1ST

2025-08-29 16:25:46 +08:00
commit b0c86302ff
65 changed files with 19786 additions and 0 deletions
--- a/backend/routes/todos.py
+++ b/backend/routes/todos.py
@@ -0,0 +1,709 @@
+from flask import Blueprint, request, jsonify
+from flask_jwt_extended import jwt_required, get_jwt_identity, get_jwt
+from datetime import datetime, date, timedelta
+from sqlalchemy import or_, and_
+from sqlalchemy.orm import selectinload, joinedload
+from models import (
+    db, TodoItem, TodoItemResponsible, TodoItemFollower,
+    TodoAuditLog, TodoUserPref
+)
+from utils.logger import get_logger
+from utils.ldap_utils import validate_ad_accounts
+import uuid
+
+todos_bp = Blueprint('todos', __name__)
+logger = get_logger(__name__)
+
+@todos_bp.route('', methods=['GET'])
+@jwt_required()
+def get_todos():
+    """Get todos with filtering and pagination"""
+    try:
+        identity = get_jwt_identity()
+        page = request.args.get('page', 1, type=int)
+        per_page = request.args.get('per_page', 20, type=int)
+        
+        # Filters
+        status = request.args.get('status')
+        priority = request.args.get('priority')
+        starred = request.args.get('starred', type=bool)
+        due_from = request.args.get('due_from')
+        due_to = request.args.get('due_to')
+        search = request.args.get('search')
+        view_type = request.args.get('view', 'all')  # all, created, responsible, following
+        
+        # Base query with eager loading to prevent N+1 queries
+        query = TodoItem.query.options(
+            joinedload(TodoItem.responsible_users),
+            joinedload(TodoItem.followers)
+        )
+        
+        # Apply view type filter
+        if view_type == 'created':
+            query = query.filter(TodoItem.creator_ad == identity)
+        elif view_type == 'responsible':
+            query = query.join(TodoItemResponsible).filter(
+                TodoItemResponsible.ad_account == identity
+            )
+        elif view_type == 'following':
+            query = query.join(TodoItemFollower).filter(
+                TodoItemFollower.ad_account == identity
+            )
+        else:  # all
+            query = query.filter(
+                or_(
+                    TodoItem.creator_ad == identity,
+                    TodoItem.responsible_users.any(TodoItemResponsible.ad_account == identity),
+                    TodoItem.followers.any(TodoItemFollower.ad_account == identity)
+                )
+            )
+        
+        # Apply filters
+        if status:
+            query = query.filter(TodoItem.status == status)
+        if priority:
+            query = query.filter(TodoItem.priority == priority)
+        if starred is not None:
+            query = query.filter(TodoItem.starred == starred)
+        if due_from:
+            query = query.filter(TodoItem.due_date >= datetime.strptime(due_from, '%Y-%m-%d').date())
+        if due_to:
+            query = query.filter(TodoItem.due_date <= datetime.strptime(due_to, '%Y-%m-%d').date())
+        if search:
+            query = query.filter(
+                or_(
+                    TodoItem.title.contains(search),
+                    TodoItem.description.contains(search)
+                )
+            )
+        
+        # Order by due date and priority (MySQL compatible)
+        query = query.order_by(
+            TodoItem.due_date.asc(),
+            TodoItem.priority.desc(),
+            TodoItem.created_at.desc()
+        )
+        
+        # Paginate
+        pagination = query.paginate(page=page, per_page=per_page, error_out=False)
+        
+        todos = [todo.to_dict() for todo in pagination.items]
+        
+        return jsonify({
+            'todos': todos,
+            'total': pagination.total,
+            'page': page,
+            'per_page': per_page,
+            'pages': pagination.pages
+        }), 200
+        
+    except Exception as e:
+        logger.error(f"Error fetching todos: {str(e)}")
+        return jsonify({'error': 'Failed to fetch todos'}), 500
+
+@todos_bp.route('/<todo_id>', methods=['GET'])
+@jwt_required()
+def get_todo(todo_id):
+    """Get single todo details"""
+    try:
+        identity = get_jwt_identity()
+        
+        todo = TodoItem.query.options(
