diff --git a/srcs/auth/src/controllers/admin.controller.ts b/srcs/auth/src/controllers/admin.controller.ts
index 8570be56..358ddb16 100644
--- a/srcs/auth/src/controllers/admin.controller.ts
+++ b/srcs/auth/src/controllers/admin.controller.ts
@@ -77,7 +77,8 @@ export async function updateUserHandler(
     });
   }
 
-  if (role !== UserRole.USER && role !== UserRole.ADMIN) {
+  const validRoles = Object.values(UserRole);
+  if (!validRoles.includes(role)) {
     return reply.code(HTTP_STATUS.BAD_REQUEST).send({
       error: {
         message: ERROR_MESSAGES.INVALID_ROLE,
@@ -170,15 +171,15 @@ export async function deleteUserHandler(
   req: FastifyRequest,
   reply: FastifyReply,
 ) {
-  // Récupérer les informations admin déjà validées par verifyAdminRole
-  const adminUserId = (req as any).adminUserId;
-  const adminUsername = (req as any).adminUsername;
+  // Récupérer les informations verifyAdminRole
+  const authUser = (req as any).authUser;
   const targetUserId = Number((req.params as any).id);
 
   logger.info({
     event: 'admin_delete_user_attempt',
-    admin: adminUsername,
-    adminUserId,
+    actor: authUser.username,
+    actorId: authUser.id,
+    actorRole: authUser.role,
     targetUserId,
   });
 
@@ -192,7 +193,7 @@ export async function deleteUserHandler(
   }
 
   // Empêcher l'auto-suppression
-  if (targetUserId === adminUserId) {
+  if (targetUserId === authUser.id) {
     return reply.code(HTTP_STATUS.BAD_REQUEST).send({
       error: {
         message: ERROR_MESSAGES.SELF_DELETION_FORBIDDEN,
@@ -218,7 +219,8 @@ export async function deleteUserHandler(
 
     logger.info({
       event: 'admin_delete_user_success',
-      admin: adminUsername,
+      actor: authUser.username,
+      actorRole: authUser.role,
       targetUserId,
       targetUsername,
     });
@@ -229,7 +231,7 @@ export async function deleteUserHandler(
   } catch (err: any) {
     logger.error({
       event: 'admin_delete_user_error',
-      admin: adminUsername,
+      actor: authUser.username,
       targetUserId,
       err: err?.message || err,
     });
@@ -244,22 +246,22 @@ export async function deleteUserHandler(
 }
 
 /**
- * ADMIN ONLY - Désactiver la 2FA d'un utilisateur
+ * MODERATOR or ADMIN - Désactiver la 2FA d'un utilisateur
  */
 export async function adminDisable2FAHandler(
   this: FastifyInstance,
   req: FastifyRequest,
   reply: FastifyReply,
 ) {
-  // Récupérer les informations admin déjà validées par verifyAdminRole
-  const adminUserId = (req as any).adminUserId;
-  const adminUsername = (req as any).adminUsername;
+  // Récupérer les informations verifyModeratorRole
+  const authUser = (req as any).authUser;
   const targetUserId = Number((req.params as any).id);
 
   logger.info({
     event: 'admin_disable_2fa_attempt',
-    admin: adminUsername,
-    adminUserId,
+    actor: authUser.username,
+    actorId: authUser.id,
+    actorRole: authUser.role,
     targetUserId,
   });
 
@@ -299,7 +301,8 @@ export async function adminDisable2FAHandler(
 
     logger.info({
       event: 'admin_disable_2fa_success',
-      admin: adminUsername,
+      actor: authUser.username,
+      actorRole: authUser.role,
       targetUserId,
       targetUsername: targetUser.username,
     });
@@ -310,7 +313,7 @@ export async function adminDisable2FAHandler(
   } catch (err: any) {
     logger.error({
       event: 'admin_disable_2fa_error',
-      admin: adminUsername,
+      actor: authUser.username,
       targetUserId,
       err: err?.message || err,
     });
diff --git a/srcs/auth/src/index.ts b/srcs/auth/src/index.ts
index 9ec723f6..d0045546 100644
--- a/srcs/auth/src/index.ts
+++ b/srcs/auth/src/index.ts
@@ -3,7 +3,7 @@ import fastifyCookie from '@fastify/cookie';
 import fastifyJwt from '@fastify/jwt';
 import fastifyRateLimit from '@fastify/rate-limit';
 import { authRoutes } from './routes/auth.routes.js';
-import { adminRoutes } from './routes/admin.routes.js';
+import { adminRoutes, moderatorRoutes } from './routes/admin.routes.js';
 import { initAdminUser, initInviteUser } from './utils/init-users.js';
 import * as totpService from './services/totp.service.js';
 import * as onlineService from './services/online.service.js';
@@ -141,6 +141,7 @@ app.register(fastifyRateLimit, {
 
 app.register(authRoutes, { prefix: '/' });
 app.register(adminRoutes, { prefix: '/admin' });
+app.register(moderatorRoutes, { prefix: '/admin' });
 
