优化了users的鉴权逻辑，使用了依赖注入的方式判断管理员

2025-01-21 22:14:03 +08:00
parent f1cdbab0f4
commit a90838b79f
3 changed files with 100 additions and 109 deletions
--- a/routes/depends.py
+++ b/routes/depends.py
@@ -2,6 +2,7 @@ from fastapi import Depends, HTTPException, status
 from fastapi.security import OAuth2PasswordBearer
 from typing import Optional
 from schemas.auth import TokenData
+from schemas.user import UserRole
 from services.auth_service import verify_token

 oauth2_scheme = OAuth2PasswordBearer(tokenUrl="auth/login")
@@ -16,3 +17,22 @@ async def get_current_user(token: str = Depends(oauth2_scheme)) -> TokenData:
            headers={"WWW-Authenticate": "Bearer"},
        )
    return token_data
+
+
+
+async def get_current_admin(token: str = Depends(oauth2_scheme)) -> TokenData:
+    """获取当前用户"""
+    token_data = verify_token(token)
+    if token_data is None:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid authentication credentials",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    if token_data.role not in [UserRole.SYSTEM_ADMIN.value, UserRole.ADMIN.value]:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="You are not admin",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    return token_data
--- a/routes/users.py
+++ b/routes/users.py
@@ -1,9 +1,10 @@
 from fastapi import APIRouter, Depends, HTTPException, status
 from typing import List, Optional
 from schemas.auth import TokenData
-from schemas.user import UserCreate, UserUpdate, UserResponse
-from routes.depends import get_current_user
-from services.user_services import get_user_by_id
+from schemas.user import UserCreate, UserUpdate, UserResponse, UserRole
+from routes.depends import get_current_user,get_current_admin
+from services.user_services import get_user_by_id,get_users,create_user,update_user,delete_user
+from services.db import get_db_session

 router = APIRouter(tags=["users"])

@@ -20,68 +21,39 @@ async def get_users(
            status_code=status.HTTP_404_NOT_FOUND,
            detail="User not found"
        )
-    if current_user.role not in ["system_admin", "admin"]:
-        raise HTTPException(
-            status_code=status.HTTP_403_FORBIDDEN,
-            detail="Only admin can access user list"
-        )
-    # 实现获取用户列表逻辑
-    pass
+    async with get_db_session() as session:
+        skip = (page - 1) * limit
+        users = await get_users(session, skip=skip, limit=limit)
+        if role:
+            users = [user for user in users if user.role == role]
+        return users

@router.post("/", response_model=UserResponse, status_code=status.HTTP_201_CREATED)
 async def create_user(
    user_data: UserCreate,
-    current_user_token: TokenData = Depends(get_current_user)
+    current_user_token: TokenData = Depends(get_current_admin)
 ):
-    current_user = await get_user_by_id(current_user_token.id)
-    if current_user is None:
-        raise HTTPException(
-            status_code=status.HTTP_404_NOT_FOUND,
-            detail="User not found"
-        )
-    if current_user.role not in ["system_admin", "admin"]:
-        raise HTTPException(
-            status_code=status.HTTP_403_FORBIDDEN,
-            detail="Only admin can create users"
-        )
-    # 实现创建用户逻辑
-    pass
+    async with get_db_session() as session:
+        return await create_user(session, user_data)

@router.put("/{user_id}", response_model=UserResponse)
 async def update_user(
    user_id: int,
    user_data: UserUpdate,
-    current_user_token: TokenData = Depends(get_current_user)
+    current_user_token: TokenData = Depends(get_current_admin)
 ):
-    current_user = await get_user_by_id(current_user_token.id)
-    if current_user is None:
-        raise HTTPException(
-            status_code=status.HTTP_404_NOT_FOUND,
-            detail="User not found"
-        )
-    if current_user.role not in ["system_admin", "admin"]:
-        raise HTTPException(
-            status_code=status.HTTP_403_FORBIDDEN,
-            detail="Only admin can update users"
-        )
-    # 实现更新用户逻辑
-    pass
+    async with get_db_session() as session:
+        return await update_user(session, user_id, user_data)

@router.delete("/{user_id}", status_code=status.HTTP_204_NO_CONTENT)
 async def delete_user(
    user_id: int,
-    current_user_token: TokenData = Depends(get_current_user)
+    current_user_token: TokenData = Depends(get_current_admin)
 ):
-    current_user = await get_user_by_id(current_user_token.id)
-    if current_user is None:
-        raise HTTPException(
-            status_code=status.HTTP_404_NOT_FOUND,
-            detail="User not found"
-        )
-    if current_user.role not in ["system_admin", "admin"]:
-        raise HTTPException(
-            status_code=status.HTTP_403_FORBIDDEN,
-            detail="Only admin can delete users"
-        )
-    # 实现删除用户逻辑
-    pass
+    async with get_db_session() as session:
+        success = await delete_user(session, user_id)
+        if not success:
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail="User not found"
+            )