From ffa2c1541f802e74b5b42b04bb8041a52bb7d62a Mon Sep 17 00:00:00 2001
From: Tom Udding <tomudding@users.noreply.github.com>
Date: Wed, 4 Sep 2024 17:38:30 +0200
Subject: [PATCH 1/3] chore: simplify admin access to modules by introducing
 admin resources

This only handles top-level access, all sub-permissions/acls have to be manually
defined in their respective resources.
---
 .../src/Controller/AdminController.php        |  2 +-
 module/Activity/src/Service/AclService.php    | 20 +++--
 module/Application/view/partial/admin.phtml   | 75 +++++++------------
 .../Application/view/partial/main-nav.phtml   | 14 +++-
 module/Company/src/Service/AclService.php     | 19 +++--
 module/Decision/src/Service/AclService.php    | 23 +++---
 module/Education/src/Service/AclService.php   | 10 ++-
 module/Frontpage/src/Service/AclService.php   | 13 ++--
 module/Photo/src/Service/AclService.php       | 11 ++-
 module/User/src/Service/AclService.php        |  5 +-
 10 files changed, 105 insertions(+), 87 deletions(-)

diff --git a/module/Activity/src/Controller/AdminController.php b/module/Activity/src/Controller/AdminController.php
index 9535ac7a55..ad38b2201b 100644
--- a/module/Activity/src/Controller/AdminController.php
+++ b/module/Activity/src/Controller/AdminController.php
@@ -441,7 +441,7 @@ public function externalSignoffAction(): Response|ViewModel
      */
     public function viewAction(): ViewModel
     {
-        if (!$this->aclService->isAllowed('viewAdmin', 'activity')) {
+        if (!$this->aclService->isAllowed('view', 'activity_admin')) {
             throw new NotAllowedException($this->translator->translate('You are not allowed to administer activities'));
         }
 
diff --git a/module/Activity/src/Service/AclService.php b/module/Activity/src/Service/AclService.php
index 76f731f755..3d97075afa 100644
--- a/module/Activity/src/Service/AclService.php
+++ b/module/Activity/src/Service/AclService.php
@@ -4,6 +4,7 @@
 
 namespace Activity\Service;
 
+use Laminas\Permissions\Acl\Resource\GenericResource as Resource;
 use User\Permissions\Assertion\IsCreatorOrOrganMember;
 
 class AclService extends \User\Service\AclService
@@ -12,13 +13,15 @@ protected function createAcl(): void
     {
         parent::createAcl();
 
-        $this->acl->addResource('activity');
-        $this->acl->addResource('activityApi');
-        $this->acl->addResource('myActivities');
-        $this->acl->addResource('model');
-        $this->acl->addResource('activity_calendar_period');
-        $this->acl->addResource('activity_calendar_proposal');
-        $this->acl->addResource('signupList');
+        $this->acl->addResource(new Resource('activity'));
+        $this->acl->addResource(new Resource('activityApi'));
+        $this->acl->addResource(new Resource('myActivities'));
+        $this->acl->addResource(new Resource('model'));
+        $this->acl->addResource(new Resource('activity_calendar_period'));
+        $this->acl->addResource(new Resource('activity_calendar_proposal'));
+        $this->acl->addResource(new Resource('signupList'));
+        // Define administration part of this module, however, sub-permissions must be manually configured.
+        $this->acl->addResource(new Resource('activity_admin'));
 
         $this->acl->allow('guest', 'activity', ['view', 'viewCategory']);
         $this->acl->allow('guest', 'signupList', ['view', 'externalSignup']);
@@ -35,7 +38,7 @@ protected function createAcl(): void
             ['view', 'viewDetails', 'signup', 'signoff', 'checkUserSignedUp'],
         );
 
-        $this->acl->allow('active_member', 'activity', ['create', 'viewAdmin', 'listCategories']);
+        $this->acl->allow('active_member', 'activity', ['create', 'listCategories']);
         $this->acl->allow(
             'active_member',
             'activity',
@@ -48,6 +51,7 @@ protected function createAcl(): void
             ['adminSignup', 'viewParticipants', 'exportParticipants'],
             new IsCreatorOrOrganMember(),
         );
+        $this->acl->allow('active_member', 'activity_admin', 'view');
 