 (async () => {
   try {
diff --git a/srcs/auth/src/routes/admin.routes.ts b/srcs/auth/src/routes/admin.routes.ts
index 227c2fd1..446370ad 100644
--- a/srcs/auth/src/routes/admin.routes.ts
+++ b/srcs/auth/src/routes/admin.routes.ts
@@ -10,7 +10,7 @@ import { UserRole, HTTP_STATUS, ERROR_MESSAGES, ERROR_RESPONSE_CODES } from '../
 
 /**
  * Pré-handler pour vérifier si l'utilisateur est administrateur
- * Ajoute adminUserId et adminUsername a la requête
+ * Ajoute authUser (id, username, role) à la requête
  */
 export async function verifyAdminRole(req: FastifyRequest, reply: FastifyReply) {
   const idHeader = (req.headers as any)['x-user-id'];
@@ -31,8 +31,42 @@ export async function verifyAdminRole(req: FastifyRequest, reply: FastifyReply)
     });
   }
 
-  (req as any).adminUserId = userId;
-  (req as any).adminUsername = username;
+  (req as any).authUser = {
+    id: userId,
+    username,
+    role: authService.getUserRole(userId),
+  };
+}
+
+/**
+ * Pré-handler pour vérifier si l'utilisateur est modérateur ou administrateur
+ * Permet aux modérateurs de désactiver la 2FA et lister les utilisateurs
+ * Ajoute authUser (id, username, role) à la requête
+ */
+export async function verifyModeratorRole(req: FastifyRequest, reply: FastifyReply) {
+  const idHeader = (req.headers as any)['x-user-id'];
+  const userId = idHeader ? Number(idHeader) : null;
+  const username = (req.headers as any)['x-user-name'] || null;
+
+  if (!userId || !authService.hasRole(userId, UserRole.MODERATOR)) {
+    req.log.warn({
+      event: 'moderator_access_forbidden',
+      user: username,
+      userId,
+    });
+    return reply.code(HTTP_STATUS.FORBIDDEN).send({
+      error: {
+        message: ERROR_MESSAGES.FORBIDDEN,
+        code: ERROR_RESPONSE_CODES.FORBIDDEN,
+      },
+    });
+  }
+
+  (req as any).authUser = {
+    id: userId,
+    username,
+    role: authService.getUserRole(userId),
+  };
 }
 
 /**
@@ -43,20 +77,6 @@ export async function adminRoutes(app: FastifyInstance) {
   // Ajout du pré-handler pour toutes les routes admin
   app.addHook('onRequest', verifyAdminRole);
 
-  // Liste tous les utilisateurs
-  app.get(
-    '/users',
-    {
-      config: {
-        rateLimit: {
-          max: 50,
-          timeWindow: '1 minute',
-        },
-      },
-    },
-    listAllUsers,
-  );
-
   // Mettre à jour un utilisateur
   app.put(
     '/users/:id',
@@ -84,6 +104,29 @@ export async function adminRoutes(app: FastifyInstance) {
     },
     deleteUserHandler,
   );
+}
+
+/**
+ * Routes de modération
+ * Ces routes nécessitent un rôle modérateur ou supérieur
+ */
+export async function moderatorRoutes(app: FastifyInstance) {
+  // Ajout du pré-handler pour toutes les routes modérateur
+  app.addHook('onRequest', verifyModeratorRole);
+
+  // Liste tous les utilisateurs
+  app.get(
+    '/users',
+    {
+      config: {
+        rateLimit: {
+          max: 50,
+          timeWindow: '1 minute',
+        },
+      },
+    },
+    listAllUsers,
+  );
 
   // Désactiver la 2FA d'un utilisateur
   app.post(
diff --git a/srcs/auth/src/services/auth.service.ts b/srcs/auth/src/services/auth.service.ts
index 7e1162bb..07b1b6b5 100644
--- a/srcs/auth/src/services/auth.service.ts
+++ b/srcs/auth/src/services/auth.service.ts
@@ -212,10 +212,11 @@ export function hasRole(userId: number, requiredRole: UserRole): boolean {
   try {
     const userRole = getUserRole(userId);
 
