fix: grant admin role full access to logs, roles, delete, and role changes
Previously these actions were restricted to system role only. Admin and system are now treated equally across: API logs view, user role editing, user deletion, and role/permissions management. Regular users remain blocked. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
mguschin
@@ -125,7 +125,7 @@ async def admin_create_user(request: Request, db: Session = Depends(get_db)):
|
||||
errors.append("Email обязателен")
|
||||
if not password or len(password) < 8:
|
||||
errors.append("Пароль должен содержать минимум 8 символов")
|
||||
if role_str not in ("user", "admin") and admin.role != UserRoleEnum.system:
|
||||
if role_str not in ("user", "admin", "system"):
|
||||
role_str = "user"
|
||||
|
||||
if not errors:
|
||||
@@ -300,7 +300,7 @@ async def admin_edit_user(user_id: int, request: Request, db: Session = Depends(
|
||||
user.email = data["email"]
|
||||
if data.get("phone"):
|
||||
user.phone = data["phone"]
|
||||
if data.get("role") and admin.role == UserRoleEnum.system:
|
||||
if data.get("role"):
|
||||
try:
|
||||
user.role = UserRoleEnum(data["role"])
|
||||
except ValueError:
|
||||
@@ -315,8 +315,6 @@ async def admin_delete_user(user_id: int, request: Request, db: Session = Depend
|
||||
admin = _admin_user(request, db)
|
||||
except Exception:
|
||||
return RedirectResponse("/login", 303)
|
||||
if admin.role != UserRoleEnum.system:
|
||||
return RedirectResponse(f"/admin/users/{user_id}", 303)
|
||||
user = db.get(User, user_id)
|
||||
if user:
|
||||
db.delete(user)
|
||||
@@ -332,8 +330,6 @@ async def admin_roles(request: Request, db: Session = Depends(get_db)):
|
||||
admin = _admin_user(request, db)
|
||||
except Exception:
|
||||
return RedirectResponse("/login", 303)
|
||||
if admin.role != UserRoleEnum.system:
|
||||
return RedirectResponse("/admin/users", 303)
|
||||
roles = db.query(Role).order_by(Role.id).all()
|
||||
permissions = db.query(Permission).order_by(Permission.name).all()
|
||||
role_perm_ids: dict[int, set[int]] = {}
|
||||
@@ -356,9 +352,6 @@ async def admin_update_role_permissions(
|
||||
admin = _admin_user(request, db)
|
||||
except Exception:
|
||||
return RedirectResponse("/login", 303)
|
||||
if admin.role != UserRoleEnum.system:
|
||||
return RedirectResponse("/admin/roles", 303)
|
||||
|
||||
form = await request.form()
|
||||
selected_ids = {int(v) for k, v in form.items() if k.startswith("perm_")}
|
||||
|
||||
|
||||
@@ -8,6 +8,7 @@ from sqlalchemy.orm import Session
|
||||
from web.auth.session import get_current_user
|
||||
from web.database import get_db
|
||||
from web.models.connections import ApiLog
|
||||
from web.models.user import UserRoleEnum
|
||||
from web.templates_env import templates
|
||||
|
||||
router = APIRouter()
|
||||
@@ -34,6 +35,8 @@ async def admin_logs(
|
||||
user = get_current_user(request, db)
|
||||
except Exception:
|
||||
return RedirectResponse("/login", 303)
|
||||
if user.role not in (UserRoleEnum.admin, UserRoleEnum.system):
|
||||
return RedirectResponse("/login", 303)
|
||||
|
||||
since = datetime.utcnow() - timedelta(hours=hours)
|
||||
query = db.query(ApiLog).filter(ApiLog.created_at >= since)
|
||||
|
||||
Reference in New Issue
Block a user