         $this->acl->allow('admin', 'activity', 'viewParticipantDetails');
         $this->acl->allow('admin', 'activity', 'approve');
diff --git a/module/Application/view/partial/admin.phtml b/module/Application/view/partial/admin.phtml
index 9f5b916ed4..18ca02115f 100644
--- a/module/Application/view/partial/admin.phtml
+++ b/module/Application/view/partial/admin.phtml
@@ -21,8 +21,7 @@ use Laminas\View\Renderer\PhpRenderer;
             </div>
             <div id="navbar-admin" class="navbar-collapse collapse width" aria-expanded="false">
                 <ul class="nav navbar-nav">
-                    <?php
-                    if (null === $this->identity()): ?>
+                    <?php if (null === $this->identity()): ?>
                         <li>
                             <a href="<?= $this->url(
                                 'user/login',
@@ -32,10 +31,8 @@ use Laminas\View\Renderer\PhpRenderer;
                                 <?= $this->translate('Login') ?>
                             </a>
                         </li>
-                    <?php
-                    endif; ?>
-                    <?php
-                    if ($this->acl('activity_service_acl')->isAllowed('activity', 'viewAdmin')): ?>
+                    <?php endif; ?>
+                    <?php if ($this->acl('activity_service_acl')->isAllowed('activity_admin', 'view')): ?>
                         <li class="dropdown <?= $this->moduleIsActive(['activity']) ? 'active' : '' ?>">
                             <a href="<?= $this->url('activity_admin') ?>" class="dropdown-toggle" data-toggle="dropdown"
                                role="button" aria-haspopup="true" aria-expanded="false">
@@ -70,10 +67,8 @@ use Laminas\View\Renderer\PhpRenderer;
                                 endif; ?>
                             </ul>
                         </li>
-                    <?php
-                    endif; ?>
-                    <?php
-                    if ($this->acl('company_service_acl')->isAllowed('company', 'listAll')): ?>
+                    <?php endif; ?>
+                    <?php if ($this->acl('company_service_acl')->isAllowed('company_admin', 'view')): ?>
                         <li class="dropdown <?= $this->moduleIsActive(['company']) ? 'active' : '' ?>">
                             <a href="<?= $this->url('company_admin') ?>" class="dropdown-toggle" data-toggle="dropdown"
                                role="button" aria-haspopup="true" aria-expanded="false">
@@ -122,10 +117,8 @@ use Laminas\View\Renderer\PhpRenderer;
                                 endif; ?>
                             </ul>
                         </li>
-                    <?php
-                    endif; ?>
-                    <?php
-                    if ($this->acl('education_service_acl')->isAllowed('course_document', 'upload')): ?>
+                    <?php endif; ?>
+                    <?php if ($this->acl('education_service_acl')->isAllowed('education_admin', 'view')): ?>
                         <li class="dropdown <?= $this->moduleIsActive(['frontpage', 'exam']) ? 'active' : '' ?>">
                             <a href="<?= $this->hashUrl() ?>" class="dropdown-toggle" data-toggle="dropdown" role="button"
                                aria-haspopup="true" aria-expanded="false">
@@ -149,10 +142,8 @@ use Laminas\View\Renderer\PhpRenderer;
                                 </li>
                             </ul>
                         </li>
-                    <?php
-                    endif; ?>
-                    <?php
-                    if ($this->acl('decision_service_acl')->isAllowed('meeting', 'upload_minutes')): ?>
+                    <?php endif; ?>
+                    <?php if ($this->acl('decision_service_acl')->isAllowed('decision_admin', 'view')): ?>
                         <li class="dropdown">
                             <a href="<?= $this->hashUrl() ?>" class="dropdown-toggle" data-toggle="dropdown"
                                role="button" aria-haspopup="true" aria-expanded="false">
@@ -176,62 +167,52 @@ use Laminas\View\Renderer\PhpRenderer;
                                 </li>
                             </ul>
                         </li>
-                    <?php
-                    endif; ?>
-                    <?php
-                    if ($this->acl('decision_service_acl')->isAllowed('organ', 'viewAdmin')): ?>
+                    <?php endif; ?>
+                    <?php if ($this->acl('decision_service_acl')->isAllowed('decision_admin', 'view')): ?>
                         <li>
                             <a href="<?= $this->url('admin_organ') ?>">
                                 <?= $this->translate('Organs') ?>
                             </a>
                         </li>
-                    <?php
-                    endif; ?>
-                    <?php
-                    if ($this->acl('frontpage_service_acl')->isAllowed('news_item', 'create')): ?>
+                    <?php endif; ?>
+                    <?php if ($this->acl('frontpage_service_acl')->isAllowed('news_item', 'create')): ?>
                         <li class="<?= $this->moduleIsActive(['frontpage', 'news']) ? 'active' : '' ?>">
                             <a href="<?= $this->url('admin_news') ?>"><?= $this->translate('News') ?></a>
                         </li>
                     <?php
                     endif; ?>
-                    <?php
-                    if ($this->acl('frontpage_service_acl')->isAllowed('page', 'create')): ?>
+                    <?php if ($this->acl('frontpage_service_acl')->isAllowed('page', 'create')): ?>
                         <li class="<?= $this->moduleIsActive(['frontpage', 'page']) ? 'active' : '' ?>">
                             <a href="<?= $this->url('admin_page') ?>"><?= $this->translate('Pages') ?></a>
                         </li>
-                    <?php
-                    endif; ?>
-                    <?php
-                    if ($this->acl('photo_service_acl')->isAllowed('album', 'nodate')): ?>
+                    <?php endif; ?>
+                    <?php if ($this->acl('photo_service_acl')->isAllowed('photo_admin', 'view')): ?>
                         <li>
                             <a href="<?= $this->url('admin_photo') ?>"><?= $this->translate('Photos') ?></a>
                         </li>
-                    <?php
-                    endif; ?>
-                    <?php
-                    if ($this->acl('frontpage_service_acl')->isAllowed('poll', 'approve')): ?>
+                    <?php endif; ?>
+                    <?php if ($this->acl('frontpage_service_acl')->isAllowed('poll', 'approve')): ?>
                         <li class="<?= $this->moduleIsActive(['frontpage', 'poll']) ? 'active' : '' ?>">
                             <a href="<?= $this->url('admin_poll') ?>"><?= $this->translate('Polls') ?></a>
                         </li>
-                    <?php
-                    endif; ?>
-                    <?php
-                    if ($this->acl('user_service_acl')->isAllowed('apiuser', 'add')): ?>
+                    <?php endif; ?>
+                    <?php if ($this->acl('user_service_acl')->isAllowed('user_admin', 'view')): ?>
                         <li class="dropdown <?= $this->moduleIsActive(['user']) ? 'active' : '' ?>">
                             <a href="<?= $this->hashUrl() ?>" class="dropdown-toggle" data-toggle="dropdown" role="button"
                                aria-haspopup="true" aria-expanded="false">
                                 <?= $this->translate('Users') ?> <span class="caret"></span>
                             </a>
                             <ul class="dropdown-menu">
-                                <li>
-                                    <a href="<?= $this->url('user_admin/api') ?>">
-                                        <?= $this->translate('API Users') ?>
-                                    </a>
-                                </li>
+                                <?php if ($this->acl('user_service_acl')->isAllowed('apiuser', 'add')): ?>
+                                    <li>
+                                        <a href="<?= $this->url('user_admin/api') ?>">
+                                            <?= $this->translate('API Users') ?>
+                                        </a>
+                                    </li>
+                                <?php endif; ?>
                             </ul>
                         </li>
-                    <?php
-                    endif; ?>
+                    <?php endif; ?>
                     <li class="stick-to-bottom">
                         <a href="https://github.com/gewis/gewisweb">
                             <span class="fab fa-github"></span> <?= getenv('GIT_COMMIT') ?>
diff --git a/module/Application/view/partial/main-nav.phtml b/module/Application/view/partial/main-nav.phtml
index 5cf06ee9d4..df8d114d6b 100644
--- a/module/Application/view/partial/main-nav.phtml
+++ b/module/Application/view/partial/main-nav.phtml
@@ -193,15 +193,21 @@ endif; ?>
                                     <?= $this->translate('Change password') ?>
                                 </a>
                             </li>
-                            <?php
-                            if ($this->acl('decision_service_acl')->isAllowed('organ', 'edit')): ?>
+                            <?php if (
+                                $this->acl('activity_service_acl')->isAllowed('activity_admin', 'view')
+                                || $this->acl('company_service_acl')->isAllowed('company_admin', 'view')
+                                || $this->acl('decision_service_acl')->isAllowed('decision_admin', 'view')
+                                || $this->acl('education_service_acl')->isAllowed('education_admin', 'view')
+                                || $this->acl('frontpage_service_acl')->isAllowed('frontpage_admin', 'view')
+                                || $this->acl('photo_service_acl')->isAllowed('photo_admin', 'view')
+                                || $this->acl('user_service_acl')->isAllowed('user_admin', 'view')
+                            ): ?>
                                 <li>
                                     <a href="<?= $this->url('admin') ?>">
                                         <?= $this->translate('Admin') ?>
                                     </a>
                                 </li>
-                            <?php
-                            endif; ?>
+                            <?php endif; ?>
                             <li>
                                 <a href="<?= $this->url('user/logout') ?>">
                                     <?= $this->translate('Logout') ?>
diff --git a/module/Company/src/Service/AclService.php b/module/Company/src/Service/AclService.php
index cd14708f46..db8cc5059f 100644
--- a/module/Company/src/Service/AclService.php
+++ b/module/Company/src/Service/AclService.php
@@ -4,6 +4,8 @@
 
