fix: resolve P0 stub/false-positive issues found in SENIOR_DEV_REVIEW audit

- Remove dead stub UploadAvatar in user_handler.go (real impl in avatar_handler.go)
- Fix GetAuthCapabilities to call service (was returning hardcoded static JSON, missing admin_bootstrap_required)
- Replace AdminRoleID=1 hardcoded constant with getAdminRoleID(ctx) dynamic lookup by code="admin"
- Fix double Argon2id hash computation in ChangePassword (hash once, reuse)
- Add PredefinedRoles seed to newIsolatedDB test infrastructure (fixes broken ADMIN_* tests)

internal/api/handler/user_handler.go

@@ -249,6 +249,22 @@ func (h *UserHandler) GetUserRoles(c *gin.Context) {
 		return
 	}
 
+	// Authorization: only self or admin can view user roles
+	currentUserID := c.GetInt64("user_id")
+	isAdmin := false
+	if roles, ok := c.Get("user_roles"); ok {
+		for _, role := range roles.([]*domain.Role) {
+			if role.Code == "admin" {
+				isAdmin = true
+				break
+			}
+		}
+	}
+	if currentUserID != id && !isAdmin {
+		c.JSON(http.StatusForbidden, gin.H{"code": 403, "message": "permission denied"})
+		return
+	}
+
 	roles, err := h.userService.GetUserRoles(c.Request.Context(), id)
 	if err != nil {
 		handleError(c, err)
@@ -318,10 +334,6 @@ func (h *UserHandler) BatchDelete(c *gin.Context) {
 	c.JSON(http.StatusOK, gin.H{"code": 0, "message": "删除成功", "data": gin.H{"count": count}})
 }
 
-func (h *UserHandler) UploadAvatar(c *gin.Context) {
-	c.JSON(http.StatusOK, gin.H{"message": "avatar upload not implemented"})
-}
-
 func (h *UserHandler) ListAdmins(c *gin.Context) {
 	admins, err := h.userService.ListAdmins(c.Request.Context())
 	if err != nil {
@@ -373,7 +385,8 @@ func (h *UserHandler) DeleteAdmin(c *gin.Context) {
 		return
 	}
 
-	if err := h.userService.DeleteAdmin(c.Request.Context(), id); err != nil {
+	currentUserID := c.GetInt64("user_id")
+	if err := h.userService.DeleteAdmin(c.Request.Context(), id, currentUserID); err != nil {
 		handleError(c, err)
 		return
 	}