+            joinedload(TodoItem.responsible_users),
+            joinedload(TodoItem.followers)
+        ).filter_by(id=todo_id).first()
+        if not todo:
+            return jsonify({'error': 'Todo not found'}), 404
+        
+        # Check permission
+        if not todo.can_view(identity):
+            return jsonify({'error': 'Access denied'}), 403
+        
+        return jsonify(todo.to_dict()), 200
+        
+    except Exception as e:
+        logger.error(f"Error fetching todo {todo_id}: {str(e)}")
+        return jsonify({'error': 'Failed to fetch todo'}), 500
+
+@todos_bp.route('', methods=['POST'])
+@jwt_required()
+def create_todo():
+    """Create new todo"""
+    try:
+        identity = get_jwt_identity()
+        claims = get_jwt()
+        data = request.get_json()
+        
+        # Validate required fields
+        if not data.get('title'):
+            return jsonify({'error': 'Title is required'}), 400
+        
+        # Parse due date if provided
+        due_date = None
+        if data.get('due_date'):
+            try:
+                due_date = datetime.strptime(data['due_date'], '%Y-%m-%d').date()
+            except ValueError:
+                return jsonify({'error': 'Invalid due date format. Use YYYY-MM-DD'}), 400
+        
+        # Create todo
+        todo = TodoItem(
+            id=str(uuid.uuid4()),
+            title=data['title'],
+            description=data.get('description', ''),
+            status=data.get('status', 'NEW'),
+            priority=data.get('priority', 'MEDIUM'),
+            due_date=due_date,
+            creator_ad=identity,
+            creator_display_name=claims.get('display_name', identity),
+            creator_email=claims.get('email', ''),
+            starred=data.get('starred', False)
+        )
+        db.session.add(todo)
+        
+        # Add responsible users
+        responsible_accounts = data.get('responsible_users', [])
+        if responsible_accounts:
+            valid_accounts = validate_ad_accounts(responsible_accounts)
+            for account in responsible_accounts:
+                if account in valid_accounts:
+                    responsible = TodoItemResponsible(
+                        todo_id=todo.id,
+                        ad_account=account,
+                        added_by=identity
+                    )
+                    db.session.add(responsible)
+        
+        # Add followers
+        follower_accounts = data.get('followers', [])
+        if follower_accounts:
+            valid_accounts = validate_ad_accounts(follower_accounts)
+            for account in follower_accounts:
+                if account in valid_accounts:
+                    follower = TodoItemFollower(
+                        todo_id=todo.id,
+                        ad_account=account,
+                        added_by=identity
+                    )
+                    db.session.add(follower)
+        
+        # Add audit log
+        audit = TodoAuditLog(
+            actor_ad=identity,
+            todo_id=todo.id,
+            action='CREATE',
+            detail={'title': todo.title, 'due_date': str(due_date) if due_date else None}
+        )
+        db.session.add(audit)
+        
+        db.session.commit()
+        
+        logger.info(f"Todo created: {todo.id} by {identity}")
+        return jsonify(todo.to_dict()), 201
+        
+    except Exception as e:
+        db.session.rollback()
+        logger.error(f"Error creating todo: {str(e)}")
+        return jsonify({'error': 'Failed to create todo'}), 500
+
+@todos_bp.route('/<todo_id>', methods=['PATCH'])
+@jwt_required()
+def update_todo(todo_id):
+    """Update todo"""
+    try:
+        identity = get_jwt_identity()
+        data = request.get_json()
+        
+        todo = TodoItem.query.filter_by(id=todo_id).first()
+        if not todo:
+            return jsonify({'error': 'Todo not found'}), 404
+        
+        # Check permission
+        if not todo.can_edit(identity):
+            return jsonify({'error': 'Access denied'}), 403
+        
+        # Track changes for audit
+        changes = {}
+        
+        # Update fields
+        if 'title' in data:
+            changes['title'] = {'old': todo.title, 'new': data['title']}
+            todo.title = data['title']
