More iteration

backend/app/api/v1/auth.py

@@ -10,9 +10,10 @@ from ...core.security import verify_password, get_password_hash, create_access_t
 from ...models.models import User, UserRole, PasswordResetToken
 from ...schemas import (
     UserCreate, UserResponse, Token, LoginRequest, MessageResponse,
-    ForgotPasswordRequest, ResetPasswordRequest
+    ForgotPasswordRequest, ResetPasswordRequest, ChangePasswordRequest
 )
 from ...services.email_service import email_service
+from ...api.dependencies import get_current_active_user
 
 router = APIRouter()
 
@@ -217,3 +218,27 @@ async def reset_password(
     db.commit()
     
     return {"message": "Password has been reset successfully. You can now log in with your new password."}
+
+
+@router.post("/change-password", response_model=MessageResponse)
+async def change_password(
+    request: ChangePasswordRequest,
+    current_user: User = Depends(get_current_active_user),
+    db: Session = Depends(get_db)
+):
+    """Change password for authenticated user"""
+    # Verify current password
+    if not verify_password(request.current_password, current_user.hashed_password):
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Current password is incorrect"
+        )
+    
+    # Update password
+    hashed_password = get_password_hash(request.new_password)
+    current_user.hashed_password = hashed_password
+    current_user.updated_at = datetime.utcnow()
+    
+    db.commit()
+    
+    return {"message": "Password has been changed successfully."}

backend/app/api/v1/users.py

@@ -65,6 +65,32 @@ async def get_user(
     return user
 
 
+@router.put("/{user_id}", response_model=UserResponse)
+async def update_user(
+    user_id: int,
+    user_update: UserUpdate,
+    current_user: User = Depends(get_admin_user),
+    db: Session = Depends(get_db)
+):
+    """Update user by ID (admin only)"""
+    user = db.query(User).filter(User.id == user_id).first()
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="User not found"
+        )
+    
+    update_data = user_update.model_dump(exclude_unset=True)
+    
+    for field, value in update_data.items():
+        setattr(user, field, value)
+    
+    db.commit()
+    db.refresh(user)
+    
+    return user
+
+
 @router.delete("/{user_id}", response_model=MessageResponse)
 async def delete_user(
     user_id: int,

backend/app/schemas/__init__.py

@@ -9,6 +9,7 @@ from .schemas import (
     LoginRequest,
     ForgotPasswordRequest,
     ResetPasswordRequest,
+    ChangePasswordRequest,
     MembershipTierBase,
     MembershipTierCreate,
     MembershipTierUpdate,
@@ -35,6 +36,7 @@ __all__ = [
     "LoginRequest",
     "ForgotPasswordRequest",
     "ResetPasswordRequest",
+    "ChangePasswordRequest",
     "MembershipTierBase",
     "MembershipTierCreate",
     "MembershipTierUpdate",

backend/app/schemas/schemas.py

@@ -22,6 +22,7 @@ class UserUpdate(BaseModel):
     last_name: Optional[str] = Field(None, min_length=1, max_length=100)
     phone: Optional[str] = None
     address: Optional[str] = None
+    role: Optional[UserRole] = None
 
 
 class UserResponse(UserBase):
@@ -63,6 +64,11 @@ class ResetPasswordRequest(BaseModel):
     new_password: str = Field(..., min_length=8)
 
 
+class ChangePasswordRequest(BaseModel):
+    current_password: str = Field(..., min_length=1)
+    new_password: str = Field(..., min_length=8)
+
+
 # Membership Tier Schemas
 class MembershipTierBase(BaseModel):
     name: str = Field(..., min_length=1, max_length=100)