creating first admin and update restrictions for ordinary users

2026-03-04 17:06:43 +03:00
parent 08e48aac29
commit ea06c16aac
16 changed files with 128 additions and 58 deletions
--- a/server/backend/auth/JWT.py
+++ b/server/backend/auth/JWT.py
@@ -6,8 +6,7 @@ from server.backend.schema.pydantic import settings

 def signJWT(user_info: dict) -> str:
    payload = {
-        "user_id": user_info.id,
-        "admin":user_info.admin,
+        "user_id":user_info.id,
        "expires": time.time() + settings.ACCESS_TOKEN_EXPIRE_SECONDS
    }
    token = pyjwt.encode(payload, settings.SECRET_KEY, algorithm=settings.ALGORITHM)
--- a/server/backend/database/db.py
+++ b/server/backend/database/db.py
@@ -38,15 +38,19 @@ class User(Base):

 async def create_user(user_info):
    async with AsyncSessionLocal() as session:
-        user_data = user_info.dict(exclude_unset=True)
-        new_user = User(**user_data)
-        session.add(new_user)
-        await session.commit()
-        await session.refresh(new_user)
+        result = await session.execute(select(User).where(User.code==user_info.code))
+        user = result.scalar_one_or_none()
+        if user == None:
+            user_data = user_info.dict(exclude_unset=True)
+            new_user = User(**user_data)
+            session.add(new_user)
+            await session.commit()
+            await session.refresh(new_user)
+        return user

 async def update_user(user_info):
    async with AsyncSessionLocal() as session:
-        result = await session.execute(select(User).where(User.code==user_info.code))
+        result = await session.execute(select(User).where(User.id==user_info.id))
        user = result.scalar_one_or_none()
        if user:
            update_data = user_info.dict(exclude_unset=True)
@@ -64,13 +68,29 @@ async def list_users():
        return users
    else:
        return None
-
+async def list_user(id):
+    async with AsyncSessionLocal() as session:
+        result = await session.execute(select(User).where(User.id == id))
+        user = result.scalar_one_or_none()
+    if user:
+        return user
+    else:
+        return None
+async def list_user_by_code(code):
+    async with AsyncSessionLocal() as session:
+        result = await session.execute(select(User).where(User.code == code))
+        user = result.scalar_one_or_none()
+    if user:
+        return user
+    else:
+        return None
 async def login_user(code):
    async with AsyncSessionLocal() as session:
        result = await session.execute(select(User).where(User.code == code.code))
        user = result.scalar_one_or_none()
        if user:
            user.last_login=datetime.now(timezone.utc)
+            user.activated=True
            await session.commit()
            return user
        else:
--- a/server/backend/endpoints/endpoints.py
+++ b/server/backend/endpoints/endpoints.py
@@ -18,9 +18,27 @@ async def check_roles(user=Depends(get_current_user)):
    return user

@api.post("/update", response_model=pydantic.UserUpdate)
-async def update_user(data: pydantic.UserUpdate,user=Depends(get_current_user)):
-    data = await db.update_user(data)
-    return data
+async def update_user(data: pydantic.UserUpdate, user=Depends(get_current_user)):
+    user_check = await db.list_user(user["user_id"])
+    if not user_check:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
+    if not user_check.admin:
+        if data.code != user_check.code:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="Ordinary users cannot change their code"
+            )
+    if user_check.admin:
+        if data.code != user_check.code:
+            existing_user = await db.list_user_by_code(data.code)
+            if existing_user and existing_user.id != user_check.id:
+                raise HTTPException(
+                    status_code=status.HTTP_409_CONFLICT,
+                    detail="Code already exists for another user"
+                )
+    updated_data = data.copy(update={"id": user_check.id})
+    updated_data = await db.update_user(updated_data)
+    return updated_data

@api.post("/create", response_model=pydantic.UserAccess)
 async def create_user(user_info: pydantic.UserCreate,user=Depends(check_roles)):
--- a/server/backend/schema/pydantic.py
+++ b/server/backend/schema/pydantic.py
@@ -23,9 +23,6 @@ class UserOut(BaseModel):
    name: NameStr = Field(..., description="Name of the guest")
    surname: NameStr = Field(..., description="Surname of the guest")

-class UserCreate(UserAccess):
-    pass
-
 class UserUpdate(UserAccess):
    name: NameStr = Field(..., description="Name of the guest")
    surname: NameStr = Field(..., description="Surname of the guest")
@@ -35,6 +32,8 @@ class UserUpdate(UserAccess):
    alco: bool = Field(False, description="if the guest will drink alco or not")
    types_of_alco: str = Field("", description="types of alco")

+class UserCreate(UserUpdate):
+    admin:bool = Field(False, description="Admin privilegies")
 class Settings(BaseSettings):
    DIR:str
    PORT:int