoleAsync(user, IdentityHelper.Staff);
+        }
+
+        TempData["SuccessMessage"] = $"User '{user.Email}' has been demoted to Staff.";
+        return RedirectToAction(nameof(Index));
+    }
+
+    /// <summary>
+    /// Deletes a staff user account. Admins cannot delete their own account.
+    /// </summary>
+    [HttpPost]
+    [ValidateAntiForgeryToken]
+    public async Task<IActionResult> Delete(string userId)
+    {
+        var user = await _userManager.FindByIdAsync(userId);
+        if (user == null)
+        {
+            return NotFound();
+        }
+
+        // Prevent deleting yourself
+        var currentUser = await _userManager.GetUserAsync(User);
+        if (currentUser != null && currentUser.Id == userId)
+        {
+            TempData["ErrorMessage"] = "You cannot delete your own account.";
+            return RedirectToAction(nameof(Index));
+        }
+
+        await _userManager.DeleteAsync(user);
+        TempData["SuccessMessage"] = $"User '{user.Email}' has been deleted.";
+        return RedirectToAction(nameof(Index));
+    }
+}
diff --git a/PC2/Data/IdentityHelper.cs b/PC2/Data/IdentityHelper.cs
index 157aaf4e..4c24bc19 100644
--- a/PC2/Data/IdentityHelper.cs
+++ b/PC2/Data/IdentityHelper.cs
@@ -5,6 +5,8 @@ namespace PC2.Data
     public static class IdentityHelper
     {
         public const string Admin = "Admin";
+        public const string Staff = "Staff";
+        public const string AdminOrStaff = Admin + "," + Staff;
 
         internal static async Task CreateRoles(IServiceProvider provider, params string[] roles)
         {
diff --git a/PC2/Models/UserManagementViewModel.cs b/PC2/Models/UserManagementViewModel.cs
new file mode 100644
index 00000000..7805e499
--- /dev/null
+++ b/PC2/Models/UserManagementViewModel.cs
@@ -0,0 +1,12 @@
+namespace PC2.Models;
+
+/// <summary>
+/// View model representing an application user and their roles for the user management page.
+/// </summary>
+public class UserManagementViewModel
+{
+    public string UserId { get; set; } = string.Empty;
+    public string Email { get; set; } = string.Empty;
+    public bool IsAdmin { get; set; }
+    public bool IsStaff { get; set; }
+}
diff --git a/PC2/Program.cs b/PC2/Program.cs
index 73fe07d3..4731cde1 100644
--- a/PC2/Program.cs
+++ b/PC2/Program.cs
@@ -90,7 +90,7 @@
 
 #if DEBUG
 var serviceProvider = app.Services.GetRequiredService<IServiceProvider>().CreateScope();
-IdentityHelper.CreateRoles(serviceProvider.ServiceProvider, IdentityHelper.Admin)
+IdentityHelper.CreateRoles(serviceProvider.ServiceProvider, IdentityHelper.Admin, IdentityHelper.Staff)
               .Wait();
 IdentityHelper.CreateDefaultAdmin(serviceProvider.ServiceProvider, IdentityHelper.Admin)
               .Wait();
diff --git a/PC2/Views/Shared/_Layout.cshtml b/PC2/Views/Shared/_Layout.cshtml
index 5a24769c..988a09f1 100644
--- a/PC2/Views/Shared/_Layout.cshtml
+++ b/PC2/Views/Shared/_Layout.cshtml
@@ -77,7 +77,7 @@
                 <div id="right-ribbon" class="ribbon"></div>
                 <div class="navbar-collapse collapse d-lg-inline-flex flex-lg-row-reverse" id="navbarSupportedContent">
                     <ul class="navbar-nav flex-grow-1">
-                        @if (User.IsInRole(IdentityHelper.Admin))
+                        @if (User.IsInRole(IdentityHelper.Admin) || User.IsInRole(IdentityHelper.Staff))
                         {
                             <li class="nav-item menu-item">
                                 <a class="nav-link" asp-controller="Agency" asp-action="Index">Agencies</a>
@@ -85,9 +85,12 @@
                             <li class="nav-item menu-item">
                                 <a class="nav-link" asp-controller="About" asp-action="HousingProgramData">Housing Program Data</a>
                             </li>
-                            <li class="nav-item menu-item">
-                                <a class="nav-link" asp-controller="Admin" asp-action="Analytics">Analytics</a>
