mish/evo-sync
1
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects 1 Releases 5 Wiki Activity

feat: remove register, add evo webhooks, admin view-as user

Browse Source 
- Remove /register route and nav links (users created via Evotor webhook)
- Fix evotor_webhooks.py: use phone=None instead of phone="" to avoid unique constraint
- Add admin "view as user" feature: POST /admin/users/{id}/view-as sets viewed_user_id
  in session; POST /admin/view-as/stop clears it
- catalog, vk_catalog, sync, connections GET routes use get_viewed_user() so admins
  see another user's data while browsing
- Orange banner shown at top when admin is viewing as another user

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
mguschin
2026-05-13 20:44:25 +03:00
parent 1729ff9b7b
commit 5e7be16755
11 changed files with 113 additions and 96 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
web/auth/session.py
View File

@@ -3,7 +3,7 @@ from fastapi.responses import RedirectResponse
from sqlalchemy.orm import Session
from starlette.requests import Request
from web.models.user import User, UserStatusEnum
from web.models.user import User, UserRoleEnum, UserStatusEnum
def get_session_user_id(request: Request) -> int | None:
@@ -21,5 +21,22 @@ def get_current_user(request: Request, db: Session) -> User:
return user
def get_viewed_user(request: Request, db: Session) -> tuple[User, User]:
"""Return (real_user, viewed_user).
Admins/system users can view another user's data by having
`viewed_user_id` set in the session (via /admin/users/{id}/view-as).
For regular users, both values are the same.
"""
real_user = get_current_user(request, db)
is_admin = real_user.role in (UserRoleEnum.admin, UserRoleEnum.system)
viewed_id = request.session.get("viewed_user_id") if is_admin else None
if viewed_id:
viewed = db.get(User, viewed_id)
if viewed:
return real_user, viewed
return real_user, real_user
def login_redirect() -> RedirectResponse:
return RedirectResponse("/login", status_code=303)

24
web/routes/admin.py
View File

@@ -101,6 +101,30 @@ async def admin_user_detail(user_id: int, request: Request, db: Session = Depend
return _render(request, "admin/user_detail.html", {"user": admin, "target": target})
# ── View-as ───────────────────────────────────────────────────────────────────
@router.post("/users/{user_id}/view-as")
async def admin_view_as(user_id: int, request: Request, db: Session = Depends(get_db)):
try:
_admin_user(request, db)
except Exception:
return RedirectResponse("/login", 303)
target = db.get(User, user_id)
if target:
request.session["viewed_user_id"] = user_id
return RedirectResponse("/connections", 303)
@router.post("/view-as/stop")
async def admin_view_as_stop(request: Request, db: Session = Depends(get_db)):
try:
_admin_user(request, db)
except Exception:
return RedirectResponse("/login", 303)
request.session.pop("viewed_user_id", None)
return RedirectResponse("/admin/users", 303)
# ── User actions ──────────────────────────────────────────────────────────────
@router.post("/users/{user_id}/activate")

61
web/routes/auth.py
View File

@@ -1,11 +1,10 @@
import secrets
from fastapi import APIRouter, Depends, Request
from fastapi.responses import HTMLResponse, RedirectResponse
from sqlalchemy import or_
from fastapi.responses import HTMLResponse, RedirectResponse, Response
from sqlalchemy.orm import Session
from web.auth.password import hash_password, verify_password
from web.auth.password import verify_password
from web.auth.session import get_session_user_id
from web.config import settings
from web.database import get_db
@@ -23,60 +22,13 @@ def _render(request: Request, template: str, ctx: dict) -> HTMLResponse:
@router.get("/register")
async def register_get(request: Request, db: Session = Depends(get_db)):
if get_session_user_id(request):
return RedirectResponse("/profile", 303)
return _render(request, "register.html", {"user": None})
async def register_get(request: Request):
return Response(status_code=404)
@router.post("/register")
async def register_post(request: Request, db: Session = Depends(get_db)):
form = await request.form()
data = {k: str(v).strip() for k, v in form.items()}
errors = []
if not data.get("email"):
errors.append("Email обязателен")
if not data.get("phone"):
errors.append("Телефон обязателен")
if not data.get("password"):
errors.append("Пароль обязателен")
if len(data.get("password", "")) < 8:
errors.append("Пароль должен содержать минимум 8 символов")
if data.get("password") != data.get("password_confirm"):
errors.append("Пароли не совпадают")
if not errors:
existing = db.query(User).filter(
or_(User.email == data["email"], User.phone == data["phone"])
).first()
if existing:
if existing.email == data["email"]:
errors.append("Пользователь с таким email уже существует")
else:
errors.append("Пользователь с таким телефоном уже существует")
if errors:
return _render(request, "register.html", {"user": None, "errors": errors, "form": data})
token = secrets.token_urlsafe(32)
user = User(
first_name=data.get("first_name", ""),
last_name=data.get("last_name", ""),
email=data["email"],
phone=data["phone"],
password_hash=await _hash(data["password"]),
email_confirm_token=token,
status=UserStatusEnum.pending,
)
db.add(user)
db.commit()
confirm_url = f"{settings.BASE_URL}/confirm-email?token={token}"
html = f'<p>Подтвердите email: <a href="{confirm_url}">{confirm_url}</a></p>'
send_email_task.delay(user.email, "Подтвердите ваш email — ЭВОСИНК", html)
return _render(request, "confirm_email.html", {"user": None})
async def register_post(request: Request):
return Response(status_code=404)
@router.get("/confirm-email")
@@ -167,4 +119,5 @@ async def logout(request: Request):
async def _hash(plain: str) -> str:
import asyncio
from web.auth.password import hash_password
return await asyncio.get_event_loop().run_in_executor(None, hash_password, plain)

