Overview The Administrador (Administrator) role has unrestricted access to all platform features. Administrators can manage users, create and modify destinations, upload multimedia content, and perform all operations available to editors and visitors.
The administrator role is identified as "administrador" in the database and code.
Core Capabilities User Management Administrators have complete control over user accounts:
View All Users List and view details of all registered users
Assign Roles Change user roles between visitante, editor, and administrador
Delete Users Permanently remove user accounts from the system
View Any Profile Access any user’s profile information
List All Users @router.get ( "/listar" , dependencies = [Depends(require_admin)]) def listar_usuarios ( db = Depends(get_database)): repo = UsuarioRepositoryImpl(db) uc = ListarUsuarios(repo) return [u. __dict__ for u in uc.ejecutar()]
Endpoint: GET /usuarios/listarSource: src/infrastructure/api/routers/usuario_router.py:83-87Assign User Roles @router.patch ( "/ {user_id} /rol" , dependencies = [Depends(require_admin)]) def asignar_rol ( user_id : str , data : dict , db = Depends(get_database)): nuevo_rol = data.get( "rol" ) repo = UsuarioRepositoryImpl(db) use_case = AsignarRol(repo) usuario = use_case.ejecutar(user_id, nuevo_rol) return { "message" : "Rol actualizado correctamente" , "nuevo_rol" : usuario.rol}
Endpoint: PATCH /usuarios/{user_id}/rolSource: src/infrastructure/api/routers/usuario_router.py:202-220Role changes take effect immediately. Ensure you understand the implications before modifying user roles.
Delete Users @router.delete ( "/borrar/ {user_id} " , dependencies = [Depends(require_admin)]) def eliminar_usuario ( user_id : str , db = Depends(get_database)): repo = UsuarioRepositoryImpl(db) uc = EliminarUsuario(repo) usuario = uc.ejecutar(user_id) return { "message" : "Usuario eliminado" , "usuario" : usuario. __dict__ }
Endpoint: DELETE /usuarios/borrar/{user_id}Source: src/infrastructure/api/routers/usuario_router.py:104-114Destination Management Administrators have full CRUD access to destinations:
Create Destinations @router.post ( "/" ) def crear_destino ( data : dict , db = Depends(get_database), admin = Depends(require_admin)): repo = DestinoRepositoryImpl(db) use_case = AgregarDestinoUseCase(repo) destino_id = use_case.ejecutar(data) return { "message" : "Destino creado correctamente" , "id" : destino_id}
Endpoint: POST /destinos/Source: src/infrastructure/api/routers/destinos_router.py:20-28Edit Destinations @router.put ( "/ {id} " ) def editar_destino ( id : str , data : dict , db = Depends(get_database), admin = Depends(require_admin)): repo = DestinoRepositoryImpl(db) use_case = EditarDestinoUseCase(repo) use_case.ejecutar( id , data) return { "message" : "Destino actualizado correctamente" }
Endpoint: PUT /destinos/{id}Source: src/infrastructure/api/routers/destinos_router.py:36-44Delete Destinations Administrators can permanently delete destinations after removing all multimedia:
@router.delete ( "/ {destino_id} /force" ) def eliminar_destino_fisico ( destino_id : str , db = Depends(get_database), admin = Depends(require_admin)): repo = DestinoRepositoryImpl(db) destino = repo.obtener_por_id(destino_id) # Validate no multimedia attached multimedia_actual = destino.get( "multimedia" , []) if multimedia_actual: raise HTTPException( status_code = 400 , detail = "Este destino tiene archivos multimedia. Elimínelos primero." ) # Delete from database and Cloudinary use_case = EliminarDestinoUseCase(repo) eliminado = use_case.eliminar_fisico(destino_id) cloudinary.api.delete_folder( f "destinations/ { destino_id } " )
Endpoint: DELETE /destinos/{destino_id}/forceSource: src/infrastructure/api/routers/destinos_router.py:56-91Destinations must have all multimedia removed before deletion. The system enforces this validation.
Administrators control multimedia uploads to Cloudinary:
@router.post ( "/ {id} /multimedia" ) async def subir_multimedia_destino ( id : str , files : List[UploadFile] = File( ... ), db = Depends(get_database), admin = Depends(require_admin) ): # Validates 1-3 files per request # Maximum 10 files per destination # Uploads to cloudinary.com/destinations/{id}/
Endpoint: POST /destinos/{id}/multimediaSource: src/infrastructure/api/routers/destinos_router.py:96-201Constraints:
1-3 files per request
Maximum 10 files per destination
Supports images and videos
Automatic Cloudinary organization
@router.delete ( "/ {id} /multimedia" ) async def eliminar_multimedia_destino ( id : str , public_id : str , db = Depends(get_database), admin = Depends(require_admin) ): # Removes from both MongoDB and Cloudinary use_case = EliminarMultimediaDestinoUseCase(repo) eliminado_db = await use_case.execute( id , public_id) cloudinary.uploader.destroy(public_id, resource_type = tipo_cloudinary)
Endpoint: DELETE /destinos/{id}/multimedia?public_id={public_id}Source: src/infrastructure/api/routers/destinos_router.py:205-254Route Management Administrators inherit all editor permissions for route management. See the Editor Role documentation for route operations.
Self-Management Privileges Administrators can update any user profile, including their own:
@router.put ( "/actualizar/ {user_id} " ) def actualizar_usuario ( user_id : str , data : dict , token_data = Depends(get_current_user)): # Admin can update any user if token_data.id != user_id and token_data.rol != "admin" : raise HTTPException( status_code = 403 , detail = "No tienes permisos" ) # Admin can change roles if token_data.rol == "admin" : rol = data.get( "rol" )
Endpoint: PUT /usuarios/actualizar/{user_id}Source: src/infrastructure/api/routers/usuario_router.py:34-78Permission Enforcement The require_admin dependency ensures only administrators can access protected endpoints:
def require_admin ( request : Request): """ Acceso total. """ return _require_role(request, [ "administrador" ])
Source: src/infrastructure/security/jwt_utils.py:102-106Usage Example @router.delete ( "/borrar/ {user_id} " , dependencies = [Depends(require_admin)]) def eliminar_usuario ( user_id : str , db = Depends(get_database)): # Only administrators can execute this endpoint
Admin-Only Endpoints The following endpoints require administrator privileges:
Endpoint Method Purpose /usuarios/listarGET List all users /usuarios/borrar/{user_id}DELETE Delete user account /usuarios/{user_id}/rolPATCH Assign user role /destinos/POST Create destination /destinos/{id}PUT Update destination /destinos/{destino_id}/forceDELETE Delete destination /destinos/{id}/multimediaPOST Upload multimedia /destinos/{id}/multimediaDELETE Delete multimedia
Inherited Permissions Administrators automatically inherit all permissions from:
Editor Permissions Route creation, updates, and status management
Visitor Permissions Browsing, favorites, and tracking features
Best Practices Security Considerations:
Limit the number of administrator accounts
Regularly audit admin actions
Use role assignment carefully
Ensure multimedia is removed before deleting destinations
Administrators should use the visitor and editor interfaces for routine tasks to minimize the risk of accidental modifications.