1st

2025-08-27 18:03:54 +08:00
commit b9557250a4
31 changed files with 2353 additions and 0 deletions
--- a/routes/admin.py
+++ b/routes/admin.py
@@ -0,0 +1,76 @@
+from flask import Blueprint, render_template, request, redirect, url_for, flash
+from flask_login import login_required, current_user
+from werkzeug.security import generate_password_hash
+from models import User, db
+from utils import admin_required
+
+admin_bp = Blueprint('admin', __name__, url_prefix='/admin')
+
+@admin_bp.before_request
+@login_required
+@admin_required
+def before_request():
+    """在處理此藍圖中的任何請求之前，確保使用者是已登入的管理員。"""
+    pass
+
+@admin_bp.route('/users')
+def user_list():
+    users = User.query.all()
+    return render_template('user_management.html', users=users)
+
+@admin_bp.route('/users/create', methods=['POST'])
+def create_user():
+    username = request.form.get('username')
+    password = request.form.get('password')
+    role = request.form.get('role')
+
+    if not all([username, password, role]):
+        flash('所有欄位都是必填的！', 'danger')
+        return redirect(url_for('admin.user_list'))
+
+    if User.query.filter_by(username=username).first():
+        flash('該使用者名稱已存在！', 'danger')
+        return redirect(url_for('admin.user_list'))
+
+    new_user = User(
+        username=username,
+        password_hash=generate_password_hash(password),
+        role=role
+    )
+    db.session.add(new_user)
+    db.session.commit()
+    flash('新使用者已成功建立！', 'success')
+    return redirect(url_for('admin.user_list'))
+
+@admin_bp.route('/users/edit/<int:user_id>', methods=['POST'])
+def edit_user(user_id):
+    user = User.query.get_or_404(user_id)
+    new_role = request.form.get('role')
+    new_password = request.form.get('password')
+
+    if new_role:
+        # 防止 admin 修改自己的角色，導致失去管理權限
+        if user.id == current_user.id and user.role == 'admin' and new_role != 'admin':
+            flash('無法變更自己的管理員角色！', 'danger')
+            return redirect(url_for('admin.user_list'))
+        user.role = new_role
+    
+    if new_password:
+        user.password_hash = generate_password_hash(new_password)
+
+    db.session.commit()
+    flash(f"使用者 '{user.username}' 的資料已更新。", 'success')
+    return redirect(url_for('admin.user_list'))
+
+@admin_bp.route('/users/delete/<int:user_id>', methods=['POST'])
+def delete_user(user_id):
+    # 避免 admin 刪除自己
+    if user_id == current_user.id:
+        flash('無法刪除自己的帳號！', 'danger')
+        return redirect(url_for('admin.user_list'))
+        
+    user = User.query.get_or_404(user_id)
+    db.session.delete(user)
+    db.session.commit()
+    flash(f"使用者 '{user.username}' 已被刪除。", 'success')
+    return redirect(url_for('admin.user_list'))