This commit is contained in:
2025-07-17 16:17:52 +03:00
parent e37cbf9fee
commit 67dfb671c4
4 changed files with 119 additions and 20 deletions


@@ -78,9 +78,9 @@ def create_user():
flash('Invalid role specified.', 'danger')
return redirect(url_for('admin.index'))
# Prevent creating sadmin users - sadmin only exists from deployment
if role == 'sadmin':
flash('Super admin users cannot be created through the interface.', 'danger')
# Prevent regular admins from creating sadmin users - only sadmin can create sadmin
if role == 'sadmin' and not current_user.is_super_admin:
flash('Only super admin users can create other super admin users.', 'danger')
return redirect(url_for('admin.index'))
# Check if user already exists
@@ -106,7 +106,7 @@ def create_user():
@bp.route('/delete_user', methods=['POST'])
@login_required
@super_admin_required
@admin_required
def delete_user():
"""Delete a user using POST form data"""
user_id = request.form.get('user_id')
@@ -122,9 +122,9 @@ def delete_user():
user = User.query.get_or_404(user_id)
username = user.username
# Prevent deletion of sadmin users - they are permanent
if user.role == 'sadmin':
flash('Super admin users cannot be deleted.', 'danger')
# Prevent deletion of sadmin users by regular admins - only sadmin can delete sadmin
if user.role == 'sadmin' and not current_user.is_super_admin:
flash('Only super admin users can delete other super admin users.', 'danger')
return redirect(url_for('admin.index'))
try:
@@ -457,14 +457,14 @@ def edit_user():
flash('Invalid role specified.', 'danger')
return redirect(url_for('admin.index'))
# Prevent changing sadmin users - they are permanent
if user.role == 'sadmin':
flash('Super admin users cannot be modified.', 'danger')
# Prevent regular admins from modifying sadmin users - only sadmin can modify sadmin
if user.role == 'sadmin' and not current_user.is_super_admin:
flash('Only super admin users can modify other super admin users.', 'danger')
return redirect(url_for('admin.index'))
# Prevent assigning sadmin role - sadmin only exists from deployment
if role == 'sadmin':
flash('Super admin role cannot be assigned through the interface.', 'danger')
# Prevent regular admins from assigning sadmin role - only sadmin can assign sadmin
if role == 'sadmin' and not current_user.is_super_admin:
flash('Only super admin users can assign super admin role.', 'danger')
return redirect(url_for('admin.index'))
# Check if username is taken by another user
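Review bot: Once `@super_admin_required` gives way to `@admin_required` on delete_user and the unconditional block on deleting sadmin users becomes `if user.role == 'sadmin' and not current_user.is_super_admin:`, a super admin can delete another super admin, their own account, or the last sadmin in the deployment, leaving nobody able to create a replacement; nothing in the visible hunk rejects the requester as the target or counts the remaining sadmin users. Unless delete_user's body outside the hunk already does so, a self-deletion guard before the `try:`, e.g. `if str(user_id) == current_user.get_id(): flash('You cannot delete your own account.', 'danger'); return redirect(url_for('admin.index'))`, plus a refusal when the target is the only remaining `'sadmin'` user, would close this. The edit_user hunk has the same exposure, since a super admin may now change any sadmin user's role, including their own. The bodies of delete_user and edit_user both continue outside their hunks.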