diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 9680942..f223bf2 100755
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -2,7 +2,6 @@
 class AdminController < ApplicationController
   before_action :administrative, if: :admin_param, except: [:get_user]
   skip_before_action :has_info
-  layout false, only: [:get_all_users]
 
   def dashboard
   end
@@ -34,9 +33,16 @@ class AdminController < ApplicationController
   def update_user
     user = User.find_by_id(params[:admin_id])
     if user
-      user.update(params[:user].reject { |k| k == ("password" || "password_confirmation") })
-      pass = params[:user][:password]
-      user.password = pass if !(pass.blank?)
+      # VULNERABILITY: Using params[:user] directly without strong parameters
+      # This allows mass assignment of any user attribute including 'admin'
+      # See wiki: Extras:-Mass-Assignment-Admin-Role.md
+      user_params = params[:user].to_unsafe_h if params[:user].respond_to?(:to_unsafe_h)
+      user_params ||= params[:user]
+
+      # Filter out password fields if blank to avoid validation errors
+      filtered_params = user_params.reject { |k, v| (k == "password" || k == "password_confirmation") && v.blank? }
+
+      user.update(filtered_params)
       user.save!
       flash[:success] = "User updated successfully"
       redirect_to admin_get_all_users_path(current_user.id)
diff --git a/app/views/admin/get_all_users.html.erb b/app/views/admin/get_all_users.html.erb
index d262be1..1a706ad 100755
--- a/app/views/admin/get_all_users.html.erb
+++ b/app/views/admin/get_all_users.html.erb
@@ -1,41 +1,53 @@
-<div id="dt_example" class="example_alt_pagination">
-    <table class="table table-striped table-hover table-bordered pull-left" id="data-table">
-      <thead>
-        <tr>
-          <th>
-            Name
-          </th>
-          <th>
-            Email
-          </th>
-          <th>
-            Admin User
-          </th>
-          <th>
-            Action
-          </th>
-        </tr>
-      </thead>
-      <tbody>
-       <% @users.each do |u|%>
-      <tr>
-            <td style="word-wrap:break-word;">
-              <%= "#{u.first_name} #{u.last_name}"%>
-            </td>
-            <td>
-              <%= u.email%>
-            </td>
-            <td>
-              <%= u.admin ? %{<span class="fs1" aria-label="check" data-icon="&#xe0fe;"}.html_safe : nil %>
-            </td>
-            <td>
-              <%= link_to "Edit", admin_get_user_path(u.id), {:style => "width:70px", :class => "btn btn-inverse"}%>
-            </td>
-          </tr>
-     <% end %>
-      </tbody>
-    </table>
-    <div class="clearfix">
+<div class="container-fluid">
+  <!-- Header -->
+  <div class="row mb-4">
+    <div class="col-12">
+      <h2 class="mb-3">
+        <i class="bi bi-people-fill text-primary"></i> Manage Users
+      </h2>
+      <p class="text-muted">View and manage all system users</p>
+    </div>
+  </div>
+
+  <!-- Users Table -->
+  <div class="row">
+    <div class="col-12">
+      <div class="card shadow-sm">
+        <div class="card-body">
+          <div id="dt_example" class="example_alt_pagination">
+            <table class="table table-striped table-hover table-bordered" id="data-table">
+              <thead>
+                <tr>
+                  <th>Name</th>
+                  <th>Email</th>
+                  <th>Admin User</th>
+                  <th>Action</th>
+                </tr>
+              </thead>
+              <tbody>
+                <% @users.each do |u| %>
+                  <tr>
+                    <td style="word-wrap:break-word;">
+                      <%= "#{u.first_name} #{u.last_name}" %>
+                    </td>
+                    <td>
+                      <%= u.email %>
+                    </td>
+                    <td class="text-center">
+                      <%= u.admin ? '<i class="bi bi-check-circle-fill text-success" title="Admin"></i>'.html_safe : '<i class="bi bi-dash-circle text-muted" title="Not Admin"></i>'.html_safe %>
+                    </td>
+                    <td>
+                      <%= link_to admin_get_user_path(u.id), class: "btn btn-sm btn-outline-primary" do %>
+                        <i class="bi bi-pencil"></i> Edit
+                      <% end %>
+                    </td>
+                  </tr>
+                <% end %>
+              </tbody>
+            </table>
+          </div>
+        </div>
+      </div>
     </div>
   </div>
 </div>