l_konstantin/TestingWebApp
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

блоки 2 и 3 доработки интерфейса системы тестирования

Browse Source
This commit is contained in:
Константин Лебединский
2026-04-29 21:06:17 +05:00
parent eff3fda5b0
commit bba96f8f9f
37 changed files with 4440 additions and 1292 deletions
Download Patch File Download Diff File Expand all files Collapse all files
flask_app/app/auth/routes.py
+68 -4
View File
@@ -14,7 +14,7 @@ from flask import (
url_for,
)
from ..config import is_assignment_feature_enabled, is_dev_ui
from ..config import get_dev_fio_password, is_assignment_feature_enabled, is_dev_ui
from ..messages import RU
from .decorators import login_required, current_user
from .services import AuthError, authenticate_credentials
@@ -46,7 +46,11 @@ def _do_login(login: str, password: str):
def login_page():
if current_user() is not None:
return redirect(_safe_next('/'))
return render_template('auth/login.html', next=_safe_next('/'))
return render_template(
'auth/login.html',
next=_safe_next('/'),
dev_fio_enabled=bool(get_dev_fio_password()),
)
@auth_bp.route('/login', methods=['POST'])
@@ -57,11 +61,21 @@ def login_submit():
_do_login(login, password)
except AuthError as e:
flash(e.message, 'error')
return render_template('auth/login.html', next=_safe_next('/'), login=login), e.status
return render_template(
'auth/login.html',
next=_safe_next('/'),
login=login,
dev_fio_enabled=bool(get_dev_fio_password()),
), e.status
except Exception:
log.exception('login_submit failed')
flash(RU['loginFailed'], 'error')
return render_template('auth/login.html', next=_safe_next('/'), login=login), 500
return render_template(
'auth/login.html',
next=_safe_next('/'),
login=login,
dev_fio_enabled=bool(get_dev_fio_password()),
), 500
return redirect(_safe_next('/'))
@@ -96,6 +110,56 @@ def api_logout():
return jsonify(message=RU['loggedOut'])
@auth_bp.route('/api/auth/dev/assignment-directory', methods=['GET'])
@login_required
def api_assignment_directory():
"""Список сотрудников для назначения теста с поиском по имени/логину и фильтром отдела."""
from ..db import get_session
from ..models import Department, User as UserModel
q_str = (request.args.get('q') or '').strip()
dept_filter = (request.args.get('department') or '').strip()
clinic_filter = (request.args.get('clinic') or 'all').strip()
session = get_session()
dept_rows = session.query(Department).order_by(Department.name).all()
dept_by_name = {d.name: d.id for d in dept_rows}
departments = [d.name for d in dept_rows]
query = (
session.query(UserModel)
.filter(UserModel.is_active.is_(True))
)
if q_str:
like = f'%{q_str}%'
query = query.filter(
UserModel.full_name.ilike(like) | UserModel.login.ilike(like)
)
if dept_filter and dept_filter in dept_by_name:
query = query.filter(UserModel.department_id == dept_by_name[dept_filter])
if clinic_filter == 'with':
query = query.filter(UserModel.staff_id.isnot(None))
elif clinic_filter == 'without':
query = query.filter(UserModel.staff_id.is_(None))
users = query.order_by(UserModel.full_name).limit(200).all()
dept_name_by_id = {d.id: d.name for d in dept_rows}
people = [
{
'staffId': str(u.id),
'fio': u.full_name,
'webLogin': u.login,
'role': u.role,
'department': dept_name_by_id.get(u.department_id) if u.department_id else None,
'clinicUserId': u.staff_id,
}
for u in users
]
return jsonify(people=people, departments=departments)
@auth_bp.route('/api/auth/me', methods=['GET'])
@login_required
def api_me():
flask_app/app/auth/services.py
+163 -98
View File
@@ -1,16 +1,13 @@
"""Бизнес-логика логина — порт `backend/src/routes/auth.js` + `utils/auth.js`.
"""Бизнес-логика логина (ORM-версия).
Поддерживает оба режима:
- Локальный (по умолчанию): bcrypt в `clinic_tests.users.password_hash`.
- HR_AUTH=1: пароль проверяется в `hr_bot_test.users` (Werkzeug scrypt/pbkdf2),
затем находим запись `staff_members` по `web_login` и UPSERT-им в
`clinic_tests.users` по `staff_id`.
Werkzeug-хеши проверяются через `werkzeug.security.check_password_hash`,
bcrypt-хеши — через пакет `bcrypt`.
- Локальный (по умолчанию): bcrypt / Werkzeug в `clinic_tests.users.password_hash`.
