from fastapi import APIRouter, Depends from app.models.models import UserInfo, PasswordChangeRequest, UserListResponse, CreateUserRequest, UpdateUserRequest, RoleInfo from app.core.database import get_db_connection from app.core.auth import get_current_user from app.core.response import create_api_response import app.core.config as config_module import hashlib import datetime import re router = APIRouter() def validate_email(email: str) -> bool: """Basic email validation""" pattern = r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$' return re.match(pattern, email) is not None def hash_password(password: str) -> str: return hashlib.sha256(password.encode()).hexdigest() @router.get("/roles") def get_all_roles(current_user: dict = Depends(get_current_user)): """获取所有角色列表""" if current_user['role_id'] != 1: # 1 is admin return create_api_response(code="403", message="仅管理员有权限查看角色列表") with get_db_connection() as connection: cursor = connection.cursor(dictionary=True) cursor.execute("SELECT role_id, role_name FROM roles ORDER BY role_id") roles = cursor.fetchall() return create_api_response(code="200", message="获取角色列表成功", data=[RoleInfo(**role).dict() for role in roles]) @router.post("/users") def create_user(request: CreateUserRequest, current_user: dict = Depends(get_current_user)): if current_user['role_id'] != 1: # 1 is admin return create_api_response(code="403", message="仅管理员有权限创建用户") if not validate_email(request.email): return create_api_response(code="400", message="邮箱格式不正确") with get_db_connection() as connection: cursor = connection.cursor(dictionary=True) cursor.execute("SELECT user_id FROM users WHERE username = %s", (request.username,)) if cursor.fetchone(): return create_api_response(code="400", message="用户名已存在") password = request.password if request.password else config_module.DEFAULT_RESET_PASSWORD hashed_password = hash_password(password) query = "INSERT INTO users (username, password_hash, caption, email, role_id, created_at) VALUES (%s, %s, %s, %s, %s, %s)" created_at = datetime.datetime.utcnow() cursor.execute(query, (request.username, hashed_password, request.caption, request.email, request.role_id, created_at)) connection.commit() return create_api_response(code="200", message="用户创建成功") @router.put("/users/{user_id}") def update_user(user_id: int, request: UpdateUserRequest, current_user: dict = Depends(get_current_user)): if current_user['role_id'] != 1: # 1 is admin return create_api_response(code="403", message="仅管理员有权限修改用户信息") if request.email and not validate_email(request.email): return create_api_response(code="400", message="邮箱格式不正确") with get_db_connection() as connection: cursor = connection.cursor(dictionary=True) cursor.execute("SELECT user_id, username, caption, email, role_id FROM users WHERE user_id = %s", (user_id,)) existing_user = cursor.fetchone() if not existing_user: return create_api_response(code="404", message="用户不存在") if request.username and request.username != existing_user['username']: cursor.execute("SELECT user_id FROM users WHERE username = %s AND user_id != %s", (request.username, user_id)) if cursor.fetchone(): return create_api_response(code="400", message="用户名已存在") update_data = { 'username': request.username if request.username else existing_user['username'], 'caption': request.caption if request.caption else existing_user['caption'], 'email': request.email if request.email else existing_user['email'], 'role_id': request.role_id if request.role_id is not None else existing_user['role_id'] } query = "UPDATE users SET username = %s, caption = %s, email = %s, role_id = %s WHERE user_id = %s" cursor.execute(query, (update_data['username'], update_data['caption'], update_data['email'], update_data['role_id'], user_id)) connection.commit() cursor.execute(''' SELECT u.user_id, u.username, u.caption, u.email, u.created_at, u.role_id, r.role_name FROM users u LEFT JOIN roles r ON u.role_id = r.role_id WHERE u.user_id = %s ''', (user_id,)) updated_user = cursor.fetchone() user_info = UserInfo( user_id=updated_user['user_id'], username=updated_user['username'], caption=updated_user['caption'], email=updated_user['email'], created_at=updated_user['created_at'], role_id=updated_user['role_id'], role_name=updated_user['role_name'], meetings_created=0, meetings_attended=0 ) return create_api_response(code="200", message="用户信息更新成功", data=user_info.dict()) @router.delete("/users/{user_id}") def