 namespace Company\Service;
 
+use Laminas\Permissions\Acl\Resource\GenericResource as Resource;
+
 class AclService extends \User\Service\AclService
 {
     protected function createAcl(): void
@@ -11,11 +13,13 @@ protected function createAcl(): void
         parent::createAcl();
 
         // Add resources
-        $this->acl->addResource('company');
-        $this->acl->addResource('job');
-        $this->acl->addResource('jobCategory');
-        $this->acl->addResource('jobLabel');
-        $this->acl->addResource('package');
+        $this->acl->addResource(new Resource('company'));
+        $this->acl->addResource(new Resource('job'));
+        $this->acl->addResource(new Resource('jobCategory'));
+        $this->acl->addResource(new Resource('jobLabel'));
+        $this->acl->addResource(new Resource('package'));
+        // Define administration part of this module, however, sub-permissions must be manually configured.
+        $this->acl->addResource(new Resource('company_admin'));
 
         // Guests can view banners and featured companies. They can also view and list only visible companies and
         // (their) jobs. Additionally, they can list (see) any visible categories and/or labels on jobs.
@@ -39,6 +43,11 @@ protected function createAcl(): void
         // jobs, job categories, job labels, and packages. Furthermore, they can delete companies, jobs, and packages.
         // Additionally, they may approve edits to companies and jobs. Finally, they can list all categories and labels
         // (even invisible ones).
+        $this->acl->allow(
+            roles: 'company_admin',
+            resources: 'company_admin',
+            privileges: 'view',
+        );
         $this->acl->allow(
             roles: 'company_admin',
             resources: 'company',
diff --git a/module/Decision/src/Service/AclService.php b/module/Decision/src/Service/AclService.php
index b4ce6651f1..3782bb5758 100644
--- a/module/Decision/src/Service/AclService.php
+++ b/module/Decision/src/Service/AclService.php
@@ -4,6 +4,8 @@
 
 namespace Decision\Service;
 
+use Laminas\Permissions\Acl\Resource\GenericResource as Resource;
+
 class AclService extends \User\Service\AclService
 {
     protected function createAcl(): void
@@ -11,21 +13,24 @@ protected function createAcl(): void
         parent::createAcl();
 
         // add resources for this module
-        $this->acl->addResource('organ');
-        $this->acl->addResource('member');
-        $this->acl->addResource('decision');
-        $this->acl->addResource('meeting');
-        $this->acl->addResource('authorization');
-        $this->acl->addResource('files');
-        $this->acl->addResource('regulations');
-        $this->acl->addResource('gdpr');
+        $this->acl->addResource(new Resource('organ'));
+        $this->acl->addResource(new Resource('member'));
+        $this->acl->addResource(new Resource('decision'));
+        $this->acl->addResource(new Resource('meeting'));
+        $this->acl->addResource(new Resource('authorization'));
+        $this->acl->addResource(new Resource('files'));
+        $this->acl->addResource(new Resource('regulations'));
+        $this->acl->addResource(new Resource('gdpr'));
+        // Define administration part of this module, however, sub-permissions must be manually configured.
+        $this->acl->addResource(new Resource('decision_admin'));
 
         // users are allowed to view the organs
         $this->acl->allow('guest', 'organ', 'list');
         $this->acl->allow('user', 'organ', 'view');
 
         // Organ members are allowed to edit organ information of their own organs
-        $this->acl->allow('active_member', 'organ', ['edit', 'viewAdmin']);
+        $this->acl->allow('active_member', 'organ', 'edit');
+        $this->acl->allow('active_member', 'decision_admin', 'view');
 