-    // Hiérarchie des rôles : user < admin
+    // Hiérarchie des rôles : user < moderator < admin
     const roleHierarchy = {
       [UserRole.USER]: 0,
-      [UserRole.ADMIN]: 1,
+      [UserRole.MODERATOR]: 1,
+      [UserRole.ADMIN]: 2,
     };
 
     const userRoleLevel = roleHierarchy[userRole as UserRole] ?? 0;
diff --git a/srcs/auth/src/utils/constants.ts b/srcs/auth/src/utils/constants.ts
index 48aeeec5..d627d227 100644
--- a/srcs/auth/src/utils/constants.ts
+++ b/srcs/auth/src/utils/constants.ts
@@ -98,9 +98,13 @@ export const AUTH_CONFIG = {
 
 /**
  * Rôles utilisateur pour RBAC (Role-Based Access Control)
+ * USER: utilisateur standard
+ * MODERATOR: peut consulter la liste des utilisateurs et désactiver la 2FA
+ * ADMIN: contrôle total (view, update, delete users, disable 2FA)
  */
 export enum UserRole {
   USER = 'user',
+  MODERATOR = 'moderator',
   ADMIN = 'admin',
 }
 
@@ -135,7 +139,7 @@ export const ERROR_MESSAGES = {
   INVALID_USER_ID: 'Invalid user ID',
 
   // Role errors
-  INVALID_ROLE: 'Role must be either "user" or "admin"',
+  INVALID_ROLE: 'Role must be either "user" or "admin" or "moderator"',
 
   // Field errors
   MISSING_FIELDS: 'Username, email, and role are required',
diff --git a/srcs/nginx/src/html/admin.html b/srcs/nginx/src/html/admin.html
index 7db5377f..d34bb902 100644
--- a/srcs/nginx/src/html/admin.html
+++ b/srcs/nginx/src/html/admin.html
@@ -49,6 +49,11 @@
 			color: #92400e;
 		}
 
+		.badge.moderator {
+			background: linear-gradient(135deg, #ddd6fe, #c4b5fd);
+			color: #5b21b6;
+		}
+
 		.badge.user {
 			background: linear-gradient(135deg, #e5e7eb, #d1d5db);
 			color: #374151;
@@ -403,7 +408,7 @@ <h2 class="text-xl font-semibold text-gray-900 mb-4 flex items-center">
 		</div>
 
