# Admin Portal Backend — Progress

## Status: COMPLETE (initial implementation)

## Decisions Made

- Used `get_current_superuser` dependency (already existed in `src/apps/auth/utils/auth.py`) to guard all admin endpoints.
- `AdminAuditLog.log()` is a classmethod that flush-then-returns so callers can commit at the right time.
- `impersonated_merchant_id` added to `AuthSession` — migration `d4e5f6a7b8c9` handles schema change.
- `get_current_merchant()` updated to honor impersonation: checks the active session for `impersonated_merchant_id` before falling back to the normal MerchantUsers join.
- Transactions model uses `ocurred_at` (typo column) and `txn_amount` (not `amount` / `created_at`) — services.py uses these correct names.
- `MerchantUsers` has no `deleted_at` column — soft-delete of merchant_users on merchant delete was intentionally skipped.
- User model uses `hashed_password` field and `is_active`/`is_verified` (not `is_user_active`/`is_user_verified` which are hybrid properties).
- Used `src.core.utils.password.encrypt_password` for password hashing (bcrypt, same as rest of codebase).
- Used `_model_to_dict()` helper in router.py instead of `._asdict()` (which is not available on all SQLAlchemy models).

## Blockers

None. All dependencies were existing.