         // users are allowed to view and search members
         $this->acl->allow('user', 'member', ['view', 'view_self', 'search', 'birthdays']);
diff --git a/module/Education/src/Service/AclService.php b/module/Education/src/Service/AclService.php
index 03ac84dad0..e346c5dd81 100644
--- a/module/Education/src/Service/AclService.php
+++ b/module/Education/src/Service/AclService.php
@@ -4,6 +4,8 @@
 
 namespace Education\Service;
 
+use Laminas\Permissions\Acl\Resource\GenericResource as Resource;
+
 class AclService extends \User\Service\AclService
 {
     protected function createAcl(): void
@@ -11,9 +13,11 @@ protected function createAcl(): void
         parent::createAcl();
 
         // add resource
-        $this->acl->addResource('education');
-        $this->acl->addResource('course_document');
-        $this->acl->addResource('course');
+        $this->acl->addResource(new Resource('education'));
+        $this->acl->addResource(new Resource('course_document'));
+        $this->acl->addResource(new Resource('course'));
+        // Define administration part of this module, however, sub-permissions must be manually configured.
+        $this->acl->addResource(new Resource('education_admin'));
 
         // users (logged in GEWIS members) are allowed to view
         // exams besides users, also people on the TU/e network are
diff --git a/module/Frontpage/src/Service/AclService.php b/module/Frontpage/src/Service/AclService.php
index 23662ac8f6..7f609e918e 100644
--- a/module/Frontpage/src/Service/AclService.php
+++ b/module/Frontpage/src/Service/AclService.php
@@ -5,6 +5,7 @@
 namespace Frontpage\Service;
 
 use Frontpage\Model\Page as PageModel;
+use Laminas\Permissions\Acl\Resource\GenericResource as Resource;
 
 class AclService extends \User\Service\AclService
 {
@@ -24,11 +25,13 @@ protected function createAcl(): void
     {
         parent::createAcl();
 
-        $this->acl->addResource('page');
-        $this->acl->addResource('poll');
-        $this->acl->addResource('poll_comment');
-        $this->acl->addResource('news_item');
-        $this->acl->addResource('infimum');
+        $this->acl->addResource(new Resource('page'));
+        $this->acl->addResource(new Resource('poll'));
+        $this->acl->addResource(new Resource('poll_comment'));
+        $this->acl->addResource(new Resource('news_item'));
+        $this->acl->addResource(new Resource('infimum'));
+        // Define administration part of this module, however, sub-permissions must be manually configured.
+        $this->acl->addResource(new Resource('frontpage_admin'));
 
         $this->acl->allow('user', 'infimum', 'view');
         $this->acl->allow('user', 'poll', ['vote', 'request']);
diff --git a/module/Photo/src/Service/AclService.php b/module/Photo/src/Service/AclService.php
index c45ae69ec3..646c91ff98 100644
--- a/module/Photo/src/Service/AclService.php
+++ b/module/Photo/src/Service/AclService.php
@@ -4,6 +4,7 @@
 
 namespace Photo\Service;
 
+use Laminas\Permissions\Acl\Resource\GenericResource as Resource;
 use User\Permissions\Assertion\IsAfterMembershipEndedAndNotTagged;
 
 class AclService extends \User\Service\AclService
@@ -13,10 +14,12 @@ protected function createAcl(): void
         parent::createAcl();
 
         // add resources for this module
-        $this->acl->addResource('photo');
-        $this->acl->addResource('album');
-        $this->acl->addResource('tag');
-        $this->acl->addResource('vote');
+        $this->acl->addResource(new Resource('photo'));
+        $this->acl->addResource(new Resource('album'));
+        $this->acl->addResource(new Resource('tag'));
+        $this->acl->addResource(new Resource('vote'));
+        // Define administration part of this module, however, sub-permissions must be manually configured.
+        $this->acl->addResource(new Resource('photo_admin'));
 
         // Only users and 'the screen' are allowed to view photos (and its details) and albums
         $this->acl->allow('user', 'album', 'view');
diff --git a/module/User/src/Service/AclService.php b/module/User/src/Service/AclService.php
index 785588ba20..5f96784bf2 100644
--- a/module/User/src/Service/AclService.php
+++ b/module/User/src/Service/AclService.php
@@ -87,8 +87,11 @@ protected function createAcl(): void
         // configure the user ACL
         $this->acl->addResource(new Resource('apiuser'));
         $this->acl->addResource(new Resource('user'));
+        // Define administration part of this module, however, sub-permissions must be manually configured.
+        $this->acl->addResource(new Resource('user_admin'));
 
-        // Do not allow the board to touch API tokens
+        // Do not allow the board to touch user administration / API tokens
+        $this->acl->deny(UserRoles::Board->value, 'user_admin');
         $this->acl->deny(UserRoles::Board->value, 'apiuser');
 
         $this->acl->allow(UserRoles::User->value, 'user', ['password_change']);

From abeeb8c00f126dbedb6d317cbdb24d20f6959e3e Mon Sep 17 00:00:00 2001
From: Tom Udding <tomudding@users.noreply.github.com>
Date: Wed, 11 Sep 2024 11:44:08 +0200
Subject: [PATCH 2/3] fix: trailing slash for admin route

Do not know how I did not catch this during GH-1885.
---
 module/Frontpage/config/module.config.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/module/Frontpage/config/module.config.php b/module/Frontpage/config/module.config.php
index 0b6cf6076b..302df6f944 100644
--- a/module/Frontpage/config/module.config.php
+++ b/module/Frontpage/config/module.config.php
@@ -345,7 +345,7 @@
             'admin' => [
                 'type' => Segment::class,
                 'options' => [
-                    'route' => '/admin[/]',
+                    'route' => '/admin',
                     'defaults' => [
                         'controller' => AdminController::class,
                         'action' => 'index',

From 1a7115efe361e22fd08f8fbc1e809d149b0d4a90 Mon Sep 17 00:00:00 2001
From: Tom Udding <tomudding@users.noreply.github.com>
Date: Wed, 11 Sep 2024 14:51:49 +0200
Subject: [PATCH 3/3] feat: add member + user overview table

