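"""Admin-only user management views.

Every route in this blueprint is mounted under ``/admin`` and wrapped in
``login_required`` plus the project's ``admin_required`` decorator, so a
request that reaches a view body is already authenticated as an
administrator. All state-changing routes accept POST only and follow the
post/redirect/get pattern back to ``admin.user_list``.

NOTE(review): nothing in this module validates a CSRF token; these POST
handlers rely on application-wide CSRF protection (e.g. Flask-WTF
CSRFProtect) being enabled — confirm against the app factory.
"""
from flask import Blueprint, render_template, request, redirect, url_for, flash
from flask_login import login_required, current_user

from models import User, db
from utils import admin_required

admin_bp = Blueprint('admin', __name__, url_prefix='/admin')

# Closed allow-list of roles a form may assign. The role value comes from the
# client, so it is checked against this set before it is ever stored.
ALLOWED_ROLES = {'viewer', 'editor', 'admin'}

# Minimum accepted password length, shared by create_user and update_user so
# the two checks (and their messages) cannot drift apart.
MIN_PASSWORD_LENGTH = 6


def _redirect_to_user_list():
    """Return the redirect every admin action ends with."""
    return redirect(url_for('admin.user_list'))


def _flash_errors(errors):
    """Flash each validation message in *errors* under the 'danger' category."""
    for message in errors:
        flash(message, 'danger')


def _is_last_admin(user):
    """Return True when *user* is an admin and no other admin account exists.

    Used to refuse demoting or deleting the final administrator, which would
    otherwise lock every account out of this blueprint.

    NOTE(review): the count and the later write are separate statements, so
    two concurrent requests could both pass this check; acceptable for an
    admin-only form, but a DB-level guard would be needed if that matters.
    """
    if user.role != 'admin':
        return False
    return User.query.filter_by(role='admin').count() <= 1


@admin_bp.route('/users')
@login_required
@admin_required
def user_list():
    """Render the user management page with every account sorted by username."""
    users = User.query.order_by(User.username).all()
    return render_template('user_management.html', users=users)


@admin_bp.route('/users/create', methods=['POST'])
@login_required
@admin_required
def create_user():
    """Create a new account from the submitted form.

    Form fields: ``username``, ``name``, ``password`` and ``role`` (defaults to
    ``viewer``). Every failed check is flashed and the request is redirected
    back to the list; nothing is written unless all checks pass. The password
    is never stored as given — ``User.set_password`` is responsible for
    hashing it.
    """
    username = request.form.get('username', '').strip()
    name = request.form.get('name', '').strip()
    # Deliberately not stripped: whitespace is part of the password.
    password = request.form.get('password', '')
    role = request.form.get('role', 'viewer')

    errors = []
    if not username:
        errors.append('請輸入帳號')
    if not name:
        errors.append('請輸入姓名')
    if not password:
        errors.append('請輸入密碼')
    if password and len(password) < MIN_PASSWORD_LENGTH:
        errors.append(f'密碼長度至少需 {MIN_PASSWORD_LENGTH} 碼')
    # Reject anything outside the allow-list so a crafted form cannot assign
    # an arbitrary role string.
    if role not in ALLOWED_ROLES:
        errors.append('角色設定不正確')
    if username and User.query.filter_by(username=username).first():
        errors.append('帳號已存在,請改用其他帳號')

    if errors:
        _flash_errors(errors)
        return _redirect_to_user_list()

    new_user = User(username=username, name=name, role=role)
    new_user.set_password(password)
    db.session.add(new_user)
    db.session.commit()
    flash(f"已建立帳號 {username}", 'success')
    return _redirect_to_user_list()


@admin_bp.route('/users/update/<int:user_id>', methods=['POST'])
@login_required
@admin_required
def update_user(user_id):
    """Update the display name, role and optionally the password of one account.

    ``user_id`` is bound by the ``int`` URL converter, so a non-numeric id is
    rejected with 404 before this body runs. An empty ``password`` field means
    "leave the current password unchanged". Two guards protect the admin role:
    the caller cannot demote their own account, and the last remaining admin
    cannot be demoted by anyone.
    """
    user = User.query.get_or_404(user_id)
    name = request.form.get('name', '').strip()
    role = request.form.get('role', 'viewer')
    # Not stripped, for consistency with create_user: whitespace is part of
    # the password, and only a truly empty field means "keep the current one".
    password = request.form.get('password', '')

    if not name:
        flash('請輸入姓名', 'danger')
        return _redirect_to_user_list()
    if role not in ALLOWED_ROLES:
        flash('角色設定不正確', 'danger')
        return _redirect_to_user_list()
    if password and len(password) < MIN_PASSWORD_LENGTH:
        flash(f'密碼長度至少需 {MIN_PASSWORD_LENGTH} 碼', 'danger')
        return _redirect_to_user_list()

    # Both admin guards only matter when the request would remove the admin
    # role from an account that currently holds it.
    demoting_admin = user.role == 'admin' and role != 'admin'
    if demoting_admin and user.id == current_user.id:
        flash('無法變更自己的管理員權限', 'danger')
        return _redirect_to_user_list()
    if demoting_admin and _is_last_admin(user):
        flash('系統至少需要一位管理員,無法變更該帳號的管理員權限', 'danger')
        return _redirect_to_user_list()

    user.name = name
    user.role = role
    if password:
        user.set_password(password)
    db.session.commit()
    flash(f"已更新帳號 {user.username}", 'success')
    return _redirect_to_user_list()


@admin_bp.route('/users/delete/<int:user_id>', methods=['POST'])
@login_required
@admin_required
def delete_user(user_id):
    """Delete one account.

    Refuses to delete the caller's own account and to delete the last
    remaining admin; both cases are flashed and redirected. ``user_id`` is
    bound by the ``int`` URL converter, so a non-numeric id never reaches
    this body.
    """
    # Checked before the lookup so the caller's own id is never deleted.
    if user_id == current_user.id:
        flash('無法刪除自己的帳號', 'danger')
        return _redirect_to_user_list()

    user = User.query.get_or_404(user_id)
    if _is_last_admin(user):
        flash('系統至少需要一位管理員,無法刪除該帳號', 'danger')
        return _redirect_to_user_list()

    db.session.delete(user)
    db.session.commit()
    flash(f"已刪除帳號 {user.username}", 'success')
    return _redirect_to_user_list()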