import os from flask import request, jsonify from app.api import api_bp from app.api.auth import admin_required, token_required from app.extensions import db from app.models.user import User from app.models.settings import AppSettings @api_bp.route('/users', methods=['GET']) @admin_required def list_users(): users = User.query.order_by(User.created_at.desc()).all() return jsonify([u.to_dict(include_email=True) for u in users]), 200 @api_bp.route('/users', methods=['POST']) @admin_required def create_user(): """Admin creates a new user.""" data = request.get_json() if not data: return jsonify({'error': 'Keine Daten gesendet'}), 400 username = data.get('username', '').strip() password = data.get('password', '') email = data.get('email', '').strip() or None role = data.get('role', 'user') if not username or not password: return jsonify({'error': 'Benutzername und Passwort erforderlich'}), 400 if len(username) < 3: return jsonify({'error': 'Benutzername muss mindestens 3 Zeichen lang sein'}), 400 if len(password) < 8: return jsonify({'error': 'Passwort muss mindestens 8 Zeichen lang sein'}), 400 if role not in ('admin', 'user'): return jsonify({'error': 'Rolle muss "admin" oder "user" sein'}), 400 if User.query.filter_by(username=username).first(): return jsonify({'error': 'Benutzername bereits vergeben'}), 409 if email and User.query.filter_by(email=email).first(): return jsonify({'error': 'Email-Adresse bereits vergeben'}), 409 user = User( username=username, email=email, role=role, master_key_salt=os.urandom(32), storage_quota_mb=data.get('storage_quota_mb', 5120), ) user.set_password(password) db.session.add(user) db.session.commit() return jsonify(user.to_dict(include_email=True)), 201 @api_bp.route('/users/', methods=['GET']) @admin_required def get_user(user_id): user = db.session.get(User, user_id) if not user: return jsonify({'error': 'Benutzer nicht gefunden'}), 404 return jsonify(user.to_dict(include_email=True)), 200 @api_bp.route('/users/', methods=['PUT']) @admin_required def update_user(user_id): user = db.session.get(User, user_id) if not user: return jsonify({'error': 'Benutzer nicht gefunden'}), 404 data = request.get_json() if not data: return jsonify({'error': 'Keine Daten gesendet'}), 400 if 'email' in data: email = data['email'].strip() or None if email and email != user.email: if User.query.filter_by(email=email).first(): return jsonify({'error': 'Email bereits vergeben'}), 409 user.email = email if 'role' in data and data['role'] in ('admin', 'user'): if user.role == 'admin' and data['role'] == 'user': admin_count = User.query.filter_by(role='admin', is_active=True).count() if admin_count <= 1: return jsonify({'error': 'Letzter Admin kann nicht herabgestuft werden'}), 400 user.role = data['role'] if 'is_active' in data: if user.id == request.current_user.id and not data['is_active']: return jsonify({'error': 'Eigenes Konto kann nicht deaktiviert werden'}), 400 user.is_active = data['is_active'] if 'storage_quota_mb' in data: user.storage_quota_mb = max(0, int(data['storage_quota_mb'])) if 'password' in data and data['password']: if len(data['password']) < 8: return jsonify({'error': 'Passwort muss mindestens 8 Zeichen lang sein'}), 400 user.set_password(data['password']) db.session.commit() return jsonify(user.to_dict(include_email=True)), 200 @api_bp.route('/users/', methods=['DELETE']) @admin_required def delete_user(user_id): user = db.session.get(User, user_id) if not user: return jsonify({'error': 'Benutzer nicht gefunden'}), 404 if user.id == request.current_user.id: return jsonify({'error': 'Eigenes Konto kann nicht geloescht werden'}), 400 if user.role == 'admin': admin_count = User.query.filter_by(role='admin', is_active=True).count() if admin_count <= 1: return jsonify({'error': 'Letzter Admin kann nicht geloescht werden'}), 400 db.session.delete(user) db.session.commit() return jsonify({'message': 'Benutzer geloescht'}), 200 # --- App Settings --- @api_bp.route('/settings', methods=['GET']) @admin_required def get_settings(): return jsonify({ 'public_registration': AppSettings.get_bool('public_registration', default=False), }), 200 @api_bp.route('/settings', methods=['PUT']) @admin_required def update_settings(): data = request.get_json() if 'public_registration' in data: AppSettings.set('public_registration', str(data['public_registration']).lower()) return jsonify({'message': 'Einstellungen gespeichert'}), 200 # --- User search (for sharing dialogs) --- @api_bp.route('/users/search', methods=['GET']) @token_required def search_users(): """Search users by username - for sharing dialogs.""" query = request.args.get('q', '').strip() if len(query) < 2: return jsonify([]), 200 users = User.query.filter( User.username.ilike(f'%{query}%'), User.id != request.current_user.id, User.is_active == True, ).limit(10).all() return jsonify([{'id': u.id, 'username': u.username} for u in users]), 200 # --- Change password (non-admin, own account) --- @api_bp.route('/auth/change-password', methods=['POST']) @token_required def change_password(): data = request.get_json() if not data: return jsonify({'error': 'Keine Daten gesendet'}), 400 current_password = data.get('current_password', '') new_password = data.get('new_password', '') if not current_password or not new_password: return jsonify({'error': 'Aktuelles und neues Passwort erforderlich'}), 400 if len(new_password) < 8: return jsonify({'error': 'Neues Passwort muss mindestens 8 Zeichen lang sein'}), 400 user = request.current_user if not user.check_password(current_password): return jsonify({'error': 'Aktuelles Passwort falsch'}), 401 user.set_password(new_password) db.session.commit() return jsonify({'message': 'Passwort geaendert'}), 200