eerrrrrr

docs/03-auth-and-users.md

@@ -7,10 +7,24 @@
 
 ## Roles
 - `ROLE_USER`: default for registered users.
-- `ROLE_ADMIN`: promoted via console `app:promote-admin`.
+- `ROLE_MODERATOR`: promoted via console `app:promote-moderator`, or via webUI; can manage users and all reviews/albums but not site settings.
+- `ROLE_ADMIN`: promoted via console `app:promote-admin`; includes moderator abilities plus site settings access.
+
+### Access flow
+- Visiting `/admin/dashboard`, `/admin/users`, or `/admin/settings` while unauthenticated forces a redirect through `/login`, which re-opens the modal automatically.
+- Moderators inherit all `ROLE_USER` permissions; admins inherit both moderator and user permissions via the role hierarchy.
+- Admin-only actions (site settings, moderator toggling, deleting other admins) are additionally guarded in controllers/templates to avoid accidental misuse.
+
+### User management UI
+- `/admin/users` (moderator+) lists every account along with album/review counts.
+ - Moderators can create new accounts (without affecting their own login session.. ).
+- Delete buttons are disabled (with tooltip hints) for protected rows such as the current user or any admin.
+- Admins see a Promote/Demote toggle: promoting grants `ROLE_MODERATOR`; demoting removes that role unless the target is an admin (admins always outrank moderators).
+- Admins can disable public registration from `/admin/settings`; when disabled, the “Sign up” button in the auth modal is replaced with a tooltip explaining that registration is closed, but `/admin/users` remains fully functional.
+- Registration can also be enforced via `APP_ALLOW_REGISTRATION=0/1` in the environment; the DB setting syncs on each Symfony boot, so flips take effect after the next restart.
 
 ## Password changes
-- On `/dashboard`, users can change email/display name.
+- On `/profile`, users can change email/display name.
 - To set a new password, the current password must be provided.
 
 ## Logout