feat: remove register, add evo webhooks, admin view-as user

- Remove /register route and nav links (users created via Evotor webhook)
- Fix evotor_webhooks.py: use phone=None instead of phone="" to avoid unique constraint
- Add admin "view as user" feature: POST /admin/users/{id}/view-as sets viewed_user_id
  in session; POST /admin/view-as/stop clears it
- catalog, vk_catalog, sync, connections GET routes use get_viewed_user() so admins
  see another user's data while browsing
- Orange banner shown at top when admin is viewing as another user

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

web/routes/admin.py

@@ -101,6 +101,30 @@ async def admin_user_detail(user_id: int, request: Request, db: Session = Depend
     return _render(request, "admin/user_detail.html", {"user": admin, "target": target})
 
 
+# ── View-as ───────────────────────────────────────────────────────────────────
+
+@router.post("/users/{user_id}/view-as")
+async def admin_view_as(user_id: int, request: Request, db: Session = Depends(get_db)):
+    try:
+        _admin_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+    target = db.get(User, user_id)
+    if target:
+        request.session["viewed_user_id"] = user_id
+    return RedirectResponse("/connections", 303)
+
+
+@router.post("/view-as/stop")
+async def admin_view_as_stop(request: Request, db: Session = Depends(get_db)):
+    try:
+        _admin_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+    request.session.pop("viewed_user_id", None)
+    return RedirectResponse("/admin/users", 303)
+
+
 # ── User actions ──────────────────────────────────────────────────────────────
 
 @router.post("/users/{user_id}/activate")

web/routes/auth.py

@@ -1,11 +1,10 @@
 import secrets
 
 from fastapi import APIRouter, Depends, Request
-from fastapi.responses import HTMLResponse, RedirectResponse
-from sqlalchemy import or_
+from fastapi.responses import HTMLResponse, RedirectResponse, Response
 from sqlalchemy.orm import Session
 
-from web.auth.password import hash_password, verify_password
+from web.auth.password import verify_password
 from web.auth.session import get_session_user_id
 from web.config import settings
 from web.database import get_db
@@ -23,60 +22,13 @@ def _render(request: Request, template: str, ctx: dict) -> HTMLResponse:
 
 
 @router.get("/register")
-async def register_get(request: Request, db: Session = Depends(get_db)):
-    if get_session_user_id(request):
-        return RedirectResponse("/profile", 303)
-    return _render(request, "register.html", {"user": None})
+async def register_get(request: Request):
+    return Response(status_code=404)
 
 
 @router.post("/register")
-async def register_post(request: Request, db: Session = Depends(get_db)):
-    form = await request.form()
-    data = {k: str(v).strip() for k, v in form.items()}
-    errors = []
-
-    if not data.get("email"):
-        errors.append("Email обязателен")
-    if not data.get("phone"):
-        errors.append("Телефон обязателен")
-    if not data.get("password"):
-        errors.append("Пароль обязателен")
-    if len(data.get("password", "")) < 8:
-        errors.append("Пароль должен содержать минимум 8 символов")
-    if data.get("password") != data.get("password_confirm"):
-        errors.append("Пароли не совпадают")
-
-    if not errors:
-        existing = db.query(User).filter(
-            or_(User.email == data["email"], User.phone == data["phone"])
-        ).first()
-        if existing:
-            if existing.email == data["email"]:
-                errors.append("Пользователь с таким email уже существует")
-            else:
-                errors.append("Пользователь с таким телефоном уже существует")
-
-    if errors:
-        return _render(request, "register.html", {"user": None, "errors": errors, "form": data})
-
-    token = secrets.token_urlsafe(32)
-    user = User(
-        first_name=data.get("first_name", ""),
-        last_name=data.get("last_name", ""),
-        email=data["email"],
-        phone=data["phone"],
-        password_hash=await _hash(data["password"]),
-        email_confirm_token=token,
-        status=UserStatusEnum.pending,
-    )
-    db.add(user)
-    db.commit()
-
-    confirm_url = f"{settings.BASE_URL}/confirm-email?token={token}"
-    html = f'<p>Подтвердите email: <a href="{confirm_url}">{confirm_url}</a></p>'
-    send_email_task.delay(user.email, "Подтвердите ваш email — ЭВОСИНК", html)
-
-    return _render(request, "confirm_email.html", {"user": None})
+async def register_post(request: Request):
+    return Response(status_code=404)
 
