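# User-management routes
"""Admin CRUD over users plus the self-service password change endpoint.

The two ``/api/users/<int:user_id>`` rules are reconstructed: the listing shows
``"/api/users/"`` and ``"/api/users//reset-password"`` with the URL placeholder
lost, while every view takes a ``user_id`` argument and compares it with the
session's integer ``user_id``. NOTE(review): confirm the converter name against
the deployed route map.
"""
import logging

from flask import request, jsonify, render_template, session

from app.routes import main_bp
from app.models import db, User
from app.routes.auth import login_required_json, admin_required

logger = logging.getLogger(__name__)

# Roles accepted by create/update; one definition so both routes agree.
VALID_ROLES = ("admin", "user")


def _json_body() -> dict:
    """Return the request's JSON object, or ``{}`` when the body is missing, invalid or not an object.

    Every handler below calls ``data.get(...)``; ``request.get_json()`` returns
    ``None`` for a non-JSON body, which previously surfaced as an unhandled 500.
    """
    data = request.get_json(silent=True)
    return data if isinstance(data, dict) else {}


def _str_field(data: dict, key: str) -> str:
    """Return ``data[key]`` if it is a string, else ``""``.

    Non-string JSON values (lists, numbers, null) would otherwise blow up on
    ``.strip()`` or reach the password setter; treating them as empty makes
    them fail the existing "missing field" checks instead.
    """
    value = data.get(key, "")
    return value if isinstance(value, str) else ""


@main_bp.route("/users")
@admin_required
def users_page():
    """Render the user-management page (admin only)."""
    return render_template("users.html", active_nav="users")


@main_bp.route("/api/users", methods=["GET"])
@admin_required
def api_users_list():
    """Return all users as JSON, newest first."""
    users = User.query.order_by(User.created_at.desc()).all()
    return jsonify([u.to_dict() for u in users])


@main_bp.route("/api/users", methods=["POST"])
@admin_required
def api_users_create():
    """Create a user from a JSON body of ``username``, ``password`` and optional ``role``.

    Returns 400 on a missing field, a duplicate username, an unknown role, or a
    ``ValueError`` from ``User.set_password`` (presumably the model's password
    policy — its message is shown to the admin, as before). Any other failure
    rolls back and returns a generic 500; the exception text is logged rather
    than echoed to the client.
    """
    data = _json_body()
    username = _str_field(data, "username").strip()
    password = _str_field(data, "password")
    # Default stays "user"; an explicit empty/odd value still fails validation below.
    role = data.get("role", "user")
    if not username or not password:
        return jsonify({"error": "请输入用户名和密码"}), 400
    # Pre-check only; the check-then-insert gap is closed by a unique
    # constraint on username if the model has one — TODO confirm.
    if User.query.filter_by(username=username).first():
        return jsonify({"error": "用户名已存在"}), 400
    if role not in VALID_ROLES:
        return jsonify({"error": "无效的角色"}), 400
    try:
        user = User(username=username, role=role)
        user.set_password(password)
        db.session.add(user)
        db.session.commit()
    except ValueError as e:
        db.session.rollback()
        return jsonify({"error": str(e)}), 400
    except Exception:
        db.session.rollback()
        logger.exception("user create failed for %r", username)
        return jsonify({"error": "创建失败"}), 500
    return jsonify(user.to_dict())


@main_bp.route("/api/users/<int:user_id>", methods=["PUT"])
@admin_required
def api_users_update(user_id):
    """Edit a user; only ``role`` is editable, and only by an admin.

    An unknown role now returns 400 instead of being silently ignored with a
    200, and the caller's own role cannot be changed — mirroring the delete
    route's self-check so an admin cannot lock themselves out.
    """
    user = User.query.get_or_404(user_id)
    data = _json_body()
    if "role" in data:
        new_role = data["role"]
        if new_role not in VALID_ROLES:
            return jsonify({"error": "无效的角色"}), 400
        if user_id == session.get("user_id") and new_role != user.role:
            return jsonify({"error": "不能修改自己的角色"}), 400
        user.role = new_role
    try:
        db.session.commit()
    except Exception:
        db.session.rollback()
        logger.exception("user update failed for id %s", user_id)
        return jsonify({"error": "更新失败"}), 500
    return jsonify(user.to_dict())


@main_bp.route("/api/users/<int:user_id>", methods=["DELETE"])
@admin_required
def api_users_delete(user_id):
    """Delete a user; the caller may not delete their own account."""
    if user_id == session.get("user_id"):
        return jsonify({"error": "不能删除自己"}), 400
    user = User.query.get_or_404(user_id)
    try:
        db.session.delete(user)
        db.session.commit()
    except Exception:
        db.session.rollback()
        logger.exception("user delete failed for id %s", user_id)
        return jsonify({"error": "删除失败"}), 500
    return jsonify({"message": "删除成功"})


@main_bp.route("/api/users/<int:user_id>/reset-password", methods=["POST"])
@admin_required
def api_users_reset_password(user_id):
    """Set a new password for any user; the admin does not need the old one."""
    user = User.query.get_or_404(user_id)
    new_password = _str_field(_json_body(), "new_password")
    if not new_password:
        return jsonify({"error": "请输入新密码"}), 400
    try:
        user.set_password(new_password)
        db.session.commit()
    except ValueError as e:
        db.session.rollback()
        return jsonify({"error": str(e)}), 400
    except Exception:
        db.session.rollback()
        logger.exception("password reset failed for id %s", user_id)
        return jsonify({"error": "重置失败"}), 500
    return jsonify({"message": "密码重置成功"})


@main_bp.route("/api/users/change-password", methods=["POST"])
@login_required_json
def api_users_change_password():
    """Change the logged-in user's password after verifying the current one.

    Requires ``old_password``, ``new_password`` and a matching
    ``confirm_password``. Returns 401 if the session points at a user that no
    longer exists (previously an AttributeError on ``None``).
    """
    current_id = session.get("user_id")
    user = User.query.get(current_id)
    if user is None:
        # Stale session for a deleted account: drop it rather than crash.
        session.clear()
        return jsonify({"error": "用户不存在"}), 401
    data = _json_body()
    old_password = _str_field(data, "old_password")
    new_password = _str_field(data, "new_password")
    confirm_password = _str_field(data, "confirm_password")
    if not old_password or not new_password:
        return jsonify({"error": "请填写完整"}), 400
    # Cheap check first: no need to run the password hash for a mismatched pair.
    if new_password != confirm_password:
        return jsonify({"error": "两次密码输入不一致"}), 400
    if not user.check_password(old_password):
        return jsonify({"error": "原密码错误"}), 400
    try:
        user.set_password(new_password)
        db.session.commit()
    except ValueError as e:
        db.session.rollback()
        return jsonify({"error": str(e)}), 400
    except Exception:
        db.session.rollback()
        logger.exception("password change failed for id %s", current_id)
        return jsonify({"error": "修改失败"}), 500
    return jsonify({"message": "密码修改成功"})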