-                            </li>
+                            @if (User.IsInRole(IdentityHelper.Admin))
+                            {
+                                <li class="nav-item menu-item">
+                                    <a class="nav-link" asp-controller="Admin" asp-action="Analytics">Analytics</a>
+                                </li>
+                            }
                             <li id="Calendar-Index" class="nav-item menu-item dropdown">
                                 <a class="nav-link dropdown-toggle" href="#" id="calendarDropdown" role="button" data-bs-toggle="dropdown" aria-expanded="false">
                                     Calendar and Events
@@ -111,6 +114,12 @@
                                     <li><a class="dropdown-item" asp-controller="About" asp-action="UploadNewsletter">Upload Newsletter</a></li>
                                 </ul>
                             </li>
+                            @if (User.IsInRole(IdentityHelper.Admin))
+                            {
+                                <li class="nav-item menu-item">
+                                    <a class="nav-link" asp-controller="UserManagement" asp-action="Index">Manage Users</a>
+                                </li>
+                            }
                         }
                         else
                         {                    
diff --git a/PC2/Views/UserManagement/Create.cshtml b/PC2/Views/UserManagement/Create.cshtml
new file mode 100644
index 00000000..d5248ab8
--- /dev/null
+++ b/PC2/Views/UserManagement/Create.cshtml
@@ -0,0 +1,34 @@
+@{
+    ViewData["Title"] = "Add Staff User";
+}
+
+<h1>@ViewData["Title"]</h1>
+<div class="divider"></div>
+<br />
+
+<div asp-validation-summary="All" class="text-danger"></div>
+
+<div class="row">
+    <div class="col-md-5">
+        <form asp-action="Create" method="post">
+            @Html.AntiForgeryToken()
+            <div class="mb-3">
+                <label for="email" class="form-label">Email</label>
+                <input type="email" class="form-control" id="email" name="email" required />
+            </div>
+            <div class="mb-3">
+                <label for="password" class="form-label">Password</label>
+                <input type="password" class="form-control" id="password" name="password" required />
+                <div class="form-text">
+                    Password must be at least 8 characters and contain uppercase, lowercase, digit, and special character.
+                </div>
+            </div>
+            <div class="d-flex gap-2">
+                <button type="submit" class="btn btn-primary">
+                    <i class="bi bi-person-plus-fill me-2"></i>Create Staff User
+                </button>
+                <a asp-action="Index" class="btn btn-secondary">Cancel</a>
+            </div>
+        </form>
+    </div>
+</div>
diff --git a/PC2/Views/UserManagement/Index.cshtml b/PC2/Views/UserManagement/Index.cshtml
new file mode 100644
index 00000000..bae1dffe
--- /dev/null
+++ b/PC2/Views/UserManagement/Index.cshtml
@@ -0,0 +1,100 @@
+@model IEnumerable<PC2.Models.UserManagementViewModel>
+
+@{
+    ViewData["Title"] = "Manage Users";
+}
+
+<h1>@ViewData["Title"]</h1>
+<div class="divider"></div>
+<br />
+
+@if (TempData["SuccessMessage"] != null)
+{
+    <div class="alert alert-success alert-dismissible fade show" role="alert">
+        <i class="bi bi-check-circle-fill me-2"></i>@TempData["SuccessMessage"]
+        <button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
+    </div>
+}
+
+@if (TempData["ErrorMessage"] != null)
+{
+    <div class="alert alert-danger alert-dismissible fade show" role="alert">
+        <i class="bi bi-exclamation-triangle-fill me-2"></i>@TempData["ErrorMessage"]
+        <button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
+    </div>
+}
+
+<div class="mb-3">
+    <a asp-action="Create" class="btn btn-primary">