delete_user(user_id: int, current_user: dict = Depends(get_current_user)): if current_user['role_id'] != 1: # 1 is admin return create_api_response(code="403", message="仅管理员有权限删除用户") with get_db_connection() as connection: cursor = connection.cursor(dictionary=True) cursor.execute("SELECT user_id FROM users WHERE user_id = %s", (user_id,)) if not cursor.fetchone(): return create_api_response(code="404", message="用户不存在") cursor.execute("DELETE FROM users WHERE user_id = %s", (user_id,)) connection.commit() return create_api_response(code="200", message="用户删除成功") @router.post("/users/{user_id}/reset-password") def reset_password(user_id: int, current_user: dict = Depends(get_current_user)): if current_user['role_id'] != 1: # 1 is admin return create_api_response(code="403", message="仅管理员有权限重置密码") with get_db_connection() as connection: cursor = connection.cursor(dictionary=True) cursor.execute("SELECT user_id FROM users WHERE user_id = %s", (user_id,)) if not cursor.fetchone(): return create_api_response(code="404", message="用户不存在") hashed_password = hash_password(config_module.DEFAULT_RESET_PASSWORD) query = "UPDATE users SET password_hash = %s WHERE user_id = %s" cursor.execute(query, (hashed_password, user_id)) connection.commit() return create_api_response(code="200", message=f"用户 {user_id} 的密码已重置") @router.get("/users") def get_all_users(page: int = 1, size: int = 10, current_user: dict = Depends(get_current_user)): with get_db_connection() as connection: cursor = connection.cursor(dictionary=True) cursor.execute("SELECT COUNT(*) as total FROM users") total = cursor.fetchone()['total'] offset = (page - 1) * size query = ''' SELECT u.user_id, u.username, u.caption, u.email, u.created_at, u.role_id, r.role_name, (SELECT COUNT(*) FROM meetings WHERE user_id = u.user_id) as meetings_created, (SELECT COUNT(*) FROM attendees WHERE user_id = u.user_id) as meetings_attended FROM users u LEFT JOIN roles r ON u.role_id = r.role_id ORDER BY u.user_id ASC LIMIT %s OFFSET %s ''' cursor.execute(query, (size, offset)) users = cursor.fetchall() user_list = [UserInfo(**user) for user in users] response_data = UserListResponse(users=user_list, total=total) return create_api_response(code="200", message="获取用户列表成功", data=response_data.dict()) @router.get("/users/{user_id}") def get_user_info(user_id: int, current_user: dict = Depends(get_current_user)): with get_db_connection() as connection: cursor = connection.cursor(dictionary=True) user_query = ''' SELECT u.user_id, u.username, u.caption, u.email, u.created_at, u.role_id, r.role_name FROM users u LEFT JOIN roles r ON u.role_id = r.role_id WHERE u.user_id = %s ''' cursor.execute(user_query, (user_id,)) user = cursor.fetchone() if not user: return create_api_response(code="404", message="用户不存在") created_query = "SELECT COUNT(*) as count FROM meetings WHERE user_id = %s" cursor.execute(created_query, (user_id,)) meetings_created = cursor.fetchone()['count'] attended_query = "SELECT COUNT(*) as count FROM attendees WHERE user_id = %s" cursor.execute(attended_query, (user_id,)) meetings_attended = cursor.fetchone()['count'] user_info = UserInfo( user_id=user['user_id'], username=user['username'], caption=user['caption'], email=user['email'], created_at=user['created_at'], role_id=user['role_id'], role_name=user['role_name'], meetings_created=meetings_created, meetings_attended=meetings_attended ) return create_api_response(code="200", message="获取用户信息成功", data=user_info.dict()) @router.put("/users/{user_id}/password") def update_password(user_id: int, request: PasswordChangeRequest, current_user: dict = Depends(get_current_user)): if user_id != current_user['user_id'] and current_user['role_id'] != 1: return create_api_response(code="403", message="没有权限修改其他用户的密码") with get_db_connection() as connection: cursor = connection.cursor(dictionary=True) cursor.execute("SELECT password_hash FROM users WHERE user_id = %s", (user_id,)) user = cursor.fetchone() if not user: return create_api_response(code="404", message="用户不存在") if current_user['role_id'] != 1: if user['password_hash'] != hash_password(request.old_password): return create_api_response(code="400", message="旧密码错误") new_password_hash = hash_password(request.new_password) cursor.execute("UPDATE users SET password_hash = %s WHERE user_id = %s", (new_password_hash, user_id)) connection.commit() return create_api_response(code="200", message="密码修改成功")