diff --git a/app/controllers/AuthController.php b/app/controllers/AuthController.php
index 40b36a3..e0309b8 100644
--- a/app/controllers/AuthController.php
+++ b/app/controllers/AuthController.php
@@ -4,6 +4,7 @@ class AuthController {
 public function showLoginForm($f3){
+ // store session errors or messages, then clear
 $f3->set('error', $f3->get('SESSION.login_error'));
 $f3->clear('SESSION.login_error');
@@ -21,7 +22,11 @@ class AuthController {
 $db = $f3->get('DB');
 // query for user
 $result = $db->exec(
- 'SELECT id, username, password, role FROM users WHERE username =? LIMIT 1', $username
+ 'SELECT u.id, u.username, u.password, u.role, r.role as role_name
+ FROM users u
+ LEFT JOIN roles r ON r.id = u.role
+ WHERE username =?
+ LIMIT 1', $username
 );
 // verifiy password
@@ -31,7 +36,9 @@ class AuthController {
 // valid
 $f3->set('SESSION.user', [
 'id'=> $user['id'],
- 'username' => $user['username']
+ 'username' => $user['username'],
+ 'role' => $user['role'],
+ 'role_name' => $user['role_name']
 ]);
 $f3->reroute('/dashboard');
diff --git a/app/controllers/UserController.php b/app/controllers/UserController.php
new file mode 100644
index 0000000..e17a6c4
--- /dev/null
+++ b/app/controllers/UserController.php
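Review bot: `WHERE username =?` is the only column left unqualified once the query joins `roles`; write it as `WHERE u.username = ?` so the statement cannot become ambiguous if `roles` ever gains a column of the same name. The `LEFT JOIN` deliberately keeps users whose `role` id has no matching row, which leaves `role_name` NULL for them; a one-line comment such as `// LEFT JOIN: a user with an unknown role id still logs in, role_name is NULL` would save the next reader from wondering whether that was intended. The enclosing login method starts and ends outside this hunk.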
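Review bot: Storing `role` and `role_name` in `SESSION.user` turns every later authorization decision into a check against a snapshot taken at login: UserController's `check_access` compares `SESSION.user.role_name`, so demoting or removing an admin has no effect until that user logs out, and the role should be re-read from the database per request (or on a short TTL) rather than trusted from the session copy. If the login path does not already rotate the session id before this write (not visible in the hunk), add `session_regenerate_id(true);` immediately ahead of `$f3->set('SESSION.user', ...)` to close session fixation. `role_name` can be NULL here because the lookup uses a `LEFT JOIN`; the strict `!== 'admin'` comparison downstream fails closed, but that reliance deserves a comment. The enclosing login method begins and ends outside this hunk.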
@@ -0,0 +1,62 @@
+get('SESSION.user');
+ if(!$current_user || $current_user['role_name'] !== 'admin'){
+ $f3->reroute('/login');
+ }
+ }
+
+ public function index($f3){
+
+ $this->check_access($f3);
+
+ $db = $f3->get('DB');
+ $users = $db->exec(
+ 'SELECT u.*, r.role AS role_name
+ FROM users u
+ LEFT JOIN roles r ON r.id = u.role
+ ORDER BY id ASC'
+ );
+ $f3->set('users', $users);
+
+ $f3->set('content', '../ui/views/user/index.html');
+ echo \Template::instance()->render('../ui/templates/layout.html');
+ }
+
+ public function editForm($f3){
+ $this->check_access($f3);
+
+ $user_id = (int) $f3->get('PARAMS.id');
+ $db = $f3->get('DB');
+
+ $rows = $db->exec(
+ 'SELECt * FROM users WHERE id = ? LIMIT 1',
+ [$user_id]
+ );
+ if(!$rows){
+ $f3->reroute('/users');
+ }
+ $f3->set('edit_user', $rows[0]);
+ $f3->set('content', '../ui/views/user/edit.html');
+ echo \Template::instance()->render('../ui/templates/layout.html');
+ }
+
+ public function update($f3){
+
+ $this->check_access($f3);
+
+ $user_id = (int) $f3->get('PARAMS.id');
+ $new_username = $f3->get('POST.username');
+ // $new_role = $f3->get('POST.role_name')
+ $db = $f3->get('DB');
+ $db->exec(
+ 'UPDATE users SET username = ? WHERE id =? LIMIT 1',
+ [$new_username, $user_id]);
+ $f3->reroute('/users');
+ }
+}
\ No newline at end of file
diff --git a/public/index.php b/public/index.php
index 6a51222..68579f3 100644
--- a/public/index.php
+++ b/public/index.php
@@ -72,4 +72,10 @@ $f3->route('POST /parsedown/preview', 'ParsedownPreview->view');
 // dashboard
 $f3->route('GET /dashboard', 'DashboardController->index');
+
+// additional routes
+$f3->route('GET /users', 'UserController->index');
+$f3->route('GET /user/@id/edit', 'UserController->editForm');
+$f3->route('POST /user/@id/update', 'UserController->update');
+
 $f3->run();
\ No newline at end of file
diff --git a/ui/views/user/edit.html b/ui/views/user/edit.html
new file mode 100644
index 0000000..8aae3f9
--- /dev/null
+++ b/ui/views/user/edit.html
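Review bot: `update()` passes `POST.username` straight into the UPDATE with no validation: a missing or empty field writes `''`/NULL, nothing bounds its length or format, and a duplicate name surfaces as a raw DB exception rather than a form error. No CSRF token check is visible on this state-changing POST either; unless the form and a route hook add one (the edit view is unreadable in this diff), any page an admin visits can drive a request to `/user/@id/update`. `index()` selects `u.*` and `editForm()` `SELECT *`, so the `password` hash column (which the AuthController query shows exists) is handed to the template context; select only the columns the views render. `check_access()` relies on `reroute()` terminating the request, which Fat-Free does by default, but the class header and the start of that method are truncated in this diff, so that cannot be confirmed here. A validation guard for `update()` would look like this:
```php
    $user_id = (int) $f3->get('PARAMS.id');
    // normalise and bound the name before it reaches the DB; 64 is a placeholder, match the column width
    $new_username = trim((string) $f3->get('POST.username'));
    if ($new_username === '' || mb_strlen($new_username) > 64) {
        $f3->reroute('/user/' . $user_id . '/edit');
    }
    // … unchanged: UPDATE users SET username … and reroute to /users …
```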
@@ -0,0 +1,24 @@ + + +
\ No newline at end of file diff --git a/ui/views/user/index.html b/ui/views/user/index.html new file mode 100644 index 0000000..5187e5a --- /dev/null +++ b/ui/views/user/index.html @@ -0,0 +1,18 @@ +| ID | Username | Role | Actions | +
|---|---|---|---|
| {{ @u.id }} | +{{ @u.username }} | +{{ @u.role_name }} ( {{ @u.role }} ) | +