+        <i class="bi bi-person-plus-fill me-2"></i>Add Staff User
+    </a>
+</div>
+
+<div class="table-responsive">
+    <table class="table table-striped table-hover">
+        <thead>
+            <tr>
+                <th>Email</th>
+                <th>Role</th>
+                <th>Actions</th>
+            </tr>
+        </thead>
+        <tbody>
+            @foreach (var user in Model)
+            {
+                <tr>
+                    <td>@user.Email</td>
+                    <td>
+                        @if (user.IsAdmin)
+                        {
+                            <span class="badge bg-danger">Admin</span>
+                        }
+                        else if (user.IsStaff)
+                        {
+                            <span class="badge bg-secondary">Staff</span>
+                        }
+                        else
+                        {
+                            <span class="badge bg-light text-dark">No Role</span>
+                        }
+                    </td>
+                    <td>
+                        @if (user.IsStaff && !user.IsAdmin)
+                        {
+                            <form asp-action="Promote" method="post" class="d-inline">
+                                <input type="hidden" name="userId" value="@user.UserId" />
+                                @Html.AntiForgeryToken()
+                                <button type="submit" class="btn btn-sm btn-success me-1"
+                                        onclick="return confirm('Promote @user.Email to Admin?')">
+                                    <i class="bi bi-arrow-up-circle me-1"></i>Promote to Admin
+                                </button>
+                            </form>
+                        }
+                        @if (user.IsAdmin)
+                        {
+                            <form asp-action="Demote" method="post" class="d-inline">
+                                <input type="hidden" name="userId" value="@user.UserId" />
+                                @Html.AntiForgeryToken()
+                                <button type="submit" class="btn btn-sm btn-warning me-1"
+                                        onclick="return confirm('Demote @user.Email to Staff?')">
+                                    <i class="bi bi-arrow-down-circle me-1"></i>Demote to Staff
+                                </button>
+                            </form>
+                        }
+                        @if (!user.IsAdmin)
+                        {
+                            <form asp-action="Delete" method="post" class="d-inline">
+                                <input type="hidden" name="userId" value="@user.UserId" />
+                                @Html.AntiForgeryToken()
+                                <button type="submit" class="btn btn-sm btn-danger"
+                                        onclick="return confirm('Delete user @user.Email? This cannot be undone.')">
+                                    <i class="bi bi-trash-fill me-1"></i>Delete
+                                </button>
+                            </form>
+                        }
+                    </td>
+                </tr>
+            }
+        </tbody>
+    </table>
+</div>
diff --git a/PC2Tests/Controllers/UserManagementControllerTests.cs b/PC2Tests/Controllers/UserManagementControllerTests.cs
new file mode 100644
index 00000000..7f19760a
--- /dev/null
+++ b/PC2Tests/Controllers/UserManagementControllerTests.cs
@@ -0,0 +1,345 @@
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.ViewFeatures;
+using Moq;
+using PC2.Controllers;
+using PC2.Data;
+using PC2.Models;
+using System.Security.Claims;
+
+namespace PC2Tests.Controllers;
+
+[TestClass]
+public class UserManagementControllerTests
+{
+    private Mock<UserManager<IdentityUser>> _userManagerMock = null!;
+    private UserManagementController _controller = null!;
+
+    [TestInitialize]
