Add styling to admin user management page and fix form submission

This commit improves the admin user management interface while preserving
the intentional mass assignment vulnerability for educational purposes.

Changes:
1. Removed layout false from admin controller to enable full styling
2. Modernized admin users table view with Bootstrap components:
   - Added page header with icon and description
   - Wrapped table in card component for better visual hierarchy
   - Updated admin indicator to use Bootstrap icons
   - Modernized Edit button styling

3. Fixed admin update_user action form submission error:
   - Previous code caused ForbiddenAttributesError in Rails
   - Used to_unsafe_h to explicitly bypass strong parameters
   - VULNERABILITY PRESERVED: This intentionally allows mass assignment
   - See wiki: Extras:-Mass-Assignment-Admin-Role.md
   - Fixed password field filtering to handle blank passwords correctly

The mass assignment vulnerability is maintained as a teaching example per
the OWASP RailsGoat mission. Students can learn about privilege escalation
attacks through the admin parameter.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

app/controllers/admin_controller.rb

@@ -2,7 +2,6 @@
 class AdminController < ApplicationController
   before_action :administrative, if: :admin_param, except: [:get_user]
   skip_before_action :has_info
-  layout false, only: [:get_all_users]
 
   def dashboard
   end
@@ -34,9 +33,16 @@ class AdminController < ApplicationController
   def update_user
     user = User.find_by_id(params[:admin_id])
     if user
-      user.update(params[:user].reject { |k| k == ("password" || "password_confirmation") })
-      pass = params[:user][:password]
-      user.password = pass if !(pass.blank?)
+      # VULNERABILITY: Using params[:user] directly without strong parameters
+      # This allows mass assignment of any user attribute including 'admin'
+      # See wiki: Extras:-Mass-Assignment-Admin-Role.md
+      user_params = params[:user].to_unsafe_h if params[:user].respond_to?(:to_unsafe_h)
+      user_params ||= params[:user]
+
+      # Filter out password fields if blank to avoid validation errors
+      filtered_params = user_params.reject { |k, v| (k == "password" || k == "password_confirmation") && v.blank? }
+
+      user.update(filtered_params)
       user.save!
       flash[:success] = "User updated successfully"
       redirect_to admin_get_all_users_path(current_user.id)

app/views/admin/get_all_users.html.erb

@@ -1,41 +1,53 @@
-<div id="dt_example" class="example_alt_pagination">
-    <table class="table table-striped table-hover table-bordered pull-left" id="data-table">
-      <thead>
-        <tr>
-          <th>
-            Name
-          </th>
-          <th>
-            Email
-          </th>
-          <th>
-            Admin User
-          </th>
-          <th>
-            Action
-          </th>
-        </tr>
-      </thead>
-      <tbody>
-       <% @users.each do |u|%>
-      <tr>
-            <td style="word-wrap:break-word;">
-              <%= "#{u.first_name} #{u.last_name}"%>
-            </td>
-            <td>
-              <%= u.email%>
-            </td>
-            <td>
-              <%= u.admin ? %{<span class="fs1" aria-label="check" data-icon="&#xe0fe;"}.html_safe : nil %>
-            </td>
-            <td>
-              <%= link_to "Edit", admin_get_user_path(u.id), {:style => "width:70px", :class => "btn btn-inverse"}%>
-            </td>
-          </tr>
-     <% end %>
-      </tbody>
-    </table>
-    <div class="clearfix">
+<div class="container-fluid">
+  <!-- Header -->
+  <div class="row mb-4">
+    <div class="col-12">
+      <h2 class="mb-3">
+        <i class="bi bi-people-fill text-primary"></i> Manage Users
+      </h2>
+      <p class="text-muted">View and manage all system users</p>
+    </div>
+  </div>
+
+  <!-- Users Table -->
+  <div class="row">
+    <div class="col-12">
+      <div class="card shadow-sm">
+        <div class="card-body">
+          <div id="dt_example" class="example_alt_pagination">
+            <table class="table table-striped table-hover table-bordered" id="data-table">
+              <thead>
+                <tr>
+                  <th>Name</th>
+                  <th>Email</th>
+                  <th>Admin User</th>
+                  <th>Action</th>
+                </tr>
+              </thead>
+              <tbody>
+                <% @users.each do |u| %>
+                  <tr>
+                    <td style="word-wrap:break-word;">
+                      <%= "#{u.first_name} #{u.last_name}" %>
+                    </td>
+                    <td>
+                      <%= u.email %>
+                    </td>
+                    <td class="text-center">
+                      <%= u.admin ? '<i class="bi bi-check-circle-fill text-success" title="Admin"></i>'.html_safe : '<i class="bi bi-dash-circle text-muted" title="Not Admin"></i>'.html_safe %>
+                    </td>
+                    <td>
+                      <%= link_to admin_get_user_path(u.id), class: "btn btn-sm btn-outline-primary" do %>
+                        <i class="bi bi-pencil"></i> Edit
+                      <% end %>
+                    </td>
+                  </tr>
+                <% end %>
+              </tbody>
+            </table>
+          </div>
+        </div>
+      </div>
     </div>
   </div>
 </div>