38
web/routes/catalog.py
View File

@@ -5,7 +5,7 @@ from fastapi.responses import HTMLResponse, RedirectResponse
from sqlalchemy import func
from sqlalchemy.orm import Session
from web.auth.session import get_current_user
from web.auth.session import get_current_user, get_viewed_user
from web.config import settings
from web.database import get_db
from web.models.connections import CachedGroup, CachedProduct, CachedStore, SyncConfig, SyncFilter
@@ -55,21 +55,22 @@ def _render(request: Request, template: str, ctx: dict) -> HTMLResponse:
@router.get("/catalog/stores")
async def catalog_stores(request: Request, db: Session = Depends(get_db)):
try:
user = get_current_user(request, db)
real_user, viewed_user = get_viewed_user(request, db)
except Exception:
return RedirectResponse("/login", 303)
stores = (
db.query(CachedStore)
.filter(CachedStore.user_id == user.id)
.filter(CachedStore.user_id == viewed_user.id)
.order_by(CachedStore.name)
.all()
)
enabled_ids = _enabled_store_ids(db, user.id)
enabled_ids = _enabled_store_ids(db, viewed_user.id)
return _render(request, "catalog/stores.html", {
"user": user,
"user": real_user,
"viewed_user": viewed_user if viewed_user.id != real_user.id else None,
"stores": stores,
"enabled_ids": enabled_ids, # None = all enabled, set = explicit list
"enabled_ids": enabled_ids,
"refresh_interval": settings.CATALOG_REFRESH_INTERVAL_SECONDS,
})
@@ -77,13 +78,13 @@ async def catalog_stores(request: Request, db: Session = Depends(get_db)):
@router.get("/catalog/stores/{store_evotor_id}/groups")
async def catalog_groups(store_evotor_id: str, request: Request, db: Session = Depends(get_db)):
try:
user = get_current_user(request, db)
real_user, viewed_user = get_viewed_user(request, db)
except Exception:
return RedirectResponse("/login", 303)
store = (
db.query(CachedStore)
.filter(CachedStore.user_id == user.id, CachedStore.evotor_id == store_evotor_id)
.filter(CachedStore.user_id == viewed_user.id, CachedStore.evotor_id == store_evotor_id)
.first()
)
if not store:
@@ -91,22 +92,24 @@ async def catalog_groups(store_evotor_id: str, request: Request, db: Session = D
groups = (
db.query(CachedGroup)
.filter(CachedGroup.user_id == user.id, CachedGroup.store_evotor_id == store_evotor_id)
.filter(CachedGroup.user_id == viewed_user.id, CachedGroup.store_evotor_id == store_evotor_id)
.order_by(CachedGroup.name)
.all()
)
enabled_ids = _enabled_group_ids(db, user.id, store_evotor_id)
enabled_ids = _enabled_group_ids(db, viewed_user.id, store_evotor_id)
counts_q = (
db.query(CachedProduct.group_evotor_id, func.count().label("cnt"))
.filter(CachedProduct.user_id == user.id, CachedProduct.store_evotor_id == store_evotor_id)
.filter(CachedProduct.user_id == viewed_user.id, CachedProduct.store_evotor_id == store_evotor_id)
.group_by(CachedProduct.group_evotor_id)
.all()
)
product_counts = {row.group_evotor_id: row.cnt for row in counts_q}
return _render(request, "catalog/groups.html", {
"user": user, "store": store, "groups": groups,
"user": real_user,
"viewed_user": viewed_user if viewed_user.id != real_user.id else None,
"store": store, "groups": groups,
"enabled_ids": enabled_ids,
"product_counts": product_counts,
})
@@ -115,13 +118,13 @@ async def catalog_groups(store_evotor_id: str, request: Request, db: Session = D
@router.get("/catalog/stores/{store_evotor_id}/products")
async def catalog_products(store_evotor_id: str, request: Request, db: Session = Depends(get_db)):
try:
user = get_current_user(request, db)
real_user, viewed_user = get_viewed_user(request, db)
except Exception:
return RedirectResponse("/login", 303)
store = (
db.query(CachedStore)
.filter(CachedStore.user_id == user.id, CachedStore.evotor_id == store_evotor_id)
.filter(CachedStore.user_id == viewed_user.id, CachedStore.evotor_id == store_evotor_id)
.first()
)
if not store:
@@ -129,7 +132,7 @@ async def catalog_products(store_evotor_id: str, request: Request, db: Session =
group_id = request.query_params.get("group")
q = db.query(CachedProduct).filter(
CachedProduct.user_id == user.id,
CachedProduct.user_id == viewed_user.id,
CachedProduct.store_evotor_id == store_evotor_id,
)
if group_id:
@@ -138,13 +141,14 @@ async def catalog_products(store_evotor_id: str, request: Request, db: Session =
products = q.order_by(CachedProduct.name).all()
groups = (
db.query(CachedGroup)
.filter(CachedGroup.user_id == user.id, CachedGroup.store_evotor_id == store_evotor_id)
.filter(CachedGroup.user_id == viewed_user.id, CachedGroup.store_evotor_id == store_evotor_id)
.order_by(CachedGroup.name)
.all()
)
group_map = {g.evotor_id: g.name for g in groups}
return _render(request, "catalog/products.html", {
"user": user,
"user": real_user,
"viewed_user": viewed_user if viewed_user.id != real_user.id else None,
"store": store,
"products": products,
"groups": groups,