Contains all information from members (and their associated users) for debugging
purposes.
---
 module/Application/language/en.po             | 27 +++++++-
 module/Application/language/gewisweb.pot      | 25 ++++++-
 module/Application/language/nl.po             | 27 +++++++-
 module/Application/view/partial/admin.phtml   | 25 +++----
 module/Decision/src/Mapper/Member.php         | 27 ++++++++
 module/User/config/module.config.php          | 13 ++++
 .../Factory/UserAdminControllerFactory.php    | 28 ++++++++
 .../src/Controller/UserAdminController.php    | 35 ++++++++++
 module/User/src/Model/User.php                |  1 +
 module/User/src/Service/AclService.php        |  3 +
 module/User/view/user/user-admin/index.phtml  | 68 +++++++++++++++++++
 phpcs.xml.dist                                |  1 +
 12 files changed, 260 insertions(+), 20 deletions(-)
 create mode 100644 module/User/src/Controller/Factory/UserAdminControllerFactory.php
 create mode 100644 module/User/src/Controller/UserAdminController.php
 create mode 100644 module/User/view/user/user-admin/index.phtml

diff --git a/module/Application/language/en.po b/module/Application/language/en.po
index 786336aee3..23b0fb8418 100644
--- a/module/Application/language/en.po
+++ b/module/Application/language/en.po
@@ -8,8 +8,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: GEWISweb 0.1.0-dev\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-08-24 21:14+0200\n"
-"PO-Revision-Date: 2024-08-24 21:16+0200\n"
+"POT-Creation-Date: 2024-09-11 14:50+0200\n"
+"PO-Revision-Date: 2024-09-11 14:51+0200\n"
 "Last-Translator: Tom Udding <web@gewis.nl>\n"
 "Language-Team: English <kde-i18n-doc@kde.org>\n"
 "Language: en\n"
@@ -17,7 +17,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Poedit 3.4.4\n"
+"X-Generator: Poedit 3.5\n"
 
 msgid " <strong>has a limited capacity</strong> and "
 msgstr " <strong>has a limited capacity</strong> and "
@@ -118,6 +118,9 @@ msgstr "Actions"
 msgid "Activate"
 msgstr "Activate"
 
+msgid "Activated"
+msgstr "Activated"
+
 msgid "Active"
 msgstr "Active"
 
@@ -939,6 +942,9 @@ msgstr "Delete this news item"
 msgid "Delete this page"
 msgstr "Delete this page"
 
+msgid "Deleted"
+msgstr "Deleted"
+
 msgid "Description"
 msgstr "Description"
 
@@ -1219,6 +1225,9 @@ msgstr "Expiration date for the poll"
 msgid "Expired packages"
 msgstr "Expired packages"
 
+msgid "Expires On"
+msgstr "Expires On"
+
 msgid "Exposure time"
 msgstr "Exposure time"
 
@@ -1826,6 +1835,9 @@ msgstr "Member number"
 msgid "Members"
 msgstr "Members"
 
+msgid "Membership Ends On"
+msgstr "Membership Ends On"
+
 msgid "Membership number"
 msgstr "Membership number"
 
@@ -2203,6 +2215,9 @@ msgstr "Participants"
 msgid "Password"
 msgstr "Password"
 
+msgid "Password Changed On"
+msgstr "Password Changed On"
+
 msgid "Password changed successfully"
 msgstr "Password changed successfully"
 
@@ -2473,6 +2488,9 @@ msgstr "Revoked"
 msgid "Revoked authorizations for GMM %d"
 msgstr "Revoked authorizations for GMM %d"
 
+msgid "Role(s)"
+msgstr "Role(s)"
+
 msgid "Root"
 msgstr "Root"
 
@@ -3671,6 +3689,9 @@ msgstr "You are not allowed to administer option calendar periods"
 msgid "You are not allowed to administer polls"
 msgstr "You are not allowed to administer polls"
 
+msgid "You are not allowed to administer users"
+msgstr "You are not allowed to administer users"
+
 msgid "You are not allowed to approve polls"
 msgstr "You are not allowed to approve polls"
 
diff --git a/module/Application/language/gewisweb.pot b/module/Application/language/gewisweb.pot
index 81bfc02e3d..cfb259224b 100644
--- a/module/Application/language/gewisweb.pot
+++ b/module/Application/language/gewisweb.pot
@@ -6,9 +6,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: GEWISweb v2.8.6-747-ge3d122d45-dirty\n"
+"Project-Id-Version: GEWISweb v2.8.6-764-gabeeb8c00-dirty\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-08-24 21:14+0200\n"
+"POT-Creation-Date: 2024-09-11 14:50+0200\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -117,6 +117,9 @@ msgstr ""
 msgid "Activate"
 msgstr ""
 
+msgid "Activated"
+msgstr ""
+
 msgid "Active"
 msgstr ""
 
@@ -893,6 +896,9 @@ msgstr ""
 msgid "Delete this page"
 msgstr ""
 
+msgid "Deleted"
+msgstr ""
+
 msgid "Description"
 msgstr ""
 
@@ -1163,6 +1169,9 @@ msgstr ""
 msgid "Expired packages"
 msgstr ""
 
+msgid "Expires On"
+msgstr ""
+
 msgid "Exposure time"
 msgstr ""
 
@@ -1719,6 +1728,9 @@ msgstr ""
 msgid "Members"
 msgstr ""
 
+msgid "Membership Ends On"
+msgstr ""
+
 msgid "Membership number"
 msgstr ""
 
@@ -2090,6 +2102,9 @@ msgstr ""
 msgid "Password"
 msgstr ""
 
+msgid "Password Changed On"
+msgstr ""
+
 msgid "Password changed successfully"
 msgstr ""
 
@@ -2343,6 +2358,9 @@ msgstr ""
 msgid "Revoked authorizations for GMM %d"
 msgstr ""
 