 		<!-- Stats Cards -->
-		<div class="grid grid-cols-1 md:grid-cols-5 gap-6 mb-8">
+		<div class="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-6 gap-6 mb-8">
 			<div class="stats-card">
 				<div class="flex items-center">
 					<div class="p-3 bg-blue-100 rounded-full">
@@ -449,6 +454,21 @@ <h2 class="text-xl font-semibold text-gray-900 mb-4 flex items-center">
 					</div>
 				</div>
 			</div>
+			<div class="stats-card">
+				<div class="flex items-center">
+					<div class="p-3 bg-purple-100 rounded-full">
+						<svg class="w-8 h-8 text-purple-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+							<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+								d="M12 4.354a4 4 0 110 5.292M15 21H3v-1a6 6 0 0112 0v1zm0 0h6v-1a6 6 0 00-9-5.197M13 7a4 4 0 11-8 0 4 4 0 018 0z">
+							</path>
+						</svg>
+					</div>
+					<div class="ml-4">
+						<p class="text-sm font-medium text-gray-600">Modérateurs</p>
+						<p id="moderator-count" class="text-3xl font-bold text-gray-900">-</p>
+					</div>
+				</div>
+			</div>
 			<div class="stats-card">
 				<div class="flex items-center">
 					<div class="p-3 bg-indigo-100 rounded-full">
@@ -465,8 +485,8 @@ <h2 class="text-xl font-semibold text-gray-900 mb-4 flex items-center">
 			</div>
 			<div class="stats-card">
 				<div class="flex items-center">
-					<div class="p-3 bg-purple-100 rounded-full">
-						<svg class="w-8 h-8 text-purple-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+					<div class="p-3 bg-slate-100 rounded-full">
+						<svg class="w-8 h-8 text-slate-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
 							<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
 								d="M16 7a4 4 0 11-8 0 4 4 0 018 0zM12 14a7 7 0 00-7 7h14a7 7 0 00-7-7z"></path>
 						</svg>
@@ -506,6 +526,7 @@ <h2 class="text-xl font-bold text-gray-900 flex items-center">
 					<select id="role-filter" class="form-input" style="max-width: 200px;">
 						<option value="">Tous les rôles</option>
 						<option value="admin">Administrateurs</option>
+						<option value="moderator">Modérateurs</option>
 						<option value="user">Utilisateurs</option>
 					</select>
 					<select id="2fa-filter" class="form-input" style="max-width: 200px;">
@@ -571,7 +592,8 @@ <h2 class="text-xl font-bold text-gray-900 flex items-center">
 					<div class="flex items-center gap-2">
 						<button id="prev-page-btn" onclick="previousPage()" class="btn btn-secondary btn-sm" disabled>
 							<svg class="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-								<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M15 19l-7-7 7-7"></path>
+								<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+									d="M15 19l-7-7 7-7"></path>
 							</svg>
 							Précédent
 						</button>
@@ -579,7 +601,8 @@ <h2 class="text-xl font-bold text-gray-900 flex items-center">
 						<button id="next-page-btn" onclick="nextPage()" class="btn btn-secondary btn-sm" disabled>
 							Suivant
 							<svg class="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-								<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 5l7 7-7 7"></path>
+								<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 5l7 7-7 7">
+								</path>
 							</svg>
 						</button>
 					</div>
@@ -633,9 +656,13 @@ <h3 class="text-xl font-bold text-gray-900 flex items-center">
 						</label>
 						<select id="edit-role" required class="form-input">
 							<option value="user">Utilisateur</option>
+							<option value="moderator">Modérateur</option>
 							<option value="admin">Administrateur</option>
 						</select>
 						<div id="edit-role-error" class="field-error" style="display: none;"></div>
+						<p class="text-xs text-gray-500 mt-1">
+							<strong>Modérateur:</strong> Peut désactiver la 2FA des utilisateurs uniquement
+						</p>
 					</div>
 					<div>
 						<label class="block text-sm font-semibold text-gray-700 mb-3">
@@ -651,7 +678,7 @@ <h3 class="text-xl font-bold text-gray-900 flex items-center">
 									class="btn btn-danger btn-sm" style="display: none;">
 									<svg class="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
 										<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
-											d="M18.364 18.364A9 9 0 005.636 5.636m12.728 12.728L5.636 5.636m12.728 12.728L18 18M5.636 5.636L6 6">
+											d="M19 7l-.867 12.142A2 2 0 0116.138 21H7.862a2 2 0 01-1.995-1.858L5 7m5 4v6m4-6v6m1-10V4a1 1 0 00-1-1h-4a1 1 0 00-1 1v3M4 7h16">
 										</path>
 									</svg>
 									Désactiver 2FA
@@ -865,8 +892,8 @@ <h3 class="text-lg font-semibold text-gray-900">${config.name}</h3>
 				currentUser = data.user;
 
 				// Check admin role
-				if (currentUser.role !== 'admin') {
-					showAlert('Accès refusé. Vous devez être administrateur.', 'error');
+				if (currentUser.role !== 'admin' && currentUser.role !== 'moderator') {
+					showAlert('Accès refusé. Permissions insuffisantes.', 'error');
 					setTimeout(() => window.location.href = '/', 3000);
 					return;
 				}
@@ -922,6 +949,7 @@ <h3 class="text-lg font-semibold text-gray-900">${config.name}</h3>
 		function updateStats() {
 			const totalUsers = users.length;
 			const adminCount = users.filter(user => user.role === 'admin').length;
+			const moderatorCount = users.filter(user => user.role === 'moderator').length;
 			const userCount = users.filter(user => user.role === 'user').length;
 			const twoFaCount = users.filter(user => user.is2FAEnabled).length;
 			const onlineCount = users.filter(user => user.online).length;
@@ -929,6 +957,7 @@ <h3 class="text-lg font-semibold text-gray-900">${config.name}</h3>
 			document.getElementById('total-users').textContent = totalUsers;
 			document.getElementById('online-count').textContent = onlineCount;
 			document.getElementById('admin-count').textContent = adminCount;
+			document.getElementById('moderator-count').textContent = moderatorCount;
 			document.getElementById('user-count').textContent = userCount;
 			document.getElementById('2fa-count').textContent = twoFaCount;
 		}
@@ -974,8 +1003,19 @@ <h3 class="text-lg font-semibold text-gray-900">${config.name}</h3>
 