+    public void Setup()
+    {
+        var store = new Mock<IUserStore<IdentityUser>>();
+        _userManagerMock = new Mock<UserManager<IdentityUser>>(
+            store.Object, null!, null!, null!, null!, null!, null!, null!, null!);
+
+        _controller = new UserManagementController(_userManagerMock.Object);
+
+        // Setup mock admin user
+        var claims = new List<Claim>
+        {
+            new Claim(ClaimTypes.NameIdentifier, "admin-id"),
+            new Claim(ClaimTypes.Name, "admin@pc2online.org"),
+            new Claim(ClaimTypes.Role, IdentityHelper.Admin)
+        };
+        var identity = new ClaimsIdentity(claims, "TestAuthType");
+        var claimsPrincipal = new ClaimsPrincipal(identity);
+
+        _controller.ControllerContext = new ControllerContext
+        {
+            HttpContext = new DefaultHttpContext { User = claimsPrincipal }
+        };
+
+        // Setup TempData
+        _controller.TempData = new TempDataDictionary(
+            _controller.ControllerContext.HttpContext,
+            Mock.Of<ITempDataProvider>());
+    }
+
+    [TestCleanup]
+    public void Cleanup()
+    {
+        _controller.Dispose();
+    }
+
+    #region Index Tests
+
+    [TestMethod]
+    public async Task Index_WithNoUsers_ReturnsEmptyList()
+    {
+        // Arrange
+        _userManagerMock.Setup(m => m.Users)
+            .Returns(new List<IdentityUser>().AsQueryable());
+
+        // Act
+        var result = await _controller.Index() as ViewResult;
+
+        // Assert
+        Assert.IsNotNull(result);
+        var model = result.Model as List<UserManagementViewModel>;
+        Assert.IsNotNull(model);
+        Assert.AreEqual(0, model.Count);
+    }
+
+    [TestMethod]
+    public async Task Index_WithAdminUser_ReturnsUserWithAdminRole()
+    {
+        // Arrange
+        var adminUser = new IdentityUser { Id = "1", Email = "admin@test.com" };
+        _userManagerMock.Setup(m => m.Users)
+            .Returns(new List<IdentityUser> { adminUser }.AsQueryable());
+        _userManagerMock.Setup(m => m.IsInRoleAsync(adminUser, IdentityHelper.Admin))
+            .ReturnsAsync(true);
+        _userManagerMock.Setup(m => m.IsInRoleAsync(adminUser, IdentityHelper.Staff))
+            .ReturnsAsync(false);
+
+        // Act
+        var result = await _controller.Index() as ViewResult;
+
+        // Assert
+        Assert.IsNotNull(result);
+        var model = result.Model as List<UserManagementViewModel>;
+        Assert.IsNotNull(model);
+        Assert.AreEqual(1, model.Count);
+        Assert.IsTrue(model[0].IsAdmin);
+        Assert.IsFalse(model[0].IsStaff);
+    }
+
+    [TestMethod]
+    public async Task Index_WithStaffUser_ReturnsUserWithStaffRole()
+    {
+        // Arrange
+        var staffUser = new IdentityUser { Id = "2", Email = "staff@test.com" };
+        _userManagerMock.Setup(m => m.Users)
+            .Returns(new List<IdentityUser> { staffUser }.AsQueryable());
+        _userManagerMock.Setup(m => m.IsInRoleAsync(staffUser, IdentityHelper.Admin))
+            .ReturnsAsync(false);
+        _userManagerMock.Setup(m => m.IsInRoleAsync(staffUser, IdentityHelper.Staff))
+            .ReturnsAsync(true);
+
+        // Act
+        var result = await _controller.Index() as ViewResult;
+
+        // Assert
+        Assert.IsNotNull(result);
+        var model = result.Model as List<UserManagementViewModel>;
+        Assert.IsNotNull(model);
+        Assert.AreEqual(1, model.Count);
+        Assert.IsFalse(model[0].IsAdmin);
+        Assert.IsTrue(model[0].IsStaff);
+        Assert.AreEqual("staff@test.com", model[0].Email);
+    }
+
+    #endregion
+
+    #region Create Tests
+
+    [TestMethod]
+    public void Create_Get_ReturnsView()
+    {
+        // Act
+        var result = _controller.Create() as ViewResult;
+
+        // Assert
+        Assert.IsNotNull(result);
+    }
+
+    [TestMethod]
+    public async Task Create_Post_WithValidData_CreatesStaffUserAndRedirects()