+msgid "Role(s)"
+msgstr ""
+
 msgid "Root"
 msgstr ""
 
@@ -3433,6 +3451,9 @@ msgstr ""
 msgid "You are not allowed to administer polls"
 msgstr ""
 
+msgid "You are not allowed to administer users"
+msgstr ""
+
 msgid "You are not allowed to approve polls"
 msgstr ""
 
diff --git a/module/Application/language/nl.po b/module/Application/language/nl.po
index 1bcdb3205c..3cd3d9643e 100644
--- a/module/Application/language/nl.po
+++ b/module/Application/language/nl.po
@@ -8,8 +8,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: GEWISweb 0.1.0-dev\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-08-24 21:14+0200\n"
-"PO-Revision-Date: 2024-08-24 21:15+0200\n"
+"POT-Creation-Date: 2024-09-11 14:50+0200\n"
+"PO-Revision-Date: 2024-09-11 14:51+0200\n"
 "Last-Translator: Tom Udding <web@gewis.nl>\n"
 "Language-Team: English <kde-i18n-doc@kde.org>\n"
 "Language: nl\n"
@@ -17,7 +17,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Poedit 3.4.4\n"
+"X-Generator: Poedit 3.5\n"
 
 msgid " <strong>has a limited capacity</strong> and "
 msgstr " <strong>heeft een beperkte capaciteit</strong> en "
@@ -118,6 +118,9 @@ msgstr "Acties"
 msgid "Activate"
 msgstr "Activeer"
 
+msgid "Activated"
+msgstr "Geactiveerd"
+
 msgid "Active"
 msgstr "Actief"
 
@@ -944,6 +947,9 @@ msgstr "Verwijder dit nieuwsitem"
 msgid "Delete this page"
 msgstr "Verwijder deze pagina"
 
+msgid "Deleted"
+msgstr "Verwijderd"
+
 msgid "Description"
 msgstr "Beschrijving"
 
@@ -1230,6 +1236,9 @@ msgstr "Verloopdatum van de poll"
 msgid "Expired packages"
 msgstr "Verlopen pakketten"
 
+msgid "Expires On"
+msgstr "Verloopt op"
+
 msgid "Exposure time"
 msgstr "Belichtingstijd"
 
@@ -1850,6 +1859,9 @@ msgstr "Lidmaatschapsnummer"
 msgid "Members"
 msgstr "Leden"
 
+msgid "Membership Ends On"
+msgstr "Lidmaatschap eindigt op"
+
 msgid "Membership number"
 msgstr "Lidmaatschapsnummer"
 
@@ -2226,6 +2238,9 @@ msgstr "Deelnemers"
 msgid "Password"
 msgstr "Wachtwoord"
 
+msgid "Password Changed On"
+msgstr "Wachtwoord gewijzigd op"
+
 msgid "Password changed successfully"
 msgstr "Wachtwoord succesvol gewijzigd"
 
@@ -2498,6 +2513,9 @@ msgstr "Ingetrokken"
 msgid "Revoked authorizations for GMM %d"
 msgstr "Ingetrokken machtigingen voor ALV %d"
 
+msgid "Role(s)"
+msgstr "Rol(len)"
+
 msgid "Root"
 msgstr "Root"
 
@@ -3713,6 +3731,9 @@ msgstr "Je hebt niet de rechten om optieperiodes te beheren"
 msgid "You are not allowed to administer polls"
 msgstr "Je hebt niet de rechten om poll-instellingen te beheren"
 
+msgid "You are not allowed to administer users"
+msgstr "Je hebt niet de rechten om gebruikers te beheren"
+
 msgid "You are not allowed to approve polls"
 msgstr "Je hebt niet de rechten om polls goed te keuren"
 
diff --git a/module/Application/view/partial/admin.phtml b/module/Application/view/partial/admin.phtml
index 18ca02115f..76f8dc62ab 100644
--- a/module/Application/view/partial/admin.phtml
+++ b/module/Application/view/partial/admin.phtml
@@ -95,26 +95,21 @@ use Laminas\View\Renderer\PhpRenderer;
                                             <?= $this->translate('Approvals') ?>
                                         </a>
                                     </li>
-                                <?php
-                                endif; ?>
-                                <?php
-                                if ($this->acl('company_service_acl')->isAllowed('jobCategory', 'listAll')): ?>
+                                <?php endif; ?>
+                                <?php if ($this->acl('company_service_acl')->isAllowed('jobCategory', 'listAll')): ?>
                                     <li>
                                         <a href="<?= $this->url('company_admin/categories') ?>">
                                             <?= $this->translate('Categories') ?>
                                         </a>
                                     </li>
-                                <?php
-                                endif; ?>
-                                <?php
-                                if ($this->acl('company_service_acl')->isAllowed('jobLabel', 'listAll')): ?>
+                                <?php endif; ?>
+                                <?php if ($this->acl('company_service_acl')->isAllowed('jobLabel', 'listAll')): ?>
                                     <li>
                                         <a href="<?= $this->url('company_admin/labels') ?>">
                                             <?= $this->translate('Labels') ?>
                                         </a>
                                     </li>
-                                <?php
-                                endif; ?>
+                                <?php endif; ?>
                             </ul>
                         </li>
                     <?php endif; ?>
@@ -179,8 +174,7 @@ use Laminas\View\Renderer\PhpRenderer;
                         <li class="<?= $this->moduleIsActive(['frontpage', 'news']) ? 'active' : '' ?>">
                             <a href="<?= $this->url('admin_news') ?>"><?= $this->translate('News') ?></a>
                         </li>
-                    <?php
-                    endif; ?>
+                    <?php endif; ?>
                     <?php if ($this->acl('frontpage_service_acl')->isAllowed('page', 'create')): ?>
                         <li class="<?= $this->moduleIsActive(['frontpage', 'page']) ? 'active' : '' ?>">
                             <a href="<?= $this->url('admin_page') ?>"><?= $this->translate('Pages') ?></a>
@@ -210,6 +204,13 @@ use Laminas\View\Renderer\PhpRenderer;
                                         </a>
                                     </li>
                                 <?php endif; ?>
+                                <?php if ($this->acl('user_service_acl')->isAllowed('user', 'view_status')): ?>
+                                    <li>
+                                        <a href="<?= $this->url('user_admin/members') ?>">
+                                            <?= $this->translate('Members') ?>
+                                        </a>
+                                    </li>
+                                <?php endif; ?>
                             </ul>
                         </li>
                     <?php endif; ?>
diff --git a/module/Decision/src/Mapper/Member.php b/module/Decision/src/Mapper/Member.php
index 95f8ff94c5..3071ba2795 100644
--- a/module/Decision/src/Mapper/Member.php
+++ b/module/Decision/src/Mapper/Member.php
@@ -10,6 +10,8 @@
 use Decision\Model\OrganMember as OrganMemberModel;
 use Doctrine\ORM\Query\ResultSetMapping;
 use Doctrine\ORM\Query\ResultSetMappingBuilder;
+use User\Model\User as UserModel;
+use User\Model\UserRole as UserRoleModel;
 
