creating first admin and update restrictions for ordinary users

2026-03-04 17:06:43 +03:00
parent 08e48aac29
commit ea06c16aac
16 changed files with 128 additions and 58 deletions
--- a/server/backend/endpoints/endpoints.py
+++ b/server/backend/endpoints/endpoints.py
@@ -18,9 +18,27 @@ async def check_roles(user=Depends(get_current_user)):
    return user

@api.post("/update", response_model=pydantic.UserUpdate)
-async def update_user(data: pydantic.UserUpdate,user=Depends(get_current_user)):
-    data = await db.update_user(data)
-    return data
+async def update_user(data: pydantic.UserUpdate, user=Depends(get_current_user)):
+    user_check = await db.list_user(user["user_id"])
+    if not user_check:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
+    if not user_check.admin:
+        if data.code != user_check.code:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="Ordinary users cannot change their code"
+            )
+    if user_check.admin:
+        if data.code != user_check.code:
+            existing_user = await db.list_user_by_code(data.code)
+            if existing_user and existing_user.id != user_check.id:
+                raise HTTPException(
+                    status_code=status.HTTP_409_CONFLICT,
+                    detail="Code already exists for another user"
+                )
+    updated_data = data.copy(update={"id": user_check.id})
+    updated_data = await db.update_user(updated_data)
+    return updated_data

@api.post("/create", response_model=pydantic.UserAccess)
 async def create_user(user_info: pydantic.UserCreate,user=Depends(check_roles)):