+    {
+        // Arrange
+        var newUser = new IdentityUser { Email = "newstaff@test.com" };
+        _userManagerMock.Setup(m => m.CreateAsync(It.IsAny<IdentityUser>(), "Password01#"))
+            .ReturnsAsync(IdentityResult.Success);
+        _userManagerMock.Setup(m => m.AddToRoleAsync(It.IsAny<IdentityUser>(), IdentityHelper.Staff))
+            .ReturnsAsync(IdentityResult.Success);
+
+        // Act
+        var result = await _controller.Create("newstaff@test.com", "Password01#") as RedirectToActionResult;
+
+        // Assert
+        Assert.IsNotNull(result);
+        Assert.AreEqual("Index", result.ActionName);
+        _userManagerMock.Verify(m => m.AddToRoleAsync(It.IsAny<IdentityUser>(), IdentityHelper.Staff), Times.Once);
+    }
+
+    [TestMethod]
+    public async Task Create_Post_WithEmptyEmail_ReturnsViewWithError()
+    {
+        // Act
+        var result = await _controller.Create(string.Empty, "Password01#") as ViewResult;
+
+        // Assert
+        Assert.IsNotNull(result);
+        Assert.IsFalse(_controller.ModelState.IsValid);
+    }
+
+    [TestMethod]
+    public async Task Create_Post_WithEmptyPassword_ReturnsViewWithError()
+    {
+        // Act
+        var result = await _controller.Create("staff@test.com", string.Empty) as ViewResult;
+
+        // Assert
+        Assert.IsNotNull(result);
+        Assert.IsFalse(_controller.ModelState.IsValid);
+    }
+
+    [TestMethod]
+    public async Task Create_Post_WhenCreateFails_ReturnsViewWithErrors()
+    {
+        // Arrange
+        var errors = new[] { new IdentityError { Description = "Password too weak." } };
+        _userManagerMock.Setup(m => m.CreateAsync(It.IsAny<IdentityUser>(), "weak"))
+            .ReturnsAsync(IdentityResult.Failed(errors));
+
+        // Act
+        var result = await _controller.Create("staff@test.com", "weak") as ViewResult;
+
+        // Assert
+        Assert.IsNotNull(result);
+        Assert.IsFalse(_controller.ModelState.IsValid);
+    }
+
+    #endregion
+
+    #region Promote Tests
+
+    [TestMethod]
+    public async Task Promote_WithValidStaffUser_PromotesToAdminAndRedirects()
+    {
+        // Arrange
+        var staffUser = new IdentityUser { Id = "2", Email = "staff@test.com" };
+        _userManagerMock.Setup(m => m.FindByIdAsync("2")).ReturnsAsync(staffUser);
+        _userManagerMock.Setup(m => m.IsInRoleAsync(staffUser, IdentityHelper.Admin)).ReturnsAsync(false);
+        _userManagerMock.Setup(m => m.IsInRoleAsync(staffUser, IdentityHelper.Staff)).ReturnsAsync(true);
+        _userManagerMock.Setup(m => m.AddToRoleAsync(staffUser, IdentityHelper.Admin)).ReturnsAsync(IdentityResult.Success);
+        _userManagerMock.Setup(m => m.RemoveFromRoleAsync(staffUser, IdentityHelper.Staff)).ReturnsAsync(IdentityResult.Success);
+
+        // Act
+        var result = await _controller.Promote("2") as RedirectToActionResult;
+
+        // Assert
+        Assert.IsNotNull(result);
+        Assert.AreEqual("Index", result.ActionName);
+        _userManagerMock.Verify(m => m.AddToRoleAsync(staffUser, IdentityHelper.Admin), Times.Once);
+        _userManagerMock.Verify(m => m.RemoveFromRoleAsync(staffUser, IdentityHelper.Staff), Times.Once);
+    }
+
+    [TestMethod]
+    public async Task Promote_WithInvalidUserId_ReturnsNotFound()
+    {
+        // Arrange
+        _userManagerMock.Setup(m => m.FindByIdAsync("nonexistent")).ReturnsAsync((IdentityUser?)null);
+
+        // Act
+        var result = await _controller.Promote("nonexistent");
+
+        // Assert
+        Assert.IsInstanceOfType(result, typeof(NotFoundResult));
+    }
+
+    #endregion
+
+    #region Demote Tests
+
+    [TestMethod]
+    public async Task Demote_WithValidAdminUser_DemotesToStaffAndRedirects()
+    {
+        // Arrange
+        var adminUser = new IdentityUser { Id = "3", Email = "otheradmin@test.com" };
+        var currentUser = new IdentityUser { Id = "admin-id", Email = "admin@pc2online.org" };