 
 @router.get("/confirm-email")
@@ -167,4 +119,5 @@ async def logout(request: Request):
 
 async def _hash(plain: str) -> str:
     import asyncio
+    from web.auth.password import hash_password
     return await asyncio.get_event_loop().run_in_executor(None, hash_password, plain)

web/routes/catalog.py

@@ -5,7 +5,7 @@ from fastapi.responses import HTMLResponse, RedirectResponse
 from sqlalchemy import func
 from sqlalchemy.orm import Session
 
-from web.auth.session import get_current_user
+from web.auth.session import get_current_user, get_viewed_user
 from web.config import settings
 from web.database import get_db
 from web.models.connections import CachedGroup, CachedProduct, CachedStore, SyncConfig, SyncFilter
@@ -55,21 +55,22 @@ def _render(request: Request, template: str, ctx: dict) -> HTMLResponse:
 @router.get("/catalog/stores")
 async def catalog_stores(request: Request, db: Session = Depends(get_db)):
     try:
-        user = get_current_user(request, db)
+        real_user, viewed_user = get_viewed_user(request, db)
     except Exception:
         return RedirectResponse("/login", 303)
 
     stores = (
         db.query(CachedStore)
-        .filter(CachedStore.user_id == user.id)
+        .filter(CachedStore.user_id == viewed_user.id)
         .order_by(CachedStore.name)
         .all()
     )
-    enabled_ids = _enabled_store_ids(db, user.id)
+    enabled_ids = _enabled_store_ids(db, viewed_user.id)
     return _render(request, "catalog/stores.html", {
-        "user": user,
+        "user": real_user,
+        "viewed_user": viewed_user if viewed_user.id != real_user.id else None,
         "stores": stores,
-        "enabled_ids": enabled_ids,  # None = all enabled, set = explicit list
+        "enabled_ids": enabled_ids,
         "refresh_interval": settings.CATALOG_REFRESH_INTERVAL_SECONDS,
     })
 
@@ -77,13 +78,13 @@ async def catalog_stores(request: Request, db: Session = Depends(get_db)):
 @router.get("/catalog/stores/{store_evotor_id}/groups")
 async def catalog_groups(store_evotor_id: str, request: Request, db: Session = Depends(get_db)):
     try:
-        user = get_current_user(request, db)
+        real_user, viewed_user = get_viewed_user(request, db)
     except Exception:
         return RedirectResponse("/login", 303)
 
     store = (
         db.query(CachedStore)
-        .filter(CachedStore.user_id == user.id, CachedStore.evotor_id == store_evotor_id)
+        .filter(CachedStore.user_id == viewed_user.id, CachedStore.evotor_id == store_evotor_id)
         .first()
     )
     if not store:
@@ -91,22 +92,24 @@ async def catalog_groups(store_evotor_id: str, request: Request, db: Session = D
 
     groups = (
         db.query(CachedGroup)
-        .filter(CachedGroup.user_id == user.id, CachedGroup.store_evotor_id == store_evotor_id)
+        .filter(CachedGroup.user_id == viewed_user.id, CachedGroup.store_evotor_id == store_evotor_id)
         .order_by(CachedGroup.name)
         .all()
     )
-    enabled_ids = _enabled_group_ids(db, user.id, store_evotor_id)
+    enabled_ids = _enabled_group_ids(db, viewed_user.id, store_evotor_id)
 
     counts_q = (
         db.query(CachedProduct.group_evotor_id, func.count().label("cnt"))
-        .filter(CachedProduct.user_id == user.id, CachedProduct.store_evotor_id == store_evotor_id)
+        .filter(CachedProduct.user_id == viewed_user.id, CachedProduct.store_evotor_id == store_evotor_id)
         .group_by(CachedProduct.group_evotor_id)
         .all()
     )
     product_counts = {row.group_evotor_id: row.cnt for row in counts_q}
 
