admin: deactivate/activate/delete endpoints for /admin/users

Three new POST endpoints on the existing admin blueprint, all guarded
by @require_admin and CSRF (per the global before_request hook):

  /admin/users/<id>/deactivate  flips active=False (refuses self)
  /admin/users/<id>/activate    flips active=True
  /admin/users/<id>/delete      hard delete with safeties:
    - refuses self-delete
    - refuses delete-of-the-last-admin
    - refuses if the user owns Servers, Blueprints, or custom
      Overlays (operator deletes those first via existing UIs)
    - nulls out Job.user_id (jobs stay as audit trail; FK is nullable)

admin_users.html grows an Active column + an Actions column with the
appropriate button per row (none for self, Deactivate/Activate
toggle, Delete-with-confirmation modal). Modal pattern mirrors
blueprint_detail.html (same modal-close/modal-open data attrs,
csrf_token hidden field).

Refusal responses are 409 with a plain-text body (matches the
blueprint-in-use refusal at blueprint_routes.py:182). No flash
infrastructure introduced; consistent with the rest of the codebase.

All 367 existing tests still pass.

l4d2web/routes/page_routes.py

@@ -1,7 +1,7 @@
 import json
 
 from flask import Blueprint, Response, redirect, render_template, request
-from sqlalchemy import select
+from sqlalchemy import func, select, update
 
 from l4d2web.auth import current_user, require_admin, require_login
 from l4d2web.db import session_scope
@@ -55,6 +55,76 @@ def admin_users() -> str:
     return render_template("admin_users.html", users=users)
 
 
+@bp.post("/admin/users/<int:user_id>/deactivate")
+@require_admin
+def admin_users_deactivate(user_id: int) -> Response:
+    actor = current_user()
+    assert actor is not None
+    if actor.id == user_id:
+        return Response("cannot deactivate yourself", status=409)
+    with session_scope() as db:
+        target = db.scalar(select(User).where(User.id == user_id))
+        if target is None:
+            return Response(status=404)
+        target.active = False
+    return redirect("/admin/users")
+
+
+@bp.post("/admin/users/<int:user_id>/activate")
+@require_admin
+def admin_users_activate(user_id: int) -> Response:
+    with session_scope() as db:
+        target = db.scalar(select(User).where(User.id == user_id))
+        if target is None:
+            return Response(status=404)
+        target.active = True
+    return redirect("/admin/users")
+
+
+@bp.post("/admin/users/<int:user_id>/delete")
+@require_admin
+def admin_users_delete(user_id: int) -> Response:
+    actor = current_user()
+    assert actor is not None
+    if actor.id == user_id:
+        return Response("cannot delete yourself", status=409)
+
+    with session_scope() as db:
+        target = db.scalar(select(User).where(User.id == user_id))
+        if target is None:
+            return Response(status=404)
+
+        if target.admin:
+            other_admins = db.scalar(
+                select(func.count(User.id)).where(User.admin.is_(True), User.id != user_id)
+            ) or 0
+            if other_admins == 0:
+                return Response("cannot delete the last admin", status=409)
+
+        owned_servers = db.scalar(
+            select(func.count(Server.id)).where(Server.user_id == user_id)
+        ) or 0
+        owned_blueprints = db.scalar(
+            select(func.count(BlueprintModel.id)).where(BlueprintModel.user_id == user_id)
+        ) or 0
+        owned_overlays = db.scalar(
+            select(func.count(Overlay.id)).where(Overlay.user_id == user_id)
+        ) or 0
+        if owned_servers or owned_blueprints or owned_overlays:
+            return Response(
+                f"user owns content: {owned_servers} server(s), "
+                f"{owned_blueprints} blueprint(s), {owned_overlays} overlay(s) — "
+                "delete those first",
+                status=409,
+            )
+
+        # Job rows have nullable user_id — keep them as audit trail with the FK nulled out.
+        db.execute(update(Job).where(Job.user_id == user_id).values(user_id=None))
+        db.delete(target)
+
+    return redirect("/admin/users")
+
+
 @bp.get("/admin/jobs")
 @require_admin
 def admin_jobs() -> str:

l4d2web/templates/admin_users.html

@@ -6,14 +6,70 @@
 <section class="panel">
   <h1>Users</h1>
   <table class="table">
-    <thead><tr><th>Username</th><th>Admin</th><th>Created</th><th>Updated</th></tr></thead>
+    <thead>
+      <tr>
+        <th>Username</th>
+        <th>Admin</th>
+        <th>Active</th>
+        <th>Created</th>
+        <th>Updated</th>
+        <th>Actions</th>
+      </tr>
+    </thead>
     <tbody>
       {% for user in users %}
-      <tr><td>{{ user.username }}</td><td>{{ "yes" if user.admin else "no" }}</td><td>{{ user.created_at }}</td><td>{{ user.updated_at }}</td></tr>
+      <tr>
+        <td>{{ user.username }}</td>
+        <td>{{ "yes" if user.admin else "no" }}</td>
+        <td>{{ "yes" if user.active else "no" }}</td>
+        <td>{{ user.created_at }}</td>
+        <td>{{ user.updated_at }}</td>
+        <td>
+          {% if user.id == g.user.id %}
+            <span class="muted">you</span>
+          {% else %}
+            {% if user.active %}
+              <form method="post" action="/admin/users/{{ user.id }}/deactivate" class="inline-form">
+                <input type="hidden" name="csrf_token" value="{{ session.get('csrf_token', '') }}">
+                <button type="submit" class="button-secondary">Deactivate</button>
+              </form>
+            {% else %}
+              <form method="post" action="/admin/users/{{ user.id }}/activate" class="inline-form">
+                <input type="hidden" name="csrf_token" value="{{ session.get('csrf_token', '') }}">
+                <button type="submit" class="button-secondary">Activate</button>
+              </form>
+            {% endif %}
+            <button type="button" class="danger-outline" data-modal-open="delete-user-{{ user.id }}-modal">Delete</button>
+          {% endif %}
+        </td>
+      </tr>
       {% else %}
-      <tr><td colspan="4" class="muted">No users found.</td></tr>
+      <tr><td colspan="6" class="muted">No users found.</td></tr>
       {% endfor %}
     </tbody>
   </table>
 </section>
+
+{% for user in users %}
+{% if user.id != g.user.id %}
+<dialog id="delete-user-{{ user.id }}-modal" class="modal" aria-labelledby="delete-user-{{ user.id }}-title">
+  <div class="modal-header">
+    <h2 id="delete-user-{{ user.id }}-title">Delete user "{{ user.username }}"?</h2>
+    <button type="button" class="modal-close" data-modal-close aria-label="Close">&times;</button>
+  </div>
+  <div class="modal-body">
+    <p>This cannot be undone. Refused if the user owns servers, blueprints,
+       or custom overlays — delete those first.</p>
+    <p>For a reversible block, prefer Deactivate.</p>
+  </div>
+  <div class="modal-footer">
+    <button type="button" class="button-secondary" data-modal-close>Cancel</button>
+    <form method="post" action="/admin/users/{{ user.id }}/delete" class="inline-form">
+      <input type="hidden" name="csrf_token" value="{{ session.get('csrf_token', '') }}">
+      <button class="danger" type="submit">Delete</button>
+    </form>
+  </div>
+</dialog>
+{% endif %}
+{% endfor %}
 {% endblock %}