Initial commit: Location Management Flask app

2026-02-26 19:24:17 +02:00
commit 7a22575dab
52 changed files with 3481 additions and 0 deletions
--- a/app/routes/admin.py
+++ b/app/routes/admin.py
@@ -0,0 +1,87 @@
+"""Admin routes – user management (admin only)."""
+from flask import Blueprint, render_template, redirect, url_for, flash, request, abort
+from flask_login import login_required, current_user
+from werkzeug.security import generate_password_hash
+
+from app import db
+from app.models.user import User
+
+admin_bp = Blueprint("admin", __name__)
+
+
+def _require_admin():
+    if not current_user.is_authenticated or not current_user.is_admin():
+        abort(403)
+
+
+@admin_bp.route("/users")
+@login_required
+def list_users():
+    _require_admin()
+    users = User.query.order_by(User.username).all()
+    return render_template("admin/users.html", users=users)
+
+
+@admin_bp.route("/users/add", methods=["GET", "POST"])
+@login_required
+def add_user():
+    _require_admin()
+    if request.method == "POST":
+        username = request.form.get("username", "").strip()
+        password = request.form.get("password", "")
+        role = request.form.get("role", "user")
+
+        if not username or not password:
+            flash("Username and password are required.", "danger")
+            return render_template("admin/user_form.html", user=None)
+
+        if User.query.filter_by(username=username).first():
+            flash("Username already exists.", "danger")
+            return render_template("admin/user_form.html", user=None)
+
+        user = User(
+            username=username,
+            password_hash=generate_password_hash(password),
+            role=role,
+            is_active=True,
+        )
+        db.session.add(user)
+        db.session.commit()
+        flash(f"User '{username}' created.", "success")
+        return redirect(url_for("admin.list_users"))
+
+    return render_template("admin/user_form.html", user=None)
+
+
+@admin_bp.route("/users/<int:user_id>/edit", methods=["GET", "POST"])
+@login_required
+def edit_user(user_id: int):
+    _require_admin()
+    user = db.get_or_404(User, user_id)
+
+    if request.method == "POST":
+        user.username = request.form.get("username", user.username).strip()
+        user.role = request.form.get("role", user.role)
+        user.is_active = "is_active" in request.form
+        new_password = request.form.get("password", "").strip()
+        if new_password:
+            user.password_hash = generate_password_hash(new_password)
+        db.session.commit()
+        flash("User updated.", "success")
+        return redirect(url_for("admin.list_users"))
+
+    return render_template("admin/user_form.html", user=user)
+
+
+@admin_bp.route("/users/<int:user_id>/delete", methods=["POST"])
+@login_required
+def delete_user(user_id: int):
+    _require_admin()
+    if user_id == current_user.id:
+        flash("You cannot delete your own account.", "danger")
+        return redirect(url_for("admin.list_users"))
+    user = db.get_or_404(User, user_id)
+    db.session.delete(user)
+    db.session.commit()
+    flash(f"User '{user.username}' deleted.", "warning")
+    return redirect(url_for("admin.list_users"))