     return _render(request, "catalog/groups.html", {
-        "user": user, "store": store, "groups": groups,
+        "user": real_user,
+        "viewed_user": viewed_user if viewed_user.id != real_user.id else None,
+        "store": store, "groups": groups,
         "enabled_ids": enabled_ids,
         "product_counts": product_counts,
     })
@@ -115,13 +118,13 @@ async def catalog_groups(store_evotor_id: str, request: Request, db: Session = D
 @router.get("/catalog/stores/{store_evotor_id}/products")
 async def catalog_products(store_evotor_id: str, request: Request, db: Session = Depends(get_db)):
     try:
-        user = get_current_user(request, db)
+        real_user, viewed_user = get_viewed_user(request, db)
     except Exception:
         return RedirectResponse("/login", 303)
 
     store = (
         db.query(CachedStore)
-        .filter(CachedStore.user_id == user.id, CachedStore.evotor_id == store_evotor_id)
+        .filter(CachedStore.user_id == viewed_user.id, CachedStore.evotor_id == store_evotor_id)
         .first()
     )
     if not store:
@@ -129,7 +132,7 @@ async def catalog_products(store_evotor_id: str, request: Request, db: Session =
 
     group_id = request.query_params.get("group")
     q = db.query(CachedProduct).filter(
-        CachedProduct.user_id == user.id,
+        CachedProduct.user_id == viewed_user.id,
         CachedProduct.store_evotor_id == store_evotor_id,
     )
     if group_id:
@@ -138,13 +141,14 @@ async def catalog_products(store_evotor_id: str, request: Request, db: Session =
     products = q.order_by(CachedProduct.name).all()
     groups = (
         db.query(CachedGroup)
-        .filter(CachedGroup.user_id == user.id, CachedGroup.store_evotor_id == store_evotor_id)
+        .filter(CachedGroup.user_id == viewed_user.id, CachedGroup.store_evotor_id == store_evotor_id)
         .order_by(CachedGroup.name)
         .all()
     )
     group_map = {g.evotor_id: g.name for g in groups}
     return _render(request, "catalog/products.html", {
-        "user": user,
+        "user": real_user,
+        "viewed_user": viewed_user if viewed_user.id != real_user.id else None,
         "store": store,
         "products": products,
         "groups": groups,

web/routes/connections.py

@@ -8,7 +8,7 @@ from fastapi import APIRouter, Depends, Request
 from fastapi.responses import HTMLResponse, JSONResponse, RedirectResponse
 from sqlalchemy.orm import Session
 
-from web.auth.session import get_current_user
+from web.auth.session import get_current_user, get_viewed_user
 from web.config import settings
 from web.database import get_db
 from web.models.connections import EvotorConnection, VkConnection
@@ -32,13 +32,18 @@ def _now() -> datetime:
 @router.get("/connections")
 async def connections_get(request: Request, db: Session = Depends(get_db)):
     try:
-        user = get_current_user(request, db)
+        real_user, viewed_user = get_viewed_user(request, db)
     except Exception:
         return RedirectResponse("/login", 303)
 
-    evotor = db.query(EvotorConnection).filter_by(user_id=user.id).first()
-    vk = db.query(VkConnection).filter_by(user_id=user.id).first()
-    return _render(request, "connections.html", {"user": user, "evotor": evotor, "vk": vk})
+    evotor = db.query(EvotorConnection).filter_by(user_id=viewed_user.id).first()
+    vk = db.query(VkConnection).filter_by(user_id=viewed_user.id).first()
+    return _render(request, "connections.html", {
+        "user": real_user,
+        "viewed_user": viewed_user if viewed_user.id != real_user.id else None,
+        "evotor": evotor,
+        "vk": vk,
+    })
 
 
 @router.post("/connections/evotor")

web/routes/evotor_webhooks.py

@@ -134,8 +134,8 @@ async def user_create(request: Request, db: Session = Depends(get_db)):
         user = User(
             first_name=first_name or "",
             last_name=last_name or "",
-            email=email or f"{evotor_user_id}@evotor.placeholder",
-            phone=phone or "",
+            email=email or f"{evotor_user_id}@evotor.invalid",
+            phone=phone or None,
             password_hash=None,
             role=UserRoleEnum.user,
             status=UserStatusEnum.pending,

web/routes/sync.py

@@ -5,7 +5,7 @@ from fastapi import APIRouter, Depends, Request
 from fastapi.responses import RedirectResponse
 from sqlalchemy.orm import Session
 