+        _userManagerMock.Setup(m => m.FindByIdAsync("3")).ReturnsAsync(adminUser);
+        _userManagerMock.Setup(m => m.GetUserAsync(It.IsAny<ClaimsPrincipal>())).ReturnsAsync(currentUser);
+        _userManagerMock.Setup(m => m.IsInRoleAsync(adminUser, IdentityHelper.Admin)).ReturnsAsync(true);
+        _userManagerMock.Setup(m => m.IsInRoleAsync(adminUser, IdentityHelper.Staff)).ReturnsAsync(false);
+        _userManagerMock.Setup(m => m.RemoveFromRoleAsync(adminUser, IdentityHelper.Admin)).ReturnsAsync(IdentityResult.Success);
+        _userManagerMock.Setup(m => m.AddToRoleAsync(adminUser, IdentityHelper.Staff)).ReturnsAsync(IdentityResult.Success);
+
+        // Act
+        var result = await _controller.Demote("3") as RedirectToActionResult;
+
+        // Assert
+        Assert.IsNotNull(result);
+        Assert.AreEqual("Index", result.ActionName);
+        _userManagerMock.Verify(m => m.RemoveFromRoleAsync(adminUser, IdentityHelper.Admin), Times.Once);
+        _userManagerMock.Verify(m => m.AddToRoleAsync(adminUser, IdentityHelper.Staff), Times.Once);
+    }
+
+    [TestMethod]
+    public async Task Demote_WithOwnAccount_ReturnsErrorAndRedirects()
+    {
+        // Arrange - current user tries to demote themselves
+        var currentUser = new IdentityUser { Id = "admin-id", Email = "admin@pc2online.org" };
+        _userManagerMock.Setup(m => m.FindByIdAsync("admin-id")).ReturnsAsync(currentUser);
+        _userManagerMock.Setup(m => m.GetUserAsync(It.IsAny<ClaimsPrincipal>())).ReturnsAsync(currentUser);
+
+        // Act
+        var result = await _controller.Demote("admin-id") as RedirectToActionResult;
+
+        // Assert
+        Assert.IsNotNull(result);
+        Assert.AreEqual("Index", result.ActionName);
+        Assert.IsNotNull(_controller.TempData["ErrorMessage"]);
+        _userManagerMock.Verify(m => m.RemoveFromRoleAsync(It.IsAny<IdentityUser>(), It.IsAny<string>()), Times.Never);
+    }
+
+    [TestMethod]
+    public async Task Demote_WithInvalidUserId_ReturnsNotFound()
+    {
+        // Arrange
+        _userManagerMock.Setup(m => m.FindByIdAsync("nonexistent")).ReturnsAsync((IdentityUser?)null);
+
+        // Act
+        var result = await _controller.Demote("nonexistent");
+
+        // Assert
+        Assert.IsInstanceOfType(result, typeof(NotFoundResult));
+    }
+
+    #endregion
+
+    #region Delete Tests
+
+    [TestMethod]
+    public async Task Delete_WithValidStaffUser_DeletesAndRedirects()
+    {
+        // Arrange
+        var staffUser = new IdentityUser { Id = "4", Email = "staff@test.com" };
+        var currentUser = new IdentityUser { Id = "admin-id", Email = "admin@pc2online.org" };
+        _userManagerMock.Setup(m => m.FindByIdAsync("4")).ReturnsAsync(staffUser);
+        _userManagerMock.Setup(m => m.GetUserAsync(It.IsAny<ClaimsPrincipal>())).ReturnsAsync(currentUser);
+        _userManagerMock.Setup(m => m.DeleteAsync(staffUser)).ReturnsAsync(IdentityResult.Success);
+
+        // Act
+        var result = await _controller.Delete("4") as RedirectToActionResult;
+
+        // Assert
+        Assert.IsNotNull(result);
+        Assert.AreEqual("Index", result.ActionName);
+        _userManagerMock.Verify(m => m.DeleteAsync(staffUser), Times.Once);
+    }
+
+    [TestMethod]
+    public async Task Delete_WithOwnAccount_ReturnsErrorAndRedirects()
+    {
+        // Arrange - current user tries to delete themselves
+        var currentUser = new IdentityUser { Id = "admin-id", Email = "admin@pc2online.org" };
+        _userManagerMock.Setup(m => m.FindByIdAsync("admin-id")).ReturnsAsync(currentUser);
+        _userManagerMock.Setup(m => m.GetUserAsync(It.IsAny<ClaimsPrincipal>())).ReturnsAsync(currentUser);
+
+        // Act
+        var result = await _controller.Delete("admin-id") as RedirectToActionResult;
+
+        // Assert
+        Assert.IsNotNull(result);
+        Assert.AreEqual("Index", result.ActionName);
