89 lines
3.8 KiB
Python
89 lines
3.8 KiB
Python
|
from fastapi import APIRouter, Depends, HTTPException, Request, Form
|
||
|
|
from sqlalchemy.ext.asyncio import AsyncSession
|
||
|
|
from sqlalchemy.future import select
|
||
|
|
from model.database import get_async_session, User, hash_password
|
||
|
|
from fastapi.templating import Jinja2Templates
|
||
|
|
from fastapi.responses import RedirectResponse
|
||
|
|
|
||
|
|
from routers.auth import get_current_user
|
||
|
|
|
||
|
|
router = APIRouter()
|
||
|
|
templates = Jinja2Templates(directory="templates")
|
||
|
|
|
||
|
|
|
||
|
|
# 🔹 Список пользователей (доступно только авторизованным)
|
||
|
|
@router.get("/users")
|
||
|
|
async def users_list(
|
||
|
|
request: Request,
|
||
|
|
db: AsyncSession = Depends(get_async_session),
|
||
|
|
username: dict = Depends(get_current_user)
|
||
|
|
):
|
||
|
|
result = await db.execute(select(User))
|
||
|
|
users = result.scalars().all()
|
||
|
|
username = username
|
||
|
|
size = "Users"
|
||
|
|
if username["role"] != "admin":
|
||
|
|
raise HTTPException(status_code=403, detail="Access forbidden")
|
||
|
|
return templates.TemplateResponse("users.html", {"request": request, "users":users, "role": username["role"], "username": username["username"], "size": size, "current_path": request.url.path})
|
||
|
|
|
||
|
|
|
||
|
|
# 🔹 Создание пользователя (доступно только администраторам)
|
||
|
|
@router.post("/users/create")
|
||
|
|
async def create_user(
|
||
|
|
request: Request,
|
||
|
|
username: str = Form(...),
|
||
|
|
password: str = Form(...),
|
||
|
|
role: str = Form("user"),
|
||
|
|
db: AsyncSession = Depends(get_async_session),
|
||
|
|
current_user: dict = Depends(get_current_user) # Проверяем авторизацию
|
||
|
|
):
|
||
|
|
# Проверяем, является ли пользователь администратором
|
||
|
|
result = await db.execute(select(User).filter(User.username == current_user['username']))
|
||
|
|
user = result.scalars().first()
|
||
|
|
if not user or user.role != "admin":
|
||
|
|
raise HTTPException(status_code=403, detail="Доступ запрещен")
|
||
|
|
|
||
|
|
# Проверяем, есть ли уже такой пользователь
|
||
|
|
result = await db.execute(select(User).filter(User.username == username))
|
||
|
|
existing_user = result.scalars().first()
|
||
|
|
|
||
|
|
if existing_user:
|
||
|
|
raise HTTPException(status_code=400, detail="Пользователь уже существует")
|
||
|
|
|
||
|
|
hashed_password = hash_password(password)
|
||
|
|
new_user = User(username=username, hashed_password=hashed_password, role=role)
|
||
|
|
|
||
|
|
db.add(new_user)
|
||
|
|
await db.commit()
|
||
|
|
|
||
|
|
return RedirectResponse(url="/users", status_code=303)
|
||
|
|
|
||
|
|
|
||
|
|
# 🔹 Обновление пароля (доступно только для администраторов или самого пользователя)
|
||
|
|
@router.post("/users/update_password")
|
||
|
|
async def update_password(
|
||
|
|
request: Request,
|
||
|
|
user_id: int = Form(...),
|
||
|
|
new_password: str = Form(...),
|
||
|
|
db: AsyncSession = Depends(get_async_session),
|
||
|
|
current_user: dict = Depends(get_current_user) # Проверяем авторизацию
|
||
|
|
):
|
||
|
|
result = await db.execute(select(User).filter(User.id == user_id))
|
||
|
|
user = result.scalars().first()
|
||
|
|
|
||
|
|
if not user:
|
||
|
|
raise HTTPException(status_code=404, detail="Пользователь не найден")
|
||
|
|
|
||
|
|
# Получаем данные текущего пользователя
|
||
|
|
result = await db.execute(select(User).filter(User.username == current_user['username']))
|
||
|
|
current_user_obj = result.scalars().first()
|
||
|
|
|
||
|
|
# Только админ или сам пользователь могут менять пароль
|
||
|
|
if not current_user_obj or (current_user_obj.role != "admin" and current_user_obj.id != user.id):
|
||
|
|
raise HTTPException(status_code=403, detail="Доступ запрещен")
|
||
|
|
|
||
|
|
user.hashed_password = hash_password(new_password)
|
||
|
|
await db.commit()
|
||
|
|
|
||
|
|
return RedirectResponse(url="/users", status_code=303)
|