15
web/routes/connections.py
View File

@@ -8,7 +8,7 @@ from fastapi import APIRouter, Depends, Request
from fastapi.responses import HTMLResponse, JSONResponse, RedirectResponse
from sqlalchemy.orm import Session
from web.auth.session import get_current_user
from web.auth.session import get_current_user, get_viewed_user
from web.config import settings
from web.database import get_db
from web.models.connections import EvotorConnection, VkConnection
@@ -32,13 +32,18 @@ def _now() -> datetime:
@router.get("/connections")
async def connections_get(request: Request, db: Session = Depends(get_db)):
try:
user = get_current_user(request, db)
real_user, viewed_user = get_viewed_user(request, db)
except Exception:
return RedirectResponse("/login", 303)
evotor = db.query(EvotorConnection).filter_by(user_id=user.id).first()
vk = db.query(VkConnection).filter_by(user_id=user.id).first()
return _render(request, "connections.html", {"user": user, "evotor": evotor, "vk": vk})
evotor = db.query(EvotorConnection).filter_by(user_id=viewed_user.id).first()
vk = db.query(VkConnection).filter_by(user_id=viewed_user.id).first()
return _render(request, "connections.html", {
"user": real_user,
"viewed_user": viewed_user if viewed_user.id != real_user.id else None,
"evotor": evotor,
"vk": vk,
})
@router.post("/connections/evotor")

4
web/routes/evotor_webhooks.py
View File

@@ -134,8 +134,8 @@ async def user_create(request: Request, db: Session = Depends(get_db)):
user = User(
first_name=first_name or "",
last_name=last_name or "",
email=email or f"{evotor_user_id}@evotor.placeholder",
phone=phone or "",
email=email or f"{evotor_user_id}@evotor.invalid",
phone=phone or None,
password_hash=None,
role=UserRoleEnum.user,
status=UserStatusEnum.pending,

9
web/routes/sync.py
View File

@@ -5,7 +5,7 @@ from fastapi import APIRouter, Depends, Request
from fastapi.responses import RedirectResponse
from sqlalchemy.orm import Session
from web.auth.session import get_current_user
from web.auth.session import get_current_user, get_viewed_user
from web.config import settings
from web.database import get_db
from web.models.connections import SyncConfig
@@ -23,13 +23,14 @@ def _render(request: Request, ctx: dict):
@router.get("/sync")
async def sync_get(request: Request, db: Session = Depends(get_db)):
try:
user = get_current_user(request, db)
real_user, viewed_user = get_viewed_user(request, db)
except Exception:
return RedirectResponse("/login", 303)
config = db.query(SyncConfig).filter_by(user_id=user.id).first()
config = db.query(SyncConfig).filter_by(user_id=viewed_user.id).first()
return _render(request, {
"user": user,
"user": real_user,
"viewed_user": viewed_user if viewed_user.id != real_user.id else None,
"config": config,
"saved": request.query_params.get("saved"),
})