+        Assert.IsNotNull(_controller.TempData["ErrorMessage"]);
+        _userManagerMock.Verify(m => m.DeleteAsync(It.IsAny<IdentityUser>()), Times.Never);
+    }
+
+    [TestMethod]
+    public async Task Delete_WithInvalidUserId_ReturnsNotFound()
+    {
+        // Arrange
+        _userManagerMock.Setup(m => m.FindByIdAsync("nonexistent")).ReturnsAsync((IdentityUser?)null);
+
+        // Act
+        var result = await _controller.Delete("nonexistent");
+
+        // Assert
+        Assert.IsInstanceOfType(result, typeof(NotFoundResult));
+    }
+
+    #endregion
+}

From 6b421c55f8eabe42cfef50d1d42b0f3eb34c70e2 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 12 Mar 2026 16:20:57 +0000
Subject: [PATCH 3/3] Update remaining controllers to use AdminOrStaff role

Co-authored-by: JoeProgrammer88 <7156063+JoeProgrammer88@users.noreply.github.com>
---
 PC2/Controllers/AdminController.cs         | 4 ++--
 PC2/Controllers/PeopleController.cs        | 2 +-
 PC2/Controllers/ProgramVideosController.cs | 2 +-
 PC2/Views/Shared/_Layout.cshtml            | 9 +++------
 4 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/PC2/Controllers/AdminController.cs b/PC2/Controllers/AdminController.cs
index 5a0853e3..2d23d87e 100644
--- a/PC2/Controllers/AdminController.cs
+++ b/PC2/Controllers/AdminController.cs
@@ -7,9 +7,9 @@
 namespace PC2.Controllers;
 
 /// <summary>
-/// Controller for admin-only features including analytics dashboard
+/// Controller for analytics dashboard, accessible by admins and staff.
 /// </summary>
-[Authorize(Roles = IdentityHelper.Admin)]
+[Authorize(Roles = IdentityHelper.AdminOrStaff)]
 public class AdminController : Controller
 {
     private readonly AnalyticsService _analyticsService;
diff --git a/PC2/Controllers/PeopleController.cs b/PC2/Controllers/PeopleController.cs
index c717d936..ac33b4ef 100644
--- a/PC2/Controllers/PeopleController.cs
+++ b/PC2/Controllers/PeopleController.cs
@@ -7,7 +7,7 @@
 
 namespace PC2.Controllers;
 
-[Authorize(Roles = IdentityHelper.Admin)]
+[Authorize(Roles = IdentityHelper.AdminOrStaff)]
 public class PeopleController : Controller
 {
     private readonly ApplicationDbContext _context;
diff --git a/PC2/Controllers/ProgramVideosController.cs b/PC2/Controllers/ProgramVideosController.cs
index fd46ba35..37474ef8 100644
--- a/PC2/Controllers/ProgramVideosController.cs
+++ b/PC2/Controllers/ProgramVideosController.cs
@@ -5,7 +5,7 @@
 
 namespace PC2.Controllers
 {
-    [Authorize(Roles = IdentityHelper.Admin)]
+    [Authorize(Roles = IdentityHelper.AdminOrStaff)]
     public class ProgramVideosController : Controller
     {
         private readonly ApplicationDbContext _context;
diff --git a/PC2/Views/Shared/_Layout.cshtml b/PC2/Views/Shared/_Layout.cshtml
index 9759a2b2..ee3e5058 100644
--- a/PC2/Views/Shared/_Layout.cshtml
+++ b/PC2/Views/Shared/_Layout.cshtml
@@ -85,12 +85,9 @@
                             <li class="nav-item menu-item">
                                 <a class="nav-link" asp-controller="About" asp-action="HousingProgramData">Housing Program Data</a>
                             </li>
-                            @if (User.IsInRole(IdentityHelper.Admin))
-                            {
-                                <li class="nav-item menu-item">
-                                    <a class="nav-link" asp-controller="Admin" asp-action="Analytics">Analytics</a>
-                                </li>
-                            }
+                            <li class="nav-item menu-item">
+                                <a class="nav-link" asp-controller="Admin" asp-action="Analytics">Analytics</a>
+                            </li>
                             <li id="Calendar-Index" class="nav-item menu-item dropdown">
                                 <a class="nav-link dropdown-toggle" href="#" id="calendarDropdown" role="button" data-bs-toggle="dropdown" aria-expanded="false">
                                     Calendar and Events