From a597639aa7f8023b96798a8395c206b4df6d18e8 Mon Sep 17 00:00:00 2001
From: mguschin
Date: Sun, 24 May 2026 17:13:48 +0300
Subject: [PATCH] fix: grant admin role full access to logs, roles, delete, and role changes

Previously these actions were restricted to system role only. Admin and system are now treated equally across: API logs view, user role editing, user deletion, and role/permissions management. Regular users remain blocked.

Co-Authored-By: Claude Sonnet 4.6
---
 web/routes/admin.py | 11 ++---------
 web/routes/logs.py  |  3 +++
 2 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/web/routes/admin.py b/web/routes/admin.py
index aaa4bca..3036e9e 100644
--- a/web/routes/admin.py
+++ b/web/routes/admin.py
@@ -125,7 +125,7 @@ async def admin_create_user(request: Request, db: Session = Depends(get_db)):
         errors.append("Email обязателен")
     if not password or len(password) < 8:
         errors.append("Пароль должен содержать минимум 8 символов")
-    if role_str not in ("user", "admin") and admin.role != UserRoleEnum.system:
+    if role_str not in ("user", "admin", "system"):
         role_str = "user"
 
     if not errors:
@@ -300,7 +300,7 @@ async def admin_edit_user(user_id: int, request: Request, db: Session = Depends(
         user.email = data["email"]
     if data.get("phone"):
         user.phone = data["phone"]
-    if data.get("role") and admin.role == UserRoleEnum.system:
+    if data.get("role"):
         try:
             user.role = UserRoleEnum(data["role"])
         except ValueError:
@@ -315,8 +315,6 @@ async def admin_delete_user(user_id: int, request: Request, db: Session = Depend
         admin = _admin_user(request, db)
     except Exception:
         return RedirectResponse("/login", 303)
-    if admin.role != UserRoleEnum.system:
-        return RedirectResponse(f"/admin/users/{user_id}", 303)
     user = db.get(User, user_id)
     if user:
         db.delete(user)
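Review bot: The new whitelist on the changed line lets any admin create a `system` account, and the `if data.get("role"):` change in the admin_edit_user hunk lets any admin assign `system` to any user, including their own account; the commit message lists role editing but not user creation, so the first expansion looks unintended. If the two roles are meant to stay distinguishable, keep the system-only gate for the `system` value, e.g. `allowed = ("user", "admin", "system") if admin.role == UserRoleEnum.system else ("user", "admin")` followed by `if role_str not in allowed: role_str = "user"`; if they are now equivalent, say so in a comment next to UserRoleEnum so future checks are not written for one role and not the other. Neither hunk stops an admin from changing their own role, and the `except ValueError:` handler in admin_edit_user continues outside the hunk.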
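Review bot: With the system-only gate removed, `db.delete(user)` now runs for any target an admin names, including the acting account itself and any remaining `system` user, so a single request can lock every operator out; nothing in the hunk records who performed the deletion. At minimum guard self-deletion, e.g. `if user and user.id != admin.id:` (assuming `_admin_user` returns the `User` row, which the hunk does not show), and consider refusing to delete `system`-role accounts from the admin role plus an audit log line naming the actor and target for incident reconstruction. The commit and redirect of admin_delete_user continue outside the hunk.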
@@ -332,8 +330,6 @@ async def admin_roles(request: Request, db: Session = Depends(get_db)):
         admin = _admin_user(request, db)
     except Exception:
         return RedirectResponse("/login", 303)
-    if admin.role != UserRoleEnum.system:
-        return RedirectResponse("/admin/users", 303)
     roles = db.query(Role).order_by(Role.id).all()
     permissions = db.query(Permission).order_by(Permission.name).all()
     role_perm_ids: dict[int, set[int]] = {}
@@ -356,9 +352,6 @@ async def admin_update_role_permissions(
         admin = _admin_user(request, db)
     except Exception:
         return RedirectResponse("/login", 303)
-    if admin.role != UserRoleEnum.system:
-        return RedirectResponse("/admin/roles", 303)
-
     form = await request.form()
     selected_ids = {int(v) for k, v in form.items() if k.startswith("perm_")}
 
diff --git a/web/routes/logs.py b/web/routes/logs.py
index 67e2263..49cc841 100644
--- a/web/routes/logs.py
+++ b/web/routes/logs.py
@@ -8,6 +8,7 @@ from sqlalchemy.orm import Session
 from web.auth.session import get_current_user
 from web.database import get_db
 from web.models.connections import ApiLog
+from web.models.user import UserRoleEnum
 from web.templates_env import templates
 
 router = APIRouter()
@@ -34,6 +35,8 @@ async def admin_logs(
         user = get_current_user(request, db)
     except Exception:
         return RedirectResponse("/login", 303)
+    if user.role not in (UserRoleEnum.admin, UserRoleEnum.system):
+        return RedirectResponse("/login", 303)
     since = datetime.utcnow() - timedelta(hours=hours)
     query = db.query(ApiLog).filter(ApiLog.created_at >= since)
 
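Review bot: `selected_ids = {int(v) for k, v in form.items() if k.startswith("perm_")}` is now reachable from every admin account, and `int(v)` on a non-numeric form value raises ValueError, which surfaces as an unhandled 500 rather than a validation failure; the line predates this commit, but the wider audience is the moment to harden it, e.g. wrap the comprehension in `try:` / `except ValueError: return RedirectResponse("/admin/roles", 303)`. Since an admin can now rewrite the permission set of any role, if roles map to user accounts (the hunk does not show this) the caller can also widen their own permissions, so either reject edits to the caller's own role or log the acting user with the before and after permission ids. The body of admin_update_role_permissions continues outside the hunk.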
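Review bot: The new role check sends an already-authenticated non-admin to `/login`, where a valid session presumably returns them straight back, so the user sees a loop or a silent reload instead of a refusal; a 403 response, or a redirect to a page the role can reach, states the outcome plainly. The admin-or-system test added here appears to duplicate what `_admin_user` in admin.py enforces (its body is not in this patch), so one shared helper in web.auth.session, e.g. `require_admin(request, db)` that raises on failure, would keep the two gates from diverging the next time roles change. admin_logs continues outside the hunk.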