 use function strtolower;
 
@@ -173,6 +175,31 @@ public function findHistoricalInstallations(MemberModel $member): array
         return $qb->getQuery()->getResult();
     }
 
+    /**
+     * Fetch all members including their associated user.
+     *
+     * NOTE: The ordering of the return array is not as you might expect. The actual result will be like:
+     *
+     * array{
+     *     0: MemberModel,
+     *     1: ?UserModel,
+     *     2: MemberModel,
+     *     3: ... (repeat pattern)
+     * }
+     *
+     * In other words, every 2 rows represent a single `Member`.
+     *
+     * @return array<array-key, MemberModel|UserModel|UserRoleModel|null>
+     */
+    public function findAllWithUserDetails(): array
+    {
+        $qb = $this->getRepository()->createQueryBuilder('m');
+        $qb->leftJoin(UserModel::class, 'u', 'WITH', 'm.lidnr = u.lidnr')
+            ->addSelect('u');
+
+        return $qb->getQuery()->getResult();
+    }
+
     protected function getRepositoryName(): string
     {
         return MemberModel::class;
diff --git a/module/User/config/module.config.php b/module/User/config/module.config.php
index c79b931eb4..9f2124d64f 100644
--- a/module/User/config/module.config.php
+++ b/module/User/config/module.config.php
@@ -12,7 +12,9 @@
 use User\Controller\ApiAuthenticationController;
 use User\Controller\Factory\ApiAdminControllerFactory;
 use User\Controller\Factory\ApiAuthenticationControllerFactory;
+use User\Controller\Factory\UserAdminControllerFactory;
 use User\Controller\Factory\UserControllerFactory;
+use User\Controller\UserAdminController;
 use User\Controller\UserController;
 
 return [
@@ -155,6 +157,16 @@
                             ],
                         ],
                     ],
+                    'members' => [
+                        'type' => Literal::class,
+                        'options' => [
+                            'route' => '/members',
+                            'defaults' => [
+                                'controller' => UserAdminController::class,
+                                'action' => 'index',
+                            ],
+                        ],
+                    ],
                 ],
                 'priority' => 100,
             ],
@@ -175,6 +187,7 @@
         'factories' => [
             ApiAdminController::class => ApiAdminControllerFactory::class,
             ApiAuthenticationController::class => ApiAuthenticationControllerFactory::class,
+            UserAdminController::class => UserAdminControllerFactory::class,
             UserController::class => UserControllerFactory::class,
         ],
     ],
diff --git a/module/User/src/Controller/Factory/UserAdminControllerFactory.php b/module/User/src/Controller/Factory/UserAdminControllerFactory.php
new file mode 100644
index 0000000000..88471936dc
--- /dev/null
+++ b/module/User/src/Controller/Factory/UserAdminControllerFactory.php
@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+namespace User\Controller\Factory;
+
+use Laminas\Mvc\I18n\Translator as MvcTranslator;
+use Laminas\ServiceManager\Factory\FactoryInterface;
+use Psr\Container\ContainerInterface;
+use User\Controller\UserAdminController;
+
+class UserAdminControllerFactory implements FactoryInterface
+{
+    /**
+     * @param string $requestedName
+     */
+    public function __invoke(
+        ContainerInterface $container,
+        $requestedName,
+        ?array $options = null,
+    ): UserAdminController {
+        return new UserAdminController(
+            $container->get('user_service_acl'),
+            $container->get(MvcTranslator::class),
+            $container->get('decision_mapper_member'),
+        );
+    }
+}
diff --git a/module/User/src/Controller/UserAdminController.php b/module/User/src/Controller/UserAdminController.php
new file mode 100644
index 0000000000..696538bac1
--- /dev/null
+++ b/module/User/src/Controller/UserAdminController.php
@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace User\Controller;
+
+use Decision\Mapper\Member as MemberMapper;
+use Laminas\Mvc\Controller\AbstractActionController;
+use Laminas\Mvc\I18n\Translator;
+use Laminas\View\Model\ViewModel;
+use User\Permissions\NotAllowedException;
+use User\Service\AclService;
+
+class UserAdminController extends AbstractActionController
+{
+    public function __construct(
+        private readonly AclService $aclService,
+        private readonly Translator $translator,
+        private readonly MemberMapper $memberMapper,
+    ) {
+    }
+
+    public function indexAction(): ViewModel
+    {
+        if (!$this->aclService->isAllowed('view_status', 'user')) {
+            throw new NotAllowedException(
+                $this->translator->translate('You are not allowed to administer users'),
+            );
+        }
+
+        return new ViewModel([
+            'members' => $this->memberMapper->findAllWithUserDetails(),
+        ]);
+    }
+}
diff --git a/module/User/src/Model/User.php b/module/User/src/Model/User.php
index 96d0aaa315..9fe842f286 100644
--- a/module/User/src/Model/User.php
+++ b/module/User/src/Model/User.php
@@ -57,6 +57,7 @@ class User implements IdentityInterface
     #[OneToMany(
         targetEntity: UserRole::class,
         mappedBy: 'lidnr',
+        fetch: 'EAGER',
     )]
     protected Collection $roles;
 