- HR_AUTH=1: пароль проверяется в `hr_bot_test.users` (raw SQL, внешняя схема),
затем UPSERT в `clinic_tests.users` по `staff_id`.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional
@@ -20,16 +17,18 @@ from werkzeug.security import check_password_hash as _werkzeug_check
from ..config import (
HR_MANAGED_PASSWORD_PLACEHOLDER,
get_dev_fio_password,
is_hr_auth_enabled,
)
from ..db import get_engine, get_hr_engine
from ..db import get_engine, get_session
from ..messages import RU
from ..models import User
from .hr_role import map_hr_role_to_app
@dataclass
class AuthUser:
id: str # UUID в виде строки
id: str
login: str
full_name: str | None
role: str
@@ -37,20 +36,17 @@ class AuthUser:
staff_id: Optional[int]
def to_public_dict(self) -> dict:
out = {
return {
'id': str(self.id),
'login': self.login,
'fullName': self.full_name,
'role': self.role,
'departmentId': self.department_id,
'departmentId': str(self.department_id) if self.department_id else None,
'staffId': self.staff_id,
}
out['staffId'] = self.staff_id
return out
class AuthError(Exception):
"""Ошибка авторизации с HTTP-кодом и сообщением для пользователя."""
def __init__(self, status: int, message: str) -> None:
super().__init__(message)
self.status = status
@@ -58,7 +54,6 @@ class AuthError(Exception):
def _verify_password(plain: str, hashed: str | None) -> bool:
"""Универсальная проверка пароля: bcrypt + Werkzeug (scrypt/pbkdf2)."""
if not hashed:
return False
if hashed == HR_MANAGED_PASSWORD_PLACEHOLDER:
@@ -79,53 +74,136 @@ def _verify_password(plain: str, hashed: str | None) -> bool:
return False
def _user_to_auth(user: User) -> AuthUser:
return AuthUser(
id=str(user.id),
login=user.login,
full_name=user.full_name,
role=user.role,
department_id=str(user.department_id) if user.department_id else None,
staff_id=user.staff_id,
)
def _normalize_fio(s: str) -> str:
"""Приводим ФИО к одному виду: trim, пробелы, неразрывный пробел, много переводов строк."""
t = str(s or '')
t = t.replace('\u00a0', ' ')
return re.sub(r'\s+', ' ', t).strip()
def authenticate_credentials(login: str, password: str) -> AuthUser:
"""Главная точка входа. Возвращает AuthUser или поднимает AuthError."""
login = (login or '').strip()
password = password or ''
if not login or not password:
raise AuthError(400, RU['loginAndPasswordRequired'])
# Dev-режим: вход по ФИО из HR с общим паролем
dev_pw = get_dev_fio_password()
if dev_pw and password.strip() == dev_pw.strip():
try:
return _authenticate_dev_fio(login)
except AuthError:
pass # если ФИО не найдено — продолжаем обычную проверку
if is_hr_auth_enabled():
return _authenticate_via_hr(login, password)
return _authenticate_local(login, password)
# ─── локальный режим ────────────────────────────────────────────────
def _authenticate_dev_fio(fio_raw: str) -> AuthUser:
"""Dev-режим: найти сотрудника по ФИО в HR-системе и создать/обновить локального пользователя."""
from ..db import get_hr_engine
hr_eng = get_hr_engine()
if hr_eng is None:
raise AuthError(500, RU['hrDatabaseUrlMissing'])
fio_needle = _normalize_fio(fio_raw)
if not fio_needle:
raise AuthError(401, RU['invalidCredentials'])
needle = fio_needle.lower()
with hr_eng.connect() as hr_conn:
rows = hr_conn.execute(
text(
"""
SELECT id, fio, web_login
FROM staff_members
WHERE fio IS NOT NULL
AND lower(
regexp_replace(
trim(replace(replace(coalesce(fio, ''), chr(160), ' '), E'\\t', ' ')),
'[[:space:]]+', ' ', 'g'
)
) = :needle
"""
),
{'needle': needle},
).mappings().all()
if len(rows) != 1:
raise AuthError(401, RU['invalidCredentials'])
s = rows[0]
web_login = (s['web_login'] or '').strip() or f'fio_{s["id"]}'
staff_id = int(s['id'])
full_name = s['fio'] or fio_raw
session = get_session()
user = session.query(User).filter(User.staff_id == staff_id).first()
if not user:
# Не переиспользовать строку другого человека только по совпадению логина HR
occupied = session.query(User).filter(User.login == web_login).first()
login_val = web_login
if occupied and occupied.staff_id != staff_id:
login_val = f'hr_staff_{staff_id}'
user = User(
login=login_val,
password_hash=HR_MANAGED_PASSWORD_PLACEHOLDER,
full_name=full_name,
role='employee',
is_active=True,
staff_id=staff_id,
)
session.add(user)
else:
user.full_name = full_name
user.password_hash = HR_MANAGED_PASSWORD_PLACEHOLDER
user.is_active = True
# Обновить логин с HR только если конфликта нет
if web_login != user.login:
taken = session.query(User).filter(
User.login == web_login,
User.id != user.id,
).first()
if not taken:
user.login = web_login
session.commit()
session.refresh(user)
return _user_to_auth(user)
def _authenticate_local(login: str, password: str) -> AuthUser:
eng = get_engine()
with eng.connect() as conn:
row = conn.execute(
text(
'SELECT id, login, password_hash, full_name, role, department_id, staff_id '
'FROM users WHERE login = :login AND is_active = true'
),
{'login': login},
).mappings().first()
if not row:
raise AuthError(401, RU['invalidCredentials'])
if row['password_hash'] == HR_MANAGED_PASSWORD_PLACEHOLDER:
raise AuthError(401, RU['useHrLogin'])
if not _verify_password(password, row['password_hash']):
raise AuthError(401, RU['invalidCredentials'])
return AuthUser(
id=str(row['id']),
login=row['login'],
full_name=row['full_name'],
role=row['role'],
department_id=row['department_id'],
staff_id=row['staff_id'],
session = get_session()
user = (
session.query(User)
.filter(User.login == login, User.is_active.is_(True))
.first()
)
if not user:
raise AuthError(401, RU['invalidCredentials'])
if user.password_hash == HR_MANAGED_PASSWORD_PLACEHOLDER:
raise AuthError(401, RU['useHrLogin'])
if not _verify_password(password, user.password_hash):
raise AuthError(401, RU['invalidCredentials'])
return _user_to_auth(user)
# ─── HR_AUTH=1 ──────────────────────────────────────────────────────
def _authenticate_via_hr(login: str, password: str) -> AuthUser:
from ..db import get_hr_engine
hr_eng = get_hr_engine()
if hr_eng is None:
raise AuthError(500, RU['hrDatabaseUrlMissing'])
@@ -157,61 +235,48 @@ def _authenticate_via_hr(login: str, password: str) -> AuthUser:
fio = s['fio'] or login
app_role = map_hr_role_to_app(u['role'])
eng = get_engine()
with eng.begin() as conn:
row = conn.execute(
text(
"""
INSERT INTO users (login, password_hash, full_name, role,
department_id, is_active, staff_id)
VALUES (:login, :ph, :fn, :role, NULL, true, :staff_id)
ON CONFLICT (staff_id) DO UPDATE SET
login = EXCLUDED.login,
full_name = EXCLUDED.full_name,
role = EXCLUDED.role,
password_hash = EXCLUDED.password_hash
RETURNING id, login, full_name, role, department_id, staff_id
"""
),
{
'login': login,
'ph': HR_MANAGED_PASSWORD_PLACEHOLDER,
'fn': fio,
'role': app_role,
'staff_id': staff_id,
},
).mappings().first()
return AuthUser(
id=str(row['id']),
login=row['login'],
full_name=row['full_name'],
role=row['role'],
department_id=row['department_id'],
staff_id=row['staff_id'],
)
# UPSERT через ORM: ищем по staff_id, затем по login, затем создаём
session = get_session()
user = session.query(User).filter(User.staff_id == staff_id).first()
if not user:
# при первом входе staff_id ещё не проставлен — ищем по login
user = session.query(User).filter(User.login == login).first()
if user:
user.login = login
user.full_name = fio
user.role = app_role
user.password_hash = HR_MANAGED_PASSWORD_PLACEHOLDER
user.staff_id = staff_id
user.is_active = True
else:
user = User(
login=login,
password_hash=HR_MANAGED_PASSWORD_PLACEHOLDER,
full_name=fio,
role=app_role,
is_active=True,
staff_id=staff_id,
)
session.add(user)
session.commit()
session.refresh(user)
return _user_to_auth(user)
def load_user_by_id(user_id: str) -> Optional[AuthUser]:
"""Догружает пользователя из `clinic_tests.users` (используется при каждом запросе)."""
if not user_id:
return None
eng = get_engine()
with eng.connect() as conn:
row = conn.execute(
text(
'SELECT id, login, full_name, role, department_id, staff_id '
'FROM users WHERE id = :id AND is_active = true'
),
{'id': user_id},
).mappings().first()
if not row:
session = get_session()
try:
import uuid as _uuid
uid = _uuid.UUID(user_id)
except (ValueError, AttributeError):
return None
return AuthUser(
id=str(row['id']),
login=row['login'],
full_name=row['full_name'],
role=row['role'],
department_id=row['department_id'],
staff_id=row['staff_id'],
user = (
session.query(User)
.filter(User.id == uid, User.is_active.is_(True))
.first()
)
if not user:
return None
return _user_to_auth(user)