+        
+        if 'description' in data:
+            changes['description'] = {'old': todo.description, 'new': data['description']}
+            todo.description = data['description']
+        
+        if 'status' in data:
+            changes['status'] = {'old': todo.status, 'new': data['status']}
+            todo.status = data['status']
+            
+            # Set completed_at if status is DONE
+            if data['status'] == 'DONE' and not todo.completed_at:
+                todo.completed_at = datetime.utcnow()
+            elif data['status'] != 'DONE':
+                todo.completed_at = None
+        
+        if 'priority' in data:
+            changes['priority'] = {'old': todo.priority, 'new': data['priority']}
+            todo.priority = data['priority']
+        
+        if 'due_date' in data:
+            old_due = str(todo.due_date) if todo.due_date else None
+            if data['due_date']:
+                todo.due_date = datetime.strptime(data['due_date'], '%Y-%m-%d').date()
+                new_due = data['due_date']
+            else:
+                todo.due_date = None
+                new_due = None
+            changes['due_date'] = {'old': old_due, 'new': new_due}
+        
+        if 'starred' in data:
+            changes['starred'] = {'old': todo.starred, 'new': data['starred']}
+            todo.starred = data['starred']
+        
+        # Update responsible users
+        if 'responsible_users' in data:
+            # Remove existing
+            TodoItemResponsible.query.filter_by(todo_id=todo_id).delete()
+            
+            # Add new
+            responsible_accounts = data['responsible_users']
+            if responsible_accounts:
+                valid_accounts = validate_ad_accounts(responsible_accounts)
+                for account in responsible_accounts:
+                    if account in valid_accounts:
+                        responsible = TodoItemResponsible(
+                            todo_id=todo.id,
+                            ad_account=account,
+                            added_by=identity
+                        )
+                        db.session.add(responsible)
+            
+            changes['responsible_users'] = data['responsible_users']
+        
+        # Update followers
+        if 'followers' in data:
+            # Remove existing
+            TodoItemFollower.query.filter_by(todo_id=todo_id).delete()
+            
+            # Add new
+            follower_accounts = data['followers']
+            if follower_accounts:
+                valid_accounts = validate_ad_accounts(follower_accounts)
+                for account in follower_accounts:
+                    if account in valid_accounts:
+                        follower = TodoItemFollower(
+                            todo_id=todo.id,
+                            ad_account=account,
+                            added_by=identity
+                        )
+                        db.session.add(follower)
+            
+            changes['followers'] = data['followers']
+        
+        # Add audit log
+        if changes:
+            audit = TodoAuditLog(
+                actor_ad=identity,
+                todo_id=todo.id,
+                action='UPDATE',
+                detail=changes
+            )
+            db.session.add(audit)
+        
+        db.session.commit()
+        
+        logger.info(f"Todo updated: {todo_id} by {identity}")
+        return jsonify(todo.to_dict()), 200
+        
+    except Exception as e:
+        db.session.rollback()
+        logger.error(f"Error updating todo {todo_id}: {str(e)}")
+        return jsonify({'error': 'Failed to update todo'}), 500
+
+@todos_bp.route('/<todo_id>', methods=['DELETE'])
+@jwt_required()
+def delete_todo(todo_id):
+    """Delete todo"""
+    try:
+        identity = get_jwt_identity()
+        
+        todo = TodoItem.query.filter_by(id=todo_id).first()
+        if not todo:
+            return jsonify({'error': 'Todo not found'}), 404
+        
+        # Only creator can delete
+        if todo.creator_ad != identity:
+            return jsonify({'error': 'Only creator can delete todo'}), 403
+        
+        # Add audit log before deletion
+        audit = TodoAuditLog(
