yakpanel-core/YakPanel-server/backend/app/api/user.py

"""YakPanel - User management API (admin only)"""
from fastapi import APIRouter, Depends, HTTPException
from sqlalchemy.ext.asyncio import AsyncSession
from sqlalchemy import select
from pydantic import BaseModel

from app.core.database import get_db
from app.core.security import get_password_hash
from app.api.auth import get_current_user
from app.models.user import User

router = APIRouter(prefix="/user", tags=["user"])


def require_superuser(current_user: User):
    if not current_user.is_superuser:
        raise HTTPException(status_code=403, detail="Admin access required")


class CreateUserRequest(BaseModel):
    username: str
    password: str
    email: str = ""


@router.get("/list")
async def user_list(
    current_user: User = Depends(get_current_user),
    db: AsyncSession = Depends(get_db),
):
    """List all users (admin only)"""
    require_superuser(current_user)
    result = await db.execute(select(User).order_by(User.id))
    rows = result.scalars().all()
    return [
        {
            "id": r.id,
            "username": r.username,
            "email": r.email or "",
            "is_active": r.is_active,
            "is_superuser": r.is_superuser,
        }
        for r in rows
    ]


@router.post("/create")
async def user_create(
    body: CreateUserRequest,
    current_user: User = Depends(get_current_user),
    db: AsyncSession = Depends(get_db),
):
    """Create a new user (admin only)"""
    require_superuser(current_user)
    if not body.username or len(body.username) < 2:
        raise HTTPException(status_code=400, detail="Username must be at least 2 characters")
    if not body.password or len(body.password) < 6:
        raise HTTPException(status_code=400, detail="Password must be at least 6 characters")
    result = await db.execute(select(User).where(User.username == body.username))
    if result.scalar_one_or_none():
        raise HTTPException(status_code=400, detail="Username already exists")
    user = User(
        username=body.username,
        password=get_password_hash(body.password),
        email=body.email.strip() or None,
        is_active=True,
        is_superuser=False,
    )
    db.add(user)
    await db.commit()
    return {"status": True, "msg": "User created", "id": user.id}


@router.delete("/{user_id}")
async def user_delete(
    user_id: int,
    current_user: User = Depends(get_current_user),
    db: AsyncSession = Depends(get_db),
):
    """Delete a user (admin only). Cannot delete self."""
    require_superuser(current_user)
    if user_id == current_user.id:
        raise HTTPException(status_code=400, detail="Cannot delete your own account")
    result = await db.execute(select(User).where(User.id == user_id))
    user = result.scalar_one_or_none()
    if not user:
        raise HTTPException(status_code=404, detail="User not found")
    await db.delete(user)
    await db.commit()
    return {"status": True, "msg": "User deleted"}


@router.put("/{user_id}/toggle-active")
async def user_toggle_active(
    user_id: int,
    current_user: User = Depends(get_current_user),
    db: AsyncSession = Depends(get_db),
):
    """Toggle user active status (admin only). Cannot deactivate self."""
    require_superuser(current_user)
    if user_id == current_user.id:
        raise HTTPException(status_code=400, detail="Cannot deactivate your own account")
    result = await db.execute(select(User).where(User.id == user_id))
    user = result.scalar_one_or_none()
    if not user:
        raise HTTPException(status_code=404, detail="User not found")
    user.is_active = not user.is_active
    await db.commit()
    return {"status": True, "msg": "Updated", "is_active": user.is_active}