-from web.auth.session import get_current_user
+from web.auth.session import get_current_user, get_viewed_user
 from web.config import settings
 from web.database import get_db
 from web.models.connections import SyncConfig
@@ -23,13 +23,14 @@ def _render(request: Request, ctx: dict):
 @router.get("/sync")
 async def sync_get(request: Request, db: Session = Depends(get_db)):
     try:
-        user = get_current_user(request, db)
+        real_user, viewed_user = get_viewed_user(request, db)
     except Exception:
         return RedirectResponse("/login", 303)
 
-    config = db.query(SyncConfig).filter_by(user_id=user.id).first()
+    config = db.query(SyncConfig).filter_by(user_id=viewed_user.id).first()
     return _render(request, {
-        "user": user,
+        "user": real_user,
+        "viewed_user": viewed_user if viewed_user.id != real_user.id else None,
         "config": config,
         "saved": request.query_params.get("saved"),
     })

web/routes/vk_catalog.py

@@ -2,7 +2,7 @@ from fastapi import APIRouter, Depends, Request
 from fastapi.responses import HTMLResponse, RedirectResponse
 from sqlalchemy.orm import Session
 
-from web.auth.session import get_current_user
+from web.auth.session import get_viewed_user
 from web.config import settings
 from web.database import get_db
 from web.models.connections import VkCachedAlbum, VkCachedProduct, VkConnection
@@ -20,19 +20,20 @@ def _render(request: Request, template: str, ctx: dict) -> HTMLResponse:
 @router.get("/vk-catalog/albums")
 async def vk_catalog_albums(request: Request, db: Session = Depends(get_db)):
     try:
-        user = get_current_user(request, db)
+        real_user, viewed_user = get_viewed_user(request, db)
     except Exception:
         return RedirectResponse("/login", 303)
 
-    vk_conn = db.query(VkConnection).filter_by(user_id=user.id).first()
+    vk_conn = db.query(VkConnection).filter_by(user_id=viewed_user.id).first()
     albums = (
         db.query(VkCachedAlbum)
-        .filter(VkCachedAlbum.user_id == user.id)
+        .filter(VkCachedAlbum.user_id == viewed_user.id)
         .order_by(VkCachedAlbum.title)
         .all()
     )
     return _render(request, "vk_catalog/albums.html", {
-        "user": user,
+        "user": real_user,
+        "viewed_user": viewed_user if viewed_user.id != real_user.id else None,
         "albums": albums,
         "vk_conn": vk_conn,
         "refresh_interval": settings.CATALOG_REFRESH_INTERVAL_SECONDS,
@@ -42,22 +43,23 @@ async def vk_catalog_albums(request: Request, db: Session = Depends(get_db)):
 @router.get("/vk-catalog/albums/{album_id}/products")
 async def vk_catalog_products(album_id: str, request: Request, db: Session = Depends(get_db)):
     try:
-        user = get_current_user(request, db)
+        real_user, viewed_user = get_viewed_user(request, db)
     except Exception:
         return RedirectResponse("/login", 303)
 
-    album = db.query(VkCachedAlbum).filter_by(user_id=user.id, album_id=album_id).first()
+    album = db.query(VkCachedAlbum).filter_by(user_id=viewed_user.id, album_id=album_id).first()
     if not album:
         return RedirectResponse("/vk-catalog/albums", 303)
 
     products = (
         db.query(VkCachedProduct)
-        .filter(VkCachedProduct.user_id == user.id, VkCachedProduct.album_id == album_id)
+        .filter(VkCachedProduct.user_id == viewed_user.id, VkCachedProduct.album_id == album_id)
         .order_by(VkCachedProduct.name)
         .all()
     )
     return _render(request, "vk_catalog/products.html", {
-        "user": user,
+        "user": real_user,
+        "viewed_user": viewed_user if viewed_user.id != real_user.id else None,
         "album": album,
         "products": products,
     })