Nexusphp-Panel/routes/user.py
DengDai ad2c65affb init
2025-12-08 14:31:21 +08:00


from flask import Blueprint, render_template, session, redirect, url_for, jsonify, request
import sqlite3
import secrets
# Blueprint that groups the user-management routes defined in this module.
user_bp = Blueprint(name='user', import_name=__name__)
def get_db_connection():
    """Open a new connection to the SQLite file ``pt_manager.db``.

    The path is relative, so it is resolved against the process's current
    working directory. Rows are returned as ``sqlite3.Row`` so columns can be
    read by name. Nothing here closes the connection; the caller must.
    """
    connection = sqlite3.connect('pt_manager.db')
    connection.row_factory = sqlite3.Row
    return connection
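@user_bp.route('/user')
def user_index():
    """Render the user list page; only logged-in admins may see it.

    Visitors without ``user_id`` in the session are redirected to
    ``auth.login``; logged-in users whose role is not ``'admin'`` are
    redirected to ``main.index``.
    """
    if 'user_id' not in session:
        return redirect(url_for('auth.login'))
    # .get() so a session that carries user_id but no role is treated as
    # non-admin instead of raising KeyError (which would surface as a 500).
    if session.get('role') != 'admin':
        return redirect(url_for('main.index'))

    conn = get_db_connection()
    try:
        # password_hash is not in the column list, so it never reaches the
        # template context.
        users = conn.execute(
            'SELECT id, username, role, created_at FROM users'
        ).fetchall()
    finally:
        # Close even when the query raises, so the handle is not leaked.
        conn.close()
    return render_template('user/index.html', users=users)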
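@user_bp.route('/user/add', methods=['POST'])
def add_user():
    """Create a user with a server-generated password (admin only).

    Reads ``username`` and the optional ``role`` (default ``'user'``) from
    the submitted form. Responds with JSON: 401 when nobody is logged in,
    403 when the caller is not an admin, 400 when the username is missing or
    the insert violates an integrity constraint, 500 on any other error, and
    otherwise ``success`` together with the username and generated password.
    """
    # NOTE(review): this state-changing POST is authorised by the session
    # alone; no CSRF token check is visible in this file -- confirm one is
    # enforced application-wide.
    if 'user_id' not in session:
        return jsonify({'error': 'Authentication required'}), 401
    # .get() so a session that carries user_id but no role is rejected with
    # 403 instead of raising KeyError (which would surface as a 500).
    if session.get('role') != 'admin':
        return jsonify({'error': 'Admin access required'}), 403

    username = request.form.get('username')
    # NOTE(review): role is stored exactly as submitted; no allow-list of
    # valid role names is applied here.
    role = request.form.get('role', 'user')
    if not username:
        return jsonify({'error': 'Username is required'}), 400

    # 8 random bytes from the OS CSPRNG, rendered as 16 hex characters.
    password = secrets.token_hex(8)

    conn = get_db_connection()
    try:
        # SECURITY NOTE(review): the generated password is written to the
        # password_hash column as-is, i.e. unhashed, so anyone who can read
        # the database file can read every credential created here. It is
        # not changed in this function because the login code that verifies
        # it is outside this file; store a salted password hash produced by
        # the same scheme the login path checks.
        conn.execute(
            'INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)',
            (username, password, role)
        )
        conn.commit()
    except sqlite3.IntegrityError:
        return jsonify({'error': 'Username already exists'}), 400
    except Exception as e:
        # NOTE(review): the raw exception text is returned to the caller;
        # consider logging it server-side and returning a generic message.
        return jsonify({'error': str(e)}), 500
    finally:
        # Single close for every exit path.
        conn.close()
    # The password is returned once so the admin can hand it to the user.
    return jsonify({'success': True, 'username': username, 'password': password})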
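@user_bp.route('/user/delete/<int:user_id>', methods=['POST'])
def delete_user(user_id):
    """Delete the user with the given id (admin only).

    Responds with JSON: 401 when nobody is logged in, 403 when the caller is
    not an admin, 400 when the target is the caller's own account, 500 on a
    database error, otherwise ``success``. The row count is not checked, so
    ``success`` is also returned when no user has that id.
    """
    # NOTE(review): this state-changing POST is authorised by the session
    # alone; no CSRF token check is visible in this file -- confirm one is
    # enforced application-wide.
    if 'user_id' not in session:
        return jsonify({'error': 'Authentication required'}), 401
    # .get() so a session that carries user_id but no role is rejected with
    # 403 instead of raising KeyError (which would surface as a 500).
    if session.get('role') != 'admin':
        return jsonify({'error': 'Admin access required'}), 403

    # Prevent deleting oneself. The route converter yields an int; how the
    # login code stores session['user_id'] is not visible here, so both sides
    # are compared as strings to keep the guard effective for int or str ids.
    if str(user_id) == str(session['user_id']):
        return jsonify({'error': 'Cannot delete yourself'}), 400

    conn = get_db_connection()
    try:
        conn.execute('DELETE FROM users WHERE id = ?', (user_id,))
        conn.commit()
    except Exception as e:
        # NOTE(review): the raw exception text is returned to the caller;
        # consider logging it server-side and returning a generic message.
        return jsonify({'error': str(e)}), 500
    finally:
        # Single close for every exit path.
        conn.close()
    return jsonify({'success': True})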