 			tbody.innerHTML = paginatedUsers.map(user => {
 				const isProtected = isProtectedAccount(user.username);
-				const canDelete = user.id !== currentUser.id && !isProtected;
-				const canModify = !isProtected;
+				// Permissions basées sur le rôle
+				const canDelete = canDeleteUsers() && user.id !== currentUser.id && !isProtected;
+				const canModify = canModifyUsers() && !isProtected;
+				const showModifyButton = canModifyUsers(); // Admin seulement
+				const showDeleteButton = canDeleteUsers(); // Admin seulement
+
+				// Traduction des rôles
+				const roleLabels = {
+					'user': 'Utilisateur',
+					'moderator': 'Modérateur',
+					'admin': 'Administrateur'
+				};
+				const roleLabel = roleLabels[user.role] || user.role;
 
 				return `
                 <tr class="hover:bg-gray-50">
@@ -988,7 +1028,7 @@ <h3 class="text-lg font-semibold text-gray-900">${config.name}</h3>
                     </td>
                     <td class="px-6 py-4 whitespace-nowrap text-sm text-gray-900">${user.email}</td>
                     <td class="px-6 py-4 whitespace-nowrap">
-                        <span class="badge ${user.role}">${user.role}</span>
+                        <span class="badge ${user.role}">${roleLabel}</span>
                     </td>
                     <td class="px-6 py-4 whitespace-nowrap">
                         <span class="badge ${user.is2FAEnabled ? 'enabled' : 'disabled'}">
@@ -1002,7 +1042,7 @@ <h3 class="text-lg font-semibold text-gray-900">${config.name}</h3>
                     </td>
                     <td class="px-6 py-4 whitespace-nowrap text-sm font-medium">
                         <div class="table-actions">
-                            ${canModify ? `
+                            ${showModifyButton ? (canModify ? `
                                 <button onclick="editUser(${user.id})"
                                         class="btn btn-primary btn-sm"
                                         title="Modifier l'utilisateur">
@@ -1011,13 +1051,13 @@ <h3 class="text-lg font-semibold text-gray-900">${config.name}</h3>
                                     </svg>
                                 </button>
                             ` : `
-                                <button class="btn btn-secondary btn-sm" disabled title="Modification non autorisée">
+                                <button class="btn btn-secondary btn-sm" disabled title="Compte protégé">
                                     <svg class="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
                                         <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 15v2m-6 4h12a2 2 0 002-2v-6a2 2 0 00-2-2H6a2 2 0 00-2 2v6a2 2 0 002 2zm10-10V7a4 4 0 00-8 0v4h8z"></path>
                                     </svg>
                                 </button>
-                            `}
-                            ${canDelete ? `
+                            `) : ''}
+                            ${showDeleteButton ? (canDelete ? `
                                 <button onclick="deleteUser(${user.id}, '${user.username}')"
                                         class="btn btn-danger btn-sm"
                                         title="Supprimer l'utilisateur">
@@ -1026,12 +1066,23 @@ <h3 class="text-lg font-semibold text-gray-900">${config.name}</h3>
                                     </svg>
                                 </button>
                             ` : `
-                                <button class="btn btn-secondary btn-sm" disabled title="Suppression non autorisée">
+                                <button class="btn btn-secondary btn-sm" disabled title="${user.id === currentUser.id ? 'Impossible de se supprimer soi-même' : 'Compte protégé'}">
                                     <svg class="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
                                         <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M19 7l-.867 12.142A2 2 0 0116.138 21H7.862a2 2 0 01-1.995-1.858L5 7m5 4v6m4-6v6m1-10V4a1 1 0 00-1-1h-4a1 1 0 00-1 1v3M4 7h16"></path>
                                     </svg>
                                 </button>
-                            `}
+                            `) : ''}
+                            ${user.is2FAEnabled && canDisable2FA() ? `
+                                <button onclick="quickDisable2FA(${user.id}, '${user.username}')"
+                                        class="btn btn-danger btn-sm"
+                                        title="Désactiver la 2FA">
+                                    <svg class="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+                                            d="M12 15v2m-6 4h12a2 2 0 002-2v-6a2 2 0 00-2-2H6a2 2 0 00-2 2v6a2 2 0 002 2zm10-10V7a4 4 0 00-8 0v4h8z">
+                                        </path>
+                                    </svg>
+                                </button>
+                            ` : ''}
                         </div>
                     </td>
                 </tr>
@@ -1054,25 +1105,56 @@ <h3 class="text-lg font-semibold text-gray-900">${config.name}</h3>
 
 
 		async function editUser(userId) {
+			// Seuls les admins peuvent modifier
+			if (!canModifyUsers()) {
+				showAlert('Vous n\'avez pas les permissions pour modifier les utilisateurs', 'error');
+				return;
+			}
+
 			const user = users.find(u => u.id === userId);
 			if (!user) return;
 