20
web/routes/vk_catalog.py
View File

@@ -2,7 +2,7 @@ from fastapi import APIRouter, Depends, Request
from fastapi.responses import HTMLResponse, RedirectResponse
from sqlalchemy.orm import Session
from web.auth.session import get_current_user
from web.auth.session import get_viewed_user
from web.config import settings
from web.database import get_db
from web.models.connections import VkCachedAlbum, VkCachedProduct, VkConnection
@@ -20,19 +20,20 @@ def _render(request: Request, template: str, ctx: dict) -> HTMLResponse:
@router.get("/vk-catalog/albums")
async def vk_catalog_albums(request: Request, db: Session = Depends(get_db)):
try:
user = get_current_user(request, db)
real_user, viewed_user = get_viewed_user(request, db)
except Exception:
return RedirectResponse("/login", 303)
vk_conn = db.query(VkConnection).filter_by(user_id=user.id).first()
vk_conn = db.query(VkConnection).filter_by(user_id=viewed_user.id).first()
albums = (
db.query(VkCachedAlbum)
.filter(VkCachedAlbum.user_id == user.id)
.filter(VkCachedAlbum.user_id == viewed_user.id)
.order_by(VkCachedAlbum.title)
.all()
)
return _render(request, "vk_catalog/albums.html", {
"user": user,
"user": real_user,
"viewed_user": viewed_user if viewed_user.id != real_user.id else None,
"albums": albums,
"vk_conn": vk_conn,
"refresh_interval": settings.CATALOG_REFRESH_INTERVAL_SECONDS,
@@ -42,22 +43,23 @@ async def vk_catalog_albums(request: Request, db: Session = Depends(get_db)):
@router.get("/vk-catalog/albums/{album_id}/products")
async def vk_catalog_products(album_id: str, request: Request, db: Session = Depends(get_db)):
try:
user = get_current_user(request, db)
real_user, viewed_user = get_viewed_user(request, db)
except Exception:
return RedirectResponse("/login", 303)
album = db.query(VkCachedAlbum).filter_by(user_id=user.id, album_id=album_id).first()
album = db.query(VkCachedAlbum).filter_by(user_id=viewed_user.id, album_id=album_id).first()
if not album:
return RedirectResponse("/vk-catalog/albums", 303)
products = (
db.query(VkCachedProduct)
.filter(VkCachedProduct.user_id == user.id, VkCachedProduct.album_id == album_id)
.filter(VkCachedProduct.user_id == viewed_user.id, VkCachedProduct.album_id == album_id)
.order_by(VkCachedProduct.name)
.all()
)
return _render(request, "vk_catalog/products.html", {
"user": user,
"user": real_user,
"viewed_user": viewed_user if viewed_user.id != real_user.id else None,
"album": album,
"products": products,
})

5
web/templates/admin/user_detail.html
View File

@@ -96,6 +96,11 @@
<i class="bi bi-envelope me-1"></i>Отправить приглашение
</button>
</form>
<form method="post" action="/admin/users/{{ target.id }}/view-as">
<button type="submit" class="w-100 outline">
<i class="bi bi-eye me-1"></i>Просмотр от имени пользователя
</button>
</form>
{% if user.role == 'system' and target.id != user.id %}
<form method="post" action="/admin/users/{{ target.id }}/delete"
onsubmit="return confirm('Удалить пользователя {{ target.email }}? Это действие необратимо.')">

11
web/templates/base.html
View File

@@ -28,7 +28,6 @@
<li><a href="/logout" class="secondary">Выход</a></li>
{% else %}
<li><a href="/login">Вход</a></li>
<li><a href="/register">Регистрация</a></li>
{% endif %}
</ul>
{% if user %}
@@ -52,13 +51,21 @@
<summary role="button" class="outline secondary icon-btn"><i class="bi bi-list"></i></summary>
<ul>
<li><a href="/login">Вход</a></li>
<li><a href="/register">Регистрация</a></li>
</ul>
</details>
{% endif %}
</nav>
</header>
{% if viewed_user %}
<div style="background:#e65c00;color:#fff;text-align:center;padding:0.4rem 1rem;font-size:0.9rem;">
<i class="bi bi-eye me-1"></i>Просмотр от имени: <strong>{{ viewed_user.first_name }} {{ viewed_user.last_name }}</strong> ({{ viewed_user.email }})
<form method="post" action="/admin/view-as/stop" style="display:inline;margin-left:1rem;">
<button type="submit" style="background:none;border:1px solid #fff;color:#fff;padding:0.1rem 0.6rem;font-size:0.85rem;cursor:pointer;border-radius:4px;">Выйти</button>
</form>
</div>
{% endif %}
<main class="container py-4">
{% if errors %}
<div role="alert" class="alert alert-danger">

3
web/templates/login.html
View File

@@ -17,8 +17,7 @@
<button type="submit" class="w-100">Войти</button>
</form>
<div class="text-center small mt-3">
<a href="/forgot-password">Забыли пароль?</a><br>
<a href="/register">Зарегистрироваться</a>
<a href="/forgot-password">Забыли пароль?</a>
</div>
</div>
</article>