"""Admin user management routes.""" from flask import Blueprint, request, jsonify, g from app import limiter from app.utils import role_required, validate_request_body from app.services.user_mangement import ( list_users, get_user_by_id_admin, create_user, update_user, delete_user, change_user_role, verify_owner, toggle_account_status, force_email_verification, reset_user_password, get_user_stats ) # Create admin users blueprint admin_users_bp = Blueprint('admin_users', __name__, url_prefix='/admin/users') @admin_users_bp.route('', methods=['GET']) @limiter.limit("100 per hour") @role_required('admin') def list_all_users(): """ List all users with pagination and filters. Query params: - page: Page number (default 1) - per_page: Items per page (default 20, max 100) - role: Filter by role (customer/owner/admin) - is_active: Filter by active status (true/false) - is_verified: Filter by owner verification (true/false) - search: Search by name, email, or username Returns: 200: Paginated user list 400: Invalid parameters 403: Forbidden (not admin) """ # Pagination page = request.args.get('page', 1, type=int) per_page = request.args.get('per_page', 20, type=int) # Limit per_page to max 100 per_page = min(per_page, 100) # Filters role = request.args.get('role') is_active = request.args.get('is_active') is_verified = request.args.get('is_verified') search = request.args.get('search') # Convert string booleans to actual booleans if is_active is not None: is_active = is_active.lower() in ['true', '1', 'yes'] if is_verified is not None: is_verified = is_verified.lower() in ['true', '1', 'yes'] result = list_users( page=page, per_page=per_page, role=role, is_active=is_active, is_verified=is_verified, search=search ) status_code = 200 if result['success'] else 400 return jsonify(result), status_code @admin_users_bp.route('/', methods=['GET']) @limiter.limit("100 per hour") @role_required('admin') def get_user_details(user_id): """ Get full user details (admin view). Args: user_id: User ID to fetch Returns: 200: User details 404: User not found 403: Forbidden (not admin) """ result = get_user_by_id_admin(user_id) status_code = 200 if result['success'] else 404 return jsonify(result), status_code @admin_users_bp.route('', methods=['POST']) @limiter.limit("20 per hour") @role_required('admin') def create_new_user(): """ Admin creates a new user account. Required fields: - first_name, last_name - username - email - password Optional fields: - role (customer/owner/admin, default: customer) - phone_number - address, city, country - date_of_birth - bypass_email_verification (true/false, default: false) Returns: 201: User created successfully 400: Validation error 403: Forbidden (not admin) """ data = request.get_json() required_fields = ['first_name', 'last_name', 'username', 'email', 'password'] is_valid, error_response = validate_request_body(data, required_fields) if not is_valid: return error_response # Check if admin wants to bypass email verification bypass_email_verification = data.get('bypass_email_verification', False) result = create_user(data, bypass_email_verification=bypass_email_verification) status_code = 201 if result['success'] else 400 return jsonify(result), status_code @admin_users_bp.route('/', methods=['PUT']) @limiter.limit("50 per hour") @role_required('admin') def update_user_details(user_id): """ Admin updates any user's information. Allowed fields: - first_name, last_name - email, username - phone_number - date_of_birth - address, city, country Note: Use dedicated endpoints for role changes, status changes, etc. Returns: 200: User updated successfully 400: Validation error 403: Forbidden (not admin) 404: User not found """ data = request.get_json() if not data: return jsonify({ 'success': False, 'message': 'No data provided', 'data': None }), 400 # Only allow specific fields to be updated via this endpoint allowed_fields = [ 'first_name', 'last_name', 'email', 'username', 'phone_number', 'date_of_birth', 'address', 'city', 'country' ] # Filter out any fields not in allowed list update_data = {k: v for k, v in data.items() if k in allowed_fields} if not update_data: return jsonify({ 'success': False, 'message': 'No valid fields provided for update', 'data': None }), 400 result = update_user(user_id, update_data) status_code = 200 if result['success'] else 400 return jsonify(result), status_code @admin_users_bp.route('/', methods=['DELETE']) @limiter.limit("20 per