+			const isProtected = isProtectedAccount(user.username);
+
 			document.getElementById('edit-user-id').value = user.id;
 			document.getElementById('edit-username').value = user.username;
 			document.getElementById('edit-email').value = user.email;
 			document.getElementById('edit-role').value = user.role;
 
+			// Désactiver les champs pour les comptes protégés
+			const usernameField = document.getElementById('edit-username');
+			const emailField = document.getElementById('edit-email');
+			const roleField = document.getElementById('edit-role');
+			const submitBtn = document.getElementById('edit-user-btn');
+
+			if (isProtected) {
+				usernameField.disabled = true;
+				emailField.disabled = true;
+				roleField.disabled = true;
+				submitBtn.disabled = true;
+				showAlert('Ce compte est protégé et ne peut pas être modifié', 'warning');
+			} else {
+				usernameField.disabled = false;
+				emailField.disabled = false;
+				roleField.disabled = false;
+				submitBtn.disabled = false;
+			}
+
 			// Update 2FA status
 			const twoFaStatus = document.getElementById('2fa-status');
 			const disable2FABtn = document.getElementById('disable-2fa-btn');
 
-			if (user.is2FAEnabled) {
+			if (user.is2FAEnabled && canDisable2FA()) {
+				twoFaStatus.textContent = '2FA activée';
+				twoFaStatus.className = 'badge enabled';
+				disable2FABtn.style.display = 'inline-flex';
+			} else if (user.is2FAEnabled) {
 				twoFaStatus.textContent = '2FA activée';
-				twoFaStatus.className = 'text-sm text-green-600';
-				disable2FABtn.style.display = 'inline-block';
+				twoFaStatus.className = 'badge enabled';
+				disable2FABtn.style.display = 'none';
 			} else {
 				twoFaStatus.textContent = '2FA désactivée';
-				twoFaStatus.className = 'text-sm text-gray-600';
+				twoFaStatus.className = 'badge disabled';
 				disable2FABtn.style.display = 'none';
 			}
 
@@ -1082,6 +1164,12 @@ <h3 class="text-lg font-semibold text-gray-900">${config.name}</h3>
 		async function updateUser(event) {
 			event.preventDefault();
 
+			// Vérifier les permissions
+			if (!canModifyUsers()) {
+				showAlert('Vous n\'avez pas les permissions pour modifier les utilisateurs', 'error');
+				return;
+			}
+
 			const userId = parseInt(document.getElementById('edit-user-id').value);
 			const username = document.getElementById('edit-username').value.trim();
 			const email = document.getElementById('edit-email').value.trim();
@@ -1092,6 +1180,12 @@ <h3 class="text-lg font-semibold text-gray-900">${config.name}</h3>
 			const currentEditUser = users.find(u => u.id === userId);
 			const isProtected = currentEditUser && isProtectedAccount(currentEditUser.username);
 
+			// Bloquer la modification des comptes protégés
+			if (isProtected) {
+				showAlert('Les comptes protégés ne peuvent pas être modifiés', 'error');
+				return;
+			}
+
 			// Validate form
 			if (!validateEditForm()) {
 				return;
@@ -1130,6 +1224,12 @@ <h3 class="text-lg font-semibold text-gray-900">${config.name}</h3>
 		}
 
 		async function deleteUser(userId, username) {
+			// Vérifier les permissions
+			if (!canDeleteUsers()) {
+				showAlert('Vous n\'avez pas les permissions pour supprimer les utilisateurs', 'error');
+				return;
+			}
+
 			// Check if it's the current user
 			if (userId === currentUser.id) {
 				showAlert('Vous ne pouvez pas supprimer votre propre compte', 'error');
@@ -1166,6 +1266,11 @@ <h3 class="text-lg font-semibold text-gray-900">${config.name}</h3>
 		}
 
 		async function disable2FA() {
+			if (!canDisable2FA()) {
+				showAlert('Vous n\'avez pas les permissions pour désactiver la 2FA', 'error');
+				return;
+			}
+
 			const userId = document.getElementById('edit-user-id').value;
 
 			if (!confirm('Êtes-vous sûr de vouloir désactiver la 2FA pour cet utilisateur ?')) {
@@ -1192,6 +1297,38 @@ <h3 class="text-lg font-semibold text-gray-900">${config.name}</h3>
 			}
 		}
 
