fix(ui): show toast notification when user deletion returns an error

[crivetimihai]

Note: This PR was re-created from #3021 due to repository maintenance. Your code and branch are intact. @omorros please verify everything looks good.

🔗 Related Issue

Closes #3015

---

📝 Summary

When deleting a user returns a 4xx error (e.g. self-deletion, last
admin, or DB error), the error HTML was silently discarded by HTMX
because the global htmx:beforeSwap handler does not allow swaps
for user delete responses. The error was never shown to the admin.

This fix attaches hx-on::after-request to the delete button in
both the Jinja template (users_partial.html) and the
Python-generated card (admin.py). On any non-2xx response it
parses the error HTML, extracts the plain text, and calls the
already-existing showErrorMessage() function to display a toast.
No backend changes required.

---

🏷️ Type of Change

• Bug fix

---

🧪 Verification

Check	Command	Status
Lint suite	make lint	⏳
Unit tests	make test	⏳
Coverage ≥ 80%	make coverage	⏳

---

✅ Checklist

• Code formatted (make black isort pre-commit)
• Tests added/updated for changes
• Documentation updated (if applicable)
• No secrets or credentials committed

---

📓 Notes

Frontend-only fix. The admin_delete_user endpoint already returns
correct 400/403 responses with descriptive messages, this PR only
ensures those messages are surfaced to the user via the existing
toast system.

[omorros]

Hi @crivetimihai thanks for reopening this! I've verified the code, everything looks good, intact and matching my original changes. Ready for review whenever you get the chance. Thanks!

[marekdano]

Already approved on #3012

LGTM 🚀

[crivetimihai]

Review Summary

Rebased onto main (clean, no conflicts) and added test coverage.

Code Review

Correctness: The fix is sound. The global htmx:beforeSwap handler suppresses 4xx responses for elements without data-team-validation="true", which caused user delete errors to be silently swallowed. Adding hx-on::after-request on the delete button correctly intercepts the response after HTMX processes it, and only acts on !event.detail.successful — successful deletions (200 empty response + hx-swap="outerHTML" card removal) are unaffected.

Security: No XSS risk. Triple defense-in-depth:

1. Server-side: html.escape(str(e)) on exception text
2. Client-side: d.innerHTML → .textContent extraction strips all HTML
3. showErrorMessage() uses .textContent assignment (not innerHTML)

Consistency: This is the only hx-delete operation in the templates — other entity deletes use RedirectResponse with error query params. The showErrorMessage() toast pattern is already used elsewhere.

Performance: Frontend-only change, no new requests or DOM overhead.

Commits added

• test(ui): add test for delete button error handler attribute — verifies _render_user_card_html includes hx-on::after-request with handleDeleteUserError
• test(ui): add JS tests for handleDeleteUserError function — 3 JSDOM tests covering: text extraction from error HTML, empty responseText fallback, and no-op on success

Note

The PR includes some unrelated formatting changes in admin.py (SQL string collapsing, password requirements HTML). These are cosmetic and don't affect behavior.