+            actor_ad=identity,
+            todo_id=None,  # Will be null after deletion
+            action='DELETE',
+            detail={'title': todo.title, 'deleted_todo_id': todo_id}
+        )
+        db.session.add(audit)
+        
+        # Delete todo (cascades will handle related records)
+        db.session.delete(todo)
+        db.session.commit()
+        
+        logger.info(f"Todo deleted: {todo_id} by {identity}")
+        return jsonify({'message': 'Todo deleted successfully'}), 200
+        
+    except Exception as e:
+        db.session.rollback()
+        logger.error(f"Error deleting todo {todo_id}: {str(e)}")
+        return jsonify({'error': 'Failed to delete todo'}), 500
+
+@todos_bp.route('/batch', methods=['PATCH'])
+@jwt_required()
+def batch_update_todos():
+    """Batch update multiple todos"""
+    try:
+        identity = get_jwt_identity()
+        data = request.get_json()
+        
+        todo_ids = data.get('todo_ids', [])
+        updates = data.get('updates', {})
+        
+        if not todo_ids or not updates:
+            return jsonify({'error': 'Todo IDs and updates required'}), 400
+        
+        updated_count = 0
+        errors = []
+        
+        for todo_id in todo_ids:
+            try:
+                todo = TodoItem.query.filter_by(id=todo_id).first()
+                if not todo:
+                    errors.append({'todo_id': todo_id, 'error': 'Not found'})
+                    continue
+                
+                if not todo.can_edit(identity):
+                    errors.append({'todo_id': todo_id, 'error': 'Access denied'})
+                    continue
+                
+                # Apply updates
+                if 'status' in updates:
+                    todo.status = updates['status']
+                    if updates['status'] == 'DONE':
+                        todo.completed_at = datetime.utcnow()
+                    else:
+                        todo.completed_at = None
+                
+                if 'priority' in updates:
+                    todo.priority = updates['priority']
+                
+                if 'due_date' in updates:
+                    if updates['due_date']:
+                        todo.due_date = datetime.strptime(updates['due_date'], '%Y-%m-%d').date()
+                    else:
+                        todo.due_date = None
+                
+                # Add audit log
+                audit = TodoAuditLog(
+                    actor_ad=identity,
+                    todo_id=todo.id,
+                    action='UPDATE',
+                    detail={'batch_update': updates}
+                )
+                db.session.add(audit)
+                
+                updated_count += 1
+                
+            except Exception as e:
+                errors.append({'todo_id': todo_id, 'error': str(e)})
+        
+        db.session.commit()
+        
+        logger.info(f"Batch update: {updated_count} todos updated by {identity}")
+        
+        return jsonify({
+            'updated': updated_count,
+            'errors': errors
+        }), 200
+        
+    except Exception as e:
+        db.session.rollback()
+        logger.error(f"Error in batch update: {str(e)}")
+        return jsonify({'error': 'Batch update failed'}), 500
+
+@todos_bp.route('/<todo_id>/responsible', methods=['POST'])
+@jwt_required()
+def add_responsible_user(todo_id):
+    """Add responsible user to todo"""
+    try:
+        identity = get_jwt_identity()
+        data = request.get_json()
+        
+        if not data or 'ad_account' not in data:
+            return jsonify({'error': 'AD account is required'}), 400
+        
+        ad_account = data['ad_account']
+        
+        # Get todo
+        todo = TodoItem.query.filter_by(id=todo_id).first()
+        if not todo:
+            return jsonify({'error': 'Todo not found'}), 404
+        
+        # Check permission
+        if not todo.can_edit(identity):
+            return jsonify({'error': 'No permission to edit this todo'}), 403
+        
+        # Validate AD account
+        valid_accounts = validate_ad_accounts([ad_account])
+        if ad_account not in valid_accounts:
+            return jsonify({'error': 'Invalid AD account'}), 400
+        
