fix: grant admin role full access to logs, roles, delete, and role changes
Previously these actions were restricted to the system role only. Admin and system are now treated equally across: API logs view, user role editing, user deletion, and role/permissions management. Regular users remain blocked. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -125,7 +125,7 @@ async def admin_create_user(request: Request, db: Session = Depends(get_db)):
|
|||||||
errors.append("Email обязателен")
|
errors.append("Email обязателен")
|
||||||
if not password or len(password) < 8:
|
if not password or len(password) < 8:
|
||||||
errors.append("Пароль должен содержать минимум 8 символов")
|
errors.append("Пароль должен содержать минимум 8 символов")
|
||||||
if role_str not in ("user", "admin") and admin.role != UserRoleEnum.system:
|
if role_str not in ("user", "admin", "system"):
|
||||||
role_str = "user"
|
role_str = "user"
|
||||||
|
|
||||||
if not errors:
|
if not errors:
|
||||||
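Review bot: The new `if role_str not in ("user", "admin", "system"):` lets any caller who passes `_admin_user` create an account with role `system`, whereas the old condition reserved that for a system-role caller; the same widening appears in admin_edit_user, where `if data.get("role"):` now accepts `system` from an admin. If `system` is meant to stay above `admin`, keep the ceiling for non-system callers, e.g. `if role_str not in ("user", "admin", "system") or (role_str == "system" and admin.role != UserRoleEnum.system): role_str = "user"`, and add the matching check before `user.role = UserRoleEnum(data["role"])` in admin_edit_user. The commit message lists role editing, deletion, logs and permissions but not user creation, so this hunk may be wider than intended. admin_create_user begins before the hunk.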
@@ -300,7 +300,7 @@ async def admin_edit_user(user_id: int, request: Request, db: Session = Depends(
|
|||||||
user.email = data["email"]
|
user.email = data["email"]
|
||||||
if data.get("phone"):
|
if data.get("phone"):
|
||||||
user.phone = data["phone"]
|
user.phone = data["phone"]
|
||||||
if data.get("role") and admin.role == UserRoleEnum.system:
|
if data.get("role"):
|
||||||
try:
|
try:
|
||||||
user.role = UserRoleEnum(data["role"])
|
user.role = UserRoleEnum(data["role"])
|
||||||
except ValueError:
|
except ValueError:
|
||||||
@@ -315,8 +315,6 @@ async def admin_delete_user(user_id: int, request: Request, db: Session = Depend
|
|||||||
admin = _admin_user(request, db)
|
admin = _admin_user(request, db)
|
||||||
except Exception:
|
except Exception:
|
||||||
return RedirectResponse("/login", 303)
|
return RedirectResponse("/login", 303)
|
||||||
if admin.role != UserRoleEnum.system:
|
|
||||||
return RedirectResponse(f"/admin/users/{user_id}", 303)
|
|
||||||
user = db.get(User, user_id)
|
user = db.get(User, user_id)
|
||||||
if user:
|
if user:
|
||||||
db.delete(user)
|
db.delete(user)
|
||||||
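Review bot: With the system-only guard removed, nothing left in admin_delete_user examines the target: `db.get(User, user_id)` is deleted whoever it is, so an admin can remove a `system` account or the account behind their own session. Consider guarding the delete, e.g. `if user and user.id != admin.id and (admin.role == UserRoleEnum.system or user.role != UserRoleEnum.system):` in place of `if user:` (assuming `User` exposes its primary key as `id`). `admin` is still assigned but no longer read within the hunk; the body continues past the hunk, so it may be used later.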
@@ -332,8 +330,6 @@ async def admin_roles(request: Request, db: Session = Depends(get_db)):
|
|||||||
admin = _admin_user(request, db)
|
admin = _admin_user(request, db)
|
||||||
except Exception:
|
except Exception:
|
||||||
return RedirectResponse("/login", 303)
|
return RedirectResponse("/login", 303)
|
||||||
if admin.role != UserRoleEnum.system:
|
|
||||||
return RedirectResponse("/admin/users", 303)
|
|
||||||
roles = db.query(Role).order_by(Role.id).all()
|
roles = db.query(Role).order_by(Role.id).all()
|
||||||
permissions = db.query(Permission).order_by(Permission.name).all()
|
permissions = db.query(Permission).order_by(Permission.name).all()
|
||||||
role_perm_ids: dict[int, set[int]] = {}
|
role_perm_ids: dict[int, set[int]] = {}
|
||||||
@@ -356,9 +352,6 @@ async def admin_update_role_permissions(
|
|||||||
admin = _admin_user(request, db)
|
admin = _admin_user(request, db)
|
||||||
except Exception:
|
except Exception:
|
||||||
return RedirectResponse("/login", 303)
|
return RedirectResponse("/login", 303)
|
||||||
if admin.role != UserRoleEnum.system:
|
|
||||||
return RedirectResponse("/admin/roles", 303)
|
|
||||||
|
|
||||||
form = await request.form()
|
form = await request.form()
|
||||||
selected_ids = {int(v) for k, v in form.items() if k.startswith("perm_")}
|
selected_ids = {int(v) for k, v in form.items() if k.startswith("perm_")}
|
||||||
|
|
||||||
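Review bot: Removing the role check here means an admin can now edit the permission set of any role, including the `admin` role they hold and the `system` role, which turns the permission matrix into a self-escalation path; admin_roles in the previous hunk only reads, so it is less of a concern. If that is not intended, compare the target role against the caller's role before `form = await request.form()` and reject edits to roles at or above the caller's own for non-system callers. After this change `_admin_user` is the sole gate, which the hunk leaves implicit; a comment such as `# _admin_user raises for non-admin sessions; admin and system may both edit` above the form read would make that explicit. The function's signature and the rest of its body are outside the hunk.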
|
|||||||
@@ -8,6 +8,7 @@ from sqlalchemy.orm import Session
|
|||||||
from web.auth.session import get_current_user
|
from web.auth.session import get_current_user
|
||||||
from web.database import get_db
|
from web.database import get_db
|
||||||
from web.models.connections import ApiLog
|
from web.models.connections import ApiLog
|
||||||
|
from web.models.user import UserRoleEnum
|
||||||
from web.templates_env import templates
|
from web.templates_env import templates
|
||||||
|
|
||||||
router = APIRouter()
|
router = APIRouter()
|
||||||
@@ -34,6 +35,8 @@ async def admin_logs(
|
|||||||
user = get_current_user(request, db)
|
user = get_current_user(request, db)
|
||||||
except Exception:
|
except Exception:
|
||||||
return RedirectResponse("/login", 303)
|
return RedirectResponse("/login", 303)
|
||||||
|
if user.role not in (UserRoleEnum.admin, UserRoleEnum.system):
|
||||||
|
return RedirectResponse("/login", 303)
|
||||||
|
|
||||||
since = datetime.utcnow() - timedelta(hours=hours)
|
since = datetime.utcnow() - timedelta(hours=hours)
|
||||||
query = db.query(ApiLog).filter(ApiLog.created_at >= since)
|
query = db.query(ApiLog).filter(ApiLog.created_at >= since)
|
||||||
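Review bot: The added check sends an authenticated but non-admin user to `/login`, which the surrounding handlers reserve for the no-session case; a 403 response or a redirect to a non-admin page would report the right condition, and this handler also diverges from the admin routes that gate via `_admin_user`. The old side shows no role check at all between the `except` and `since = ...`, so as far as this hunk shows the logs were previously readable by any logged-in user rather than restricted to `system` as the commit message says; worth confirming and correcting the message. If `get_current_user` can return `None` instead of raising, `user.role` will fail here; `if user is None or user.role not in (UserRoleEnum.admin, UserRoleEnum.system):` covers both.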
|
|||||||