+		/**
+		 * Désactive la 2FA rapidement depuis la table (sans ouvrir le modal)
+		 */
+		async function quickDisable2FA(userId, username) {
+			if (!canDisable2FA()) {
+				showAlert('Vous n\'avez pas les permissions pour désactiver la 2FA', 'error');
+				return;
+			}
+
+			if (!confirm(`Êtes-vous sûr de vouloir désactiver la 2FA pour ${username} ?`)) {
+				return;
+			}
+
+			try {
+				const response = await fetch(`/api/auth/admin/users/${userId}/disable-2fa`, {
+					method: 'POST',
+					credentials: 'include'
+				});
+
+				if (!response.ok) {
+					const data = await response.json();
+					throw new Error(data.error?.message || 'Erreur lors de la désactivation de la 2FA');
+				}
+
+				showAlert(`2FA désactivée avec succès pour ${username}`, 'success');
+				await loadUsers();
+			} catch (error) {
+				console.error('Disable 2FA error:', error);
+				showAlert(error.message || 'Erreur lors de la désactivation de la 2FA', 'error');
+			}
+		}
+
 		// === Pagination Functions ===
 		function updatePaginationControls() {
 			const totalPages = Math.ceil(filteredUsers.length / itemsPerPage);
@@ -1294,6 +1431,27 @@ <h3 class="text-lg font-semibold text-gray-900">${config.name}</h3>
 			return protectedAccounts.includes(username.toLowerCase());
 		}
 
+		// Role-based permission checks
+		function isAdmin() {
+			return currentUser && currentUser.role === 'admin';
+		}
+
+		function isModerator() {
+			return currentUser && currentUser.role === 'moderator';
+		}
+
+		function canModifyUsers() {
+			return isAdmin();
+		}
+
+		function canDeleteUsers() {
+			return isAdmin();
+		}
+
+		function canDisable2FA() {
+			return isAdmin() || isModerator();
+		}
+
 
 		function validateEditForm() {
 			clearValidationErrors('edit');
diff --git a/srcs/nginx/src/html/dashboard.html b/srcs/nginx/src/html/dashboard.html
index 36c0ed4b..a3e263ec 100644
--- a/srcs/nginx/src/html/dashboard.html
+++ b/srcs/nginx/src/html/dashboard.html
@@ -734,11 +734,12 @@ <h2 class="text-xl font-semibold text-gray-800 mb-4 flex items-center">
                     if (data.user) {
                         const user = data.user
                         const isAdmin = user.role === 'admin'
+                        const isModerator = user.role === 'moderator'
                         const has2FA = user.isTwoFactorAuthEnabled || user.is2FAEnabled
 
                         // En-tête avec avatar et nom
                         html += '<div class="flex items-start space-x-4 mb-6">'
-                        html += `<div class="flex-shrink-0 w-16 h-16 ${isAdmin ? 'bg-gradient-to-br from-purple-500 to-purple-600' : 'bg-gradient-to-br from-blue-500 to-blue-600'} text-white rounded-full flex items-center justify-center text-2xl font-bold shadow-lg">`
+                        html += `<div class="flex-shrink-0 w-16 h-16 ${isAdmin ? 'bg-gradient-to-br from-purple-500 to-purple-600' : isModerator ? 'bg-gradient-to-br from-indigo-500 to-indigo-600' : 'bg-gradient-to-br from-blue-500 to-blue-600'} text-white rounded-full flex items-center justify-center text-2xl font-bold shadow-lg">`
                         html += `${(user.username || 'U').charAt(0).toUpperCase()}`
                         html += `</div>`
                         html += '<div class="flex-1">'
@@ -750,6 +751,9 @@ <h2 class="text-xl font-semibold text-gray-800 mb-4 flex items-center">
                         if (isAdmin) {
                             html += `<span class="inline-flex items-center px-2.5 py-0.5 rounded-full text-xs font-semibold bg-purple-100 text-purple-800 border border-purple-200">`
                             html += `👑 Administrateur`
+                        } else if (isModerator) {
+                            html += `<span class="inline-flex items-center px-2.5 py-0.5 rounded-full text-xs font-semibold bg-indigo-100 text-indigo-800 border border-indigo-200">`
+                            html += `🔧 Modérateur`
                         } else {
                             html += `<span class="inline-flex items-center px-2.5 py-0.5 rounded-full text-xs font-semibold bg-gray-100 text-gray-800 border border-gray-200">`
                             html += `👤 Utilisateur`
@@ -815,8 +819,8 @@ <h2 class="text-xl font-semibold text-gray-800 mb-4 flex items-center">
                         html += `</svg>`
                         html += '<span class="text-xs font-semibold text-gray-500 uppercase tracking-wide">Rôle</span>'
                         html += '</div>'
-                        html += `<p class="mt-1 text-sm font-medium ${isAdmin ? 'text-purple-700' : 'text-gray-900'}">`
-                        html += `${isAdmin ? '👑 Administrateur' : '👤 Utilisateur'}`
+                        html += `<p class="mt-1 text-sm font-medium ${isAdmin ? 'text-purple-700' : isModerator ? 'text-indigo-700' : 'text-gray-900'}">`
+                        html += `${isAdmin ? '👑 Administrateur' : isModerator ? '🔧 Modérateur' : '👤 Utilisateur'}`
                         html += `</p>`
                         html += '</div>'
 