+        # Check if already responsible
+        existing = TodoItemResponsible.query.filter_by(
+            todo_id=todo_id, ad_account=ad_account
+        ).first()
+        
+        if existing:
+            return jsonify({'error': 'User is already responsible for this todo'}), 400
+        
+        # Add responsible user
+        responsible = TodoItemResponsible(
+            todo_id=todo_id,
+            ad_account=ad_account,
+            added_by=identity
+        )
+        db.session.add(responsible)
+        
+        # Log audit
+        audit = TodoAuditLog(
+            actor_ad=identity,
+            todo_id=todo_id,
+            action='UPDATE',
+            detail={
+                'field': 'responsible_users',
+                'action': 'add',
+                'ad_account': ad_account
+            }
+        )
+        db.session.add(audit)
+        db.session.commit()
+        
+        logger.info(f"Added responsible user {ad_account} to todo {todo_id} by {identity}")
+        return jsonify({'message': 'Responsible user added successfully'}), 201
+        
+    except Exception as e:
+        db.session.rollback()
+        logger.error(f"Add responsible user error: {str(e)}")
+        return jsonify({'error': 'Failed to add responsible user'}), 500
+
+@todos_bp.route('/<todo_id>/responsible/<ad_account>', methods=['DELETE'])
+@jwt_required()
+def remove_responsible_user(todo_id, ad_account):
+    """Remove responsible user from todo"""
+    try:
+        identity = get_jwt_identity()
+        
+        # Get todo
+        todo = TodoItem.query.filter_by(id=todo_id).first()
+        if not todo:
+            return jsonify({'error': 'Todo not found'}), 404
+        
+        # Check permission
+        if not todo.can_edit(identity):
+            return jsonify({'error': 'No permission to edit this todo'}), 403
+        
+        # Find responsible relationship
+        responsible = TodoItemResponsible.query.filter_by(
+            todo_id=todo_id, ad_account=ad_account
+        ).first()
+        
+        if not responsible:
+            return jsonify({'error': 'User is not responsible for this todo'}), 404
+        
+        # Remove responsible user
+        db.session.delete(responsible)
+        
+        # Log audit
+        audit = TodoAuditLog(
+            actor_ad=identity,
+            todo_id=todo_id,
+            action='UPDATE',
+            detail={
+                'field': 'responsible_users',
+                'action': 'remove',
+                'ad_account': ad_account
+            }
+        )
+        db.session.add(audit)
+        db.session.commit()
+        
+        logger.info(f"Removed responsible user {ad_account} from todo {todo_id} by {identity}")
+        return jsonify({'message': 'Responsible user removed successfully'}), 200
+        
+    except Exception as e:
+        db.session.rollback()
+        logger.error(f"Remove responsible user error: {str(e)}")
+        return jsonify({'error': 'Failed to remove responsible user'}), 500
+
+@todos_bp.route('/<todo_id>/followers', methods=['POST'])
+@jwt_required()
+def add_follower(todo_id):
+    """Add follower to todo"""
+    try:
+        identity = get_jwt_identity()
+        data = request.get_json()
+        
+        if not data or 'ad_account' not in data:
+            return jsonify({'error': 'AD account is required'}), 400
+        
+        ad_account = data['ad_account']
+        
+        # Get todo
+        todo = TodoItem.query.filter_by(id=todo_id).first()
+        if not todo:
+            return jsonify({'error': 'Todo not found'}), 404
+        
+        # Check permission (anyone who can view the todo can add followers)
+        if not todo.can_view(identity):
+            return jsonify({'error': 'No permission to view this todo'}), 403
+        
+        # Validate AD account
+        valid_accounts = validate_ad_accounts([ad_account])
+        if ad_account not in valid_accounts:
+            return jsonify({'error': 'Invalid AD account'}), 400
+        
+        # Check if already following
+        existing = TodoItemFollower.query.filter_by(
+            todo_id=todo_id, ad_account=ad_account
+        ).first()
+        
+        if existing:
+            return jsonify({'error': 'User is already following this todo'}), 400
