diff --git a/backend/tests/Feature/User/UserSearchAndPromoteTest.php b/backend/tests/Feature/User/UserSearchAndPromoteTest.php
new file mode 100644
index 0000000..b5a67f5
--- /dev/null
+++ b/backend/tests/Feature/User/UserSearchAndPromoteTest.php
@@ -0,0 +1,92 @@
+signupAndLogin(
+ email: 'alice@example.com',
+ displayName: 'alice',
+ password: 'longenoughpassword',
+ );
+ $this->signupAndLogin(
+ email: 'alex@example.com',
+ displayName: 'alex',
+ password: 'longenoughpassword',
+ );
+
+ $this->resetClientState();
+ $response = $this->getJson('/api/users?q=al');
+ $response->assertStatus(200);
+ $response->assertJsonCount(2, 'users');
+ }
+
+ public function test_search_with_no_query_returns_empty(): void
+ {
+ $response = $this->getJson('/api/users');
+ $response->assertStatus(200);
+ $response->assertJsonPath('users', []);
+ }
+
+ public function test_non_admin_cannot_promote(): void
+ {
+ $alice = $this->signupAndLogin(
+ email: 'alice@example.com',
+ displayName: 'alice',
+ password: 'longenoughpassword',
+ );
+ $bob = $this->signupAndLogin(
+ email: 'bob@example.com',
+ displayName: 'bob',
+ password: 'longenoughpassword',
+ );
+
+ $this->resetClientState();
+ $this->withCredentials()
+ ->withUnencryptedCookie('auth_token', $alice['cookie'])
+ ->postJson('/api/admin/users/promote', [
+ 'userId' => $bob['user']->getId(),
+ ])
+ ->assertStatus(403);
+ }
+
+ public function test_admin_promotes_user(): void
+ {
+ $alice = $this->signupAndLogin(
+ email: 'alice@example.com',
+ displayName: 'alice',
+ password: 'longenoughpassword',
+ );
+ $bob = $this->signupAndLogin(
+ email: 'bob@example.com',
+ displayName: 'bob',
+ password: 'longenoughpassword',
+ );
+
+ $this->promoteToAdmin($alice['user']->getId());
+ $loginResponse = $this->postJson('/api/login', [
+ 'email' => 'alice@example.com',
+ 'password' => 'longenoughpassword',
+ ]);
+ $aliceCookie = $loginResponse->getCookie('auth_token', false)
+ ->getValue();
+
+ $this->resetClientState();
+ $this->withCredentials()
+ ->withUnencryptedCookie('auth_token', $aliceCookie)
+ ->postJson('/api/admin/users/promote', [
+ 'userId' => $bob['user']->getId(),
+ ])
+ ->assertStatus(200)
+ ->assertJsonPath('user.isAdmin', true);
+ }
+}
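Review bot: `test_non_admin_cannot_promote` checks only the 403 status, so a handler that updates bob's role before rejecting the request would still pass; after the call the test should re-read bob and assert he is still not an admin. The promote endpoint also has no case for a request that carries no `auth_token` cookie at all, e.g. `$this->postJson('/api/admin/users/promote', ['userId' => $bob['user']->getId()])` expecting whatever unauthenticated status the API uses. Separately, both search tests call `/api/users` with no cookie attached (the first right after `resetClientState()`, whose body is not visible here) and expect 200, which would pin user search as open to anonymous clients. If that is intended, a comment saying so and an assertion on which fields each `users` entry exposes would help guard against account enumeration and accidental e-mail disclosure. The class declaration and the first test's signature are missing from this view of the hunk.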