@@ -837,7 +841,7 @@ <h2 class="text-xl font-semibold text-gray-800 mb-4 flex items-center">
                         html += '</div>'
 
                         // Lien admin si applicable
-                        if (isAdmin) {
+                        if (isAdmin || isModerator) {
                             html += `<div class="mt-6 pt-4 border-t border-gray-200">`
                             html += `<a href="/admin" class="inline-flex items-center justify-center w-full px-4 py-3 bg-gradient-to-r from-purple-600 to-purple-700 hover:from-purple-700 hover:to-purple-800 text-white text-sm font-semibold rounded-lg transition-all shadow-md hover:shadow-lg">`
                             html += `<svg class="w-5 h-5 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">`
diff --git a/srcs/nginx/src/types/react-types.ts b/srcs/nginx/src/types/react-types.ts
index 2931e23b..2bac82a9 100644
--- a/srcs/nginx/src/types/react-types.ts
+++ b/srcs/nginx/src/types/react-types.ts
@@ -11,8 +11,9 @@ export enum MenuActions {
 }
 
 export enum Roles {
-  USER = 'USER',
-  ADMIN = 'ADMIN',
+  USER = 'user',
+  MODERATOR = 'moderator',
+  ADMIN = 'admin',
 }
 
 export interface AuthContextType {
diff --git a/srcs/shared/core/src/index.ts b/srcs/shared/core/src/index.ts
index 37453aac..e585cab8 100644
--- a/srcs/shared/core/src/index.ts
+++ b/srcs/shared/core/src/index.ts
@@ -51,7 +51,7 @@ export {
   emailSchema,
   passwordSchema,
   IdSchema,
-  roleShema,
+  roleSchema,
 } from './schemas/base.schema.js';
 export { UserNameSchema } from './schemas/user.schema.js';
 export { UserSchema, UserLoginSchema, UserRegisterSchema } from './schemas/auth.schema.js';
diff --git a/srcs/shared/core/src/schemas/base.schema.ts b/srcs/shared/core/src/schemas/base.schema.ts
index 052176da..5217f121 100644
--- a/srcs/shared/core/src/schemas/base.schema.ts
+++ b/srcs/shared/core/src/schemas/base.schema.ts
@@ -30,7 +30,7 @@ export const passwordSchema = z
   .regex(/^(?=.*\d)/, 'Password must contain at least one number')
   .regex(/^(?=.*[!@#$%^&*])/, 'Password must contain at least one special character (!@#$%^&*)');
 
-export const roleShema = z.enum(['GUEST', 'USER', 'ADMIN']);
+export const roleSchema = z.enum(['user', 'moderator', 'admin']);
 
 export const emailSchema = z.email();
 
@@ -52,5 +52,5 @@ export type emailDTO = z.output<typeof emailSchema>;
 export type idDTO = z.output<typeof idSchema>;
 
 export type IdDTO = z.output<typeof IdSchema>;
-export type RoleDTO = z.output<typeof roleShema>;
+export type RoleDTO = z.output<typeof roleSchema>;
 export type TargetUserIdDTO = z.output<typeof TargetUserIdSchema>;