diff --git a/module/User/src/Service/AclService.php b/module/User/src/Service/AclService.php
index 5f96784bf2..7b769d6e93 100644
--- a/module/User/src/Service/AclService.php
+++ b/module/User/src/Service/AclService.php
@@ -94,6 +94,9 @@ protected function createAcl(): void
         $this->acl->deny(UserRoles::Board->value, 'user_admin');
         $this->acl->deny(UserRoles::Board->value, 'apiuser');
 
+        // Do not allow the board to see activation status
+        $this->acl->deny(UserRoles::Board->value, 'user', ['view_status']);
+
         $this->acl->allow(UserRoles::User->value, 'user', ['password_change']);
         $this->acl->allow(UserRoles::Company->value, 'user', ['password_change']);
     }
diff --git a/module/User/view/user/user-admin/index.phtml b/module/User/view/user/user-admin/index.phtml
new file mode 100644
index 0000000000..28c41295bb
--- /dev/null
+++ b/module/User/view/user/user-admin/index.phtml
@@ -0,0 +1,68 @@
+<?php
+
+declare(strict_types=1);
+
+use Application\View\HelperTrait;
+use Decision\Model\Member as MemberModel;
+use Laminas\View\Renderer\PhpRenderer;
+use User\Model\User as UserModel;
+
+/**
+ * @var PhpRenderer|HelperTrait $this
+ * @var array $members
+ */
+
+$this->breadcrumbs()
+    ->addBreadcrumb($this->translate('Members'));
+?>
+<h1><?= $this->translate('Members') ?></h1>
+<div class="table-responsive">
+    <table class="table table-hover">
+        <thead>
+            <tr>
+                <th>#</th>
+                <th><?= $this->translate('Name') ?></th>
+                <th><?= $this->translate('Type') ?></th>
+                <th><?= $this->translate('Activated') ?></th>
+                <th><?= $this->translate('Hidden') ?></th>
+                <th><?= $this->translate('Deleted') ?></th>
+                <th><?= $this->translate('Password Changed On') ?></th>
+                <th><?= $this->translate('Role(s)') ?></th>
+                <th><?= $this->translate('Membership Ends On') ?></th>
+                <th><?= $this->translate('Expires On') ?></th>
+            <tr>
+        </thead>
+        <tbody>
+            <?php for ($i = 0; $i < count($members); $i += 2): ?>
+                <?php
+                /** @var MemberModel $member */
+                $member = $members[$i];
+                /** @var UserModel|null $user */
+                $user = $members[$i + 1] ?? null;
+                $activated = null !== $user;
+                $deleted = $member->getDeleted();
+                ?>
+                <tr class="<?= !$activated ? 'info' : '' ?> <?= $member->isExpired() ? 'warning' : '' ?> <?= $deleted ? 'danger' : '' ?>">
+                    <td><?= $member->getLidnr() ?></td>
+                    <td><?= $this->escapeHtml($member->getFullName()) ?></td>
+                    <td><?= $member->getType()->getName($this->plugin('translate')->getTranslator()) ?></td>
+                    <td><span class="fas fa-circle-<?= $activated ? 'check' : 'xmark' ?>"></span></td>
+                    <td><span class="fas fa-circle-<?= $member->getHidden() ? 'check' : 'xmark' ?>"></span></td>
+                    <td><span class="fas fa-circle-<?= $member->getDeleted() ? 'check' : 'xmark' ?>"></span></td>
+                    <td><?= $activated ? ($user->getPasswordChangedOn()?->format(DateTimeInterface::ATOM) ?? '-') : $this->translate('N/A') ?></td>
+                    <td>
+                        <?php if ($activated && 0 !== $user->getRoles()->count()): ?>
+                            <?php foreach ($user->getRoles() as $role): ?>
+                                <?= $role->getRole()->value . ' (' . ($role->getExpiration()?->format(DateTimeInterface::ATOM) ?? '-') . ')'?>
+                            <?php endforeach; ?>
+                        <?php else: ?>
+                            -
+                        <?php endif; ?>
+                    </td>
+                    <td><?= $member->getMembershipEndsOn()?->format(DateTimeInterface::ATOM) ?? $this->translate('N/A') ?></td>
+                    <td><?= $member->getExpiration()->format(DateTimeInterface::ATOM) ?></td>
+                </tr>
+            <?php endfor; ?>
+        </tbody>
+    </table>
+</div>
diff --git a/phpcs.xml.dist b/phpcs.xml.dist
index 9c80888934..6ee29c0bf5 100644
--- a/phpcs.xml.dist
+++ b/phpcs.xml.dist
@@ -73,6 +73,7 @@
         <exclude-pattern>module/User/src/Command/Factory/DeleteOldLoginAttemptsFactory.php</exclude-pattern>
         <exclude-pattern>module/User/src/Controller/Factory/ApiAuthenticationControllerFactory.php</exclude-pattern>
         <exclude-pattern>module/User/src/Controller/Factory/UserControllerFactory.php</exclude-pattern>
+        <exclude-pattern>module/User/src/Controller/Factory/UserAdminControllerFactory.php</exclude-pattern>
         <exclude-pattern>module/User/src/Controller/Factory/ApiAdminControllerFactory.php</exclude-pattern>
         <exclude-pattern>module/User/src/Mapper/Factory/ApiAppFactory.php</exclude-pattern>
         <exclude-pattern>module/User/src/Service/Factory/PwnedPasswordsFactory.php</exclude-pattern>