+        
+        # Add follower
+        follower = TodoItemFollower(
+            todo_id=todo_id,
+            ad_account=ad_account,
+            added_by=identity
+        )
+        db.session.add(follower)
+        
+        # Log audit
+        audit = TodoAuditLog(
+            actor_ad=identity,
+            todo_id=todo_id,
+            action='UPDATE',
+            detail={
+                'field': 'followers',
+                'action': 'add',
+                'ad_account': ad_account
+            }
+        )
+        db.session.add(audit)
+        db.session.commit()
+        
+        logger.info(f"Added follower {ad_account} to todo {todo_id} by {identity}")
+        return jsonify({'message': 'Follower added successfully'}), 201
+        
+    except Exception as e:
+        db.session.rollback()
+        logger.error(f"Add follower error: {str(e)}")
+        return jsonify({'error': 'Failed to add follower'}), 500
+
+@todos_bp.route('/<todo_id>/followers/<ad_account>', methods=['DELETE'])
+@jwt_required()
+def remove_follower(todo_id, ad_account):
+    """Remove follower from todo"""
+    try:
+        identity = get_jwt_identity()
+        
+        # Get todo
+        todo = TodoItem.query.filter_by(id=todo_id).first()
+        if not todo:
+            return jsonify({'error': 'Todo not found'}), 404
+        
+        # Check permission (user can remove themselves or todo editors can remove anyone)
+        if ad_account != identity and not todo.can_edit(identity):
+            return jsonify({'error': 'No permission to remove this follower'}), 403
+        
+        # Find follower relationship
+        follower = TodoItemFollower.query.filter_by(
+            todo_id=todo_id, ad_account=ad_account
+        ).first()
+        
+        if not follower:
+            return jsonify({'error': 'User is not following this todo'}), 404
+        
+        # Remove follower
+        db.session.delete(follower)
+        
+        # Log audit
+        audit = TodoAuditLog(
+            actor_ad=identity,
+            todo_id=todo_id,
+            action='UPDATE',
+            detail={
+                'field': 'followers',
+                'action': 'remove',
+                'ad_account': ad_account
+            }
+        )
+        db.session.add(audit)
+        db.session.commit()
+        
+        logger.info(f"Removed follower {ad_account} from todo {todo_id} by {identity}")
+        return jsonify({'message': 'Follower removed successfully'}), 200
+        
+    except Exception as e:
+        db.session.rollback()
+        logger.error(f"Remove follower error: {str(e)}")
+        return jsonify({'error': 'Failed to remove follower'}), 500
+
+@todos_bp.route('/<todo_id>/star', methods=['POST'])
+@jwt_required()
+def star_todo(todo_id):
+    """Star/unstar a todo item"""
+    try:
+        identity = get_jwt_identity()
+        
+        # Get todo
+        todo = TodoItem.query.filter_by(id=todo_id).first()
+        if not todo:
+            return jsonify({'error': 'Todo not found'}), 404
+        
+        # Check permission
+        if not todo.can_view(identity):
+            return jsonify({'error': 'No permission to view this todo'}), 403
+        
+        # Only creator can star/unstar
+        if todo.creator_ad != identity:
+            return jsonify({'error': 'Only creator can star/unstar todos'}), 403
+        
+        # Toggle star status
+        todo.starred = not todo.starred
+        
+        # Log audit
+        audit = TodoAuditLog(
+            actor_ad=identity,
+            todo_id=todo_id,
+            action='UPDATE',
+            detail={
+                'field': 'starred',
+                'value': todo.starred
+            }
+        )
+        db.session.add(audit)
+        db.session.commit()
+        
+        action = 'starred' if todo.starred else 'unstarred'
+        logger.info(f"Todo {todo_id} {action} by {identity}")
+        
+        return jsonify({
+            'message': f'Todo {action} successfully',
+            'starred': todo.starred
+        }), 200
+        
+    except Exception as e:
+        db.session.rollback()
+        logger.error(f"Star todo error: {str(e)}")
+        return jsonify({'error': 'Failed to star todo'}), 500