77 lines
2.7 KiB
Python
77 lines
2.7 KiB
Python
from flask import Blueprint, render_template, request, redirect, url_for, flash
|
|
from flask_login import login_required, current_user
|
|
from werkzeug.security import generate_password_hash
|
|
from models import User, db
|
|
from utils import admin_required
|
|
|
|
admin_bp = Blueprint('admin', __name__, url_prefix='/admin')
|
|
|
|
@admin_bp.before_request
|
|
@login_required
|
|
@admin_required
|
|
def before_request():
|
|
"""在處理此藍圖中的任何請求之前,確保使用者是已登入的管理員。"""
|
|
pass
|
|
|
|
@admin_bp.route('/users')
|
|
def user_list():
|
|
users = User.query.all()
|
|
return render_template('user_management.html', users=users)
|
|
|
|
@admin_bp.route('/users/create', methods=['POST'])
|
|
def create_user():
|
|
username = request.form.get('username')
|
|
password = request.form.get('password')
|
|
role = request.form.get('role')
|
|
|
|
if not all([username, password, role]):
|
|
flash('所有欄位都是必填的!', 'danger')
|
|
return redirect(url_for('admin.user_list'))
|
|
|
|
if User.query.filter_by(username=username).first():
|
|
flash('該使用者名稱已存在!', 'danger')
|
|
return redirect(url_for('admin.user_list'))
|
|
|
|
new_user = User(
|
|
username=username,
|
|
password_hash=generate_password_hash(password),
|
|
role=role
|
|
)
|
|
db.session.add(new_user)
|
|
db.session.commit()
|
|
flash('新使用者已成功建立!', 'success')
|
|
return redirect(url_for('admin.user_list'))
|
|
|
|
@admin_bp.route('/users/edit/<int:user_id>', methods=['POST'])
|
|
def edit_user(user_id):
|
|
user = User.query.get_or_404(user_id)
|
|
new_role = request.form.get('role')
|
|
new_password = request.form.get('password')
|
|
|
|
if new_role:
|
|
# 防止 admin 修改自己的角色,導致失去管理權限
|
|
if user.id == current_user.id and user.role == 'admin' and new_role != 'admin':
|
|
flash('無法變更自己的管理員角色!', 'danger')
|
|
return redirect(url_for('admin.user_list'))
|
|
user.role = new_role
|
|
|
|
if new_password:
|
|
user.password_hash = generate_password_hash(new_password)
|
|
|
|
db.session.commit()
|
|
flash(f"使用者 '{user.username}' 的資料已更新。", 'success')
|
|
return redirect(url_for('admin.user_list'))
|
|
|
|
@admin_bp.route('/users/delete/<int:user_id>', methods=['POST'])
|
|
def delete_user(user_id):
|
|
# 避免 admin 刪除自己
|
|
if user_id == current_user.id:
|
|
flash('無法刪除自己的帳號!', 'danger')
|
|
return redirect(url_for('admin.user_list'))
|
|
|
|
user = User.query.get_or_404(user_id)
|
|
db.session.delete(user)
|
|
db.session.commit()
|
|
flash(f"使用者 '{user.username}' 已被刪除。", 'success')
|
|
return redirect(url_for('admin.user_list'))
|