hour") @role_required('admin') def delete_user_account(user_id): """ Delete user account. Query params: - hard_delete: If true, permanently delete from database (default: false) Default behavior is soft delete (set is_active=False). Returns: 200: User deleted successfully 400: Error 403: Forbidden (not admin) 404: User not found """ # Check if hard delete is requested hard_delete = request.args.get('hard_delete', 'false').lower() in ['true', '1', 'yes'] result = delete_user(user_id, hard_delete=hard_delete) status_code = 200 if result['success'] else 400 return jsonify(result), status_code @admin_users_bp.route('//role', methods=['PUT']) @limiter.limit("20 per hour") @role_required('admin') def change_role(user_id): """ Change user's role. Required field: - role: New role (customer/owner/admin) Returns: 200: Role changed successfully 400: Invalid role 403: Forbidden (not admin) 404: User not found """ data = request.get_json() is_valid, error_response = validate_request_body(data, ['role']) if not is_valid: return error_response new_role = data['role'] result = change_user_role(user_id, new_role) status_code = 200 if result['success'] else 400 return jsonify(result), status_code @admin_users_bp.route('//verify', methods=['PUT']) @limiter.limit("50 per hour") @role_required('admin') def verify_owner_account(user_id): """ Verify owner account (set is_verified=True). Only applicable to users with 'owner' role. Returns: 200: Owner verified successfully 400: User is not an owner or already verified 403: Forbidden (not admin) 404: User not found """ result = verify_owner(user_id) status_code = 200 if result['success'] else 400 return jsonify(result), status_code @admin_users_bp.route('//status', methods=['PUT']) @limiter.limit("50 per hour") @role_required('admin') def update_account_status(user_id): """ Activate or deactivate user account. Required field: - is_active: Boolean (true to activate, false to deactivate) Returns: 200: Account status updated 400: Invalid data 403: Forbidden (not admin) 404: User not found """ data = request.get_json() is_valid, error_response = validate_request_body(data, ['is_active']) if not is_valid: return error_response # Validate boolean is_active = data['is_active'] if not isinstance(is_active, bool): return jsonify({ 'success': False, 'message': 'is_active must be a boolean', 'data': None }), 400 result = toggle_account_status(user_id, is_active) status_code = 200 if result['success'] else 400 return jsonify(result), status_code @admin_users_bp.route('//verify-email', methods=['PUT']) @limiter.limit("50 per hour") @role_required('admin') def verify_user_email(user_id): """ Manually mark user's email as verified. Used for customer support cases where email verification is bypassed. Returns: 200: Email verified successfully 400: Email already verified 403: Forbidden (not admin) 404: User not found """ result = force_email_verification(user_id) status_code = 200 if result['success'] else 400 return jsonify(result), status_code @admin_users_bp.route('//reset-password', methods=['POST']) @limiter.limit("10 per hour") @role_required('admin') def reset_password(user_id): """ Reset user's password and send email with temporary password. - Generates a random 12-character temporary password - Updates user's password in database - Sends email to user with temporary password - User should change password immediately after login Returns: 200: Password reset successfully, email sent 400: Failed to reset password or send email 403: Forbidden (not admin) 404: User not found """ admin_id = g.current_user.id result = reset_user_password(user_id, admin_id) status_code = 200 if result['success'] else 400 return jsonify(result), status_code @admin_users_bp.route('/stats', methods=['GET']) @limiter.limit("100 per hour") @role_required('admin') def user_statistics(): """ Get user statistics and analytics. Returns: - total_users: Total registered users - active_users: Users with is_active=True - inactive_users: Users with is_active=False - customers: Users with customer role - owners: Users with owner role - admins: Users with admin role - verified_owners: Owners with is_verified=True - email_verified: Users with is_email_verified=True - recent_registrations_7days: New registrations in last 7 days Returns: 200: User statistics 403: Forbidden (not admin) """ result = get_user_stats() status_code = 200 if result['success'] else 400 return jsonify(result), status_code