From 221eb6a1a19ccaa1b3ae41412f76d2ea9406c850 Mon Sep 17 00:00:00 2001
From: Jordan Ramos
Date: Wed, 24 Jun 2026 17:01:49 -0600
Subject: [PATCH] Hide admin-only actions from non-Admin activity feed
Non-Admin users should not see user management events (create, delete, group changes, password resets), impersonation events, or admin-only compliance operations (config reconcile, upload rollback) in the Recent Activity panel.
---
 backend/server.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/backend/server.js b/backend/server.js
index 1bf59ff..4a9c357 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -164,7 +164,14 @@ app.get('/api/recent-activity', requireAuth(), async (req, res) => {
 // Hide impersonation events from non-Admin users
 const excludedActions = ['login', 'logout', 'login_failed'];
 if (req.user.group !== 'Admin') {
- excludedActions.push('impersonate_start', 'impersonate_stop');
+ // Hide admin-only actions from non-Admin users
+ excludedActions.push(
+ 'impersonate_start', 'impersonate_stop',
+ 'create_user', 'delete_user', 'update_user',
+ 'added_user', 'deleted_user', 'group_change',
+ 'toggle_active', 'password_reset',
+ 'compliance_config_reconcile', 'compliance_upload_rollback'
+ );
 }
 const { rows } = await pool.query(
 `SELECT username, action, entity_type, entity_id, details, created_at
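Review bot: The added `excludedActions.push(...)` is a deny-list, so it fails open: any audit action not named here, including whatever admin-only action is added next, will appear in the non-Admin feed, and the `create_user`/`added_user` and `delete_user`/`deleted_user` pairs suggest the action names are not defined in one place. Consider hoisting the list to a module-level `const ADMIN_ONLY_ACTIONS = Object.freeze([...])` shared with the code that writes these audit rows, or inverting it into an allow-list of actions non-Admin users may see, so an unlisted action is hidden rather than shown. The comment on the hunk's first context line, `// Hide impersonation events from non-Admin users`, now describes only part of the exclusion and should read `// Non-Admin users only see a filtered subset of audit actions`. The handler body and the `pool.query` call continue past the end of the hunk, so how `excludedActions` reaches the query is not visible here.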