added manager user type

2025-06-05 14:43:06 +02:00
parent 164e8373a4
commit 33f6e0386b
24 changed files with 226 additions and 128 deletions
--- a/routes/rooms.py
+++ b/routes/rooms.py
@@ -85,7 +85,7 @@ def create_room():
@require_password_change
 def room(room_id):
    room = Room.query.get_or_404(room_id)
-    # Admins always have access
+    # Admins always have access, managers need to be members
    if not current_user.is_admin:
        is_member = RoomMemberPermission.query.filter_by(room_id=room_id, user_id=current_user.id).first() is not None
        if not is_member:
@@ -116,14 +116,15 @@ def room(room_id):
@require_password_change
 def room_members(room_id):
    room = Room.query.get_or_404(room_id)
-    # Admins always have access
+    # Check if user is a member
    if not current_user.is_admin:
        is_member = RoomMemberPermission.query.filter_by(room_id=room_id, user_id=current_user.id).first() is not None
        if not is_member:
            flash('You do not have access to this room.', 'error')
            return redirect(url_for('rooms.rooms'))
-    if not current_user.is_admin:
-        flash('Only administrators can manage room members.', 'error')
+    # Only admins and managers who are members can manage room members
+    if not (current_user.is_admin or (current_user.is_manager and is_member)):
+        flash('Only administrators and managers can manage room members.', 'error')
        return redirect(url_for('rooms.room', room_id=room_id))
    member_permissions = {p.user_id: p for p in room.member_permissions}
    available_users = User.query.filter(~User.id.in_(member_permissions.keys())).all()
@@ -139,8 +140,9 @@ def add_member(room_id):
    if not is_member:
        flash('You do not have access to this room.', 'error')
        return redirect(url_for('rooms.rooms'))
-    if not current_user.is_admin:
-        flash('Only administrators can manage room members.', 'error')
+    # Only admins and managers who are members can manage room members
+    if not (current_user.is_admin or (current_user.is_manager and is_member)):
+        flash('Only administrators and managers can manage room members.', 'error')
        return redirect(url_for('rooms.room', room_id=room_id))
    user_id = request.form.get('user_id')
    if not user_id:
@@ -211,59 +213,30 @@ def remove_member(room_id, user_id):
    if not is_member:
        flash('You do not have access to this room.', 'error')
        return redirect(url_for('rooms.rooms'))
-    if not current_user.is_admin:
-        flash('Only administrators can manage room members.', 'error')
+    # Only admins and managers who are members can manage room members
+    if not (current_user.is_admin or (current_user.is_manager and is_member)):
+        flash('Only administrators and managers can manage room members.', 'error')
        return redirect(url_for('rooms.room', room_id=room_id))
    if user_id == room.created_by:
        flash('Cannot remove the room creator.', 'error')
    else:
        perm = RoomMemberPermission.query.filter_by(room_id=room_id, user_id=user_id).first()
-        if not perm:
-            flash('User is not a member of this room.', 'error')
+        if perm:
+            db.session.delete(perm)
+            db.session.commit()
+            flash('Member has been removed from the room.', 'success')
        else:
-            user = User.query.get(user_id)
-            try:
-                # Create notification for the removed user
-                create_notification(
-                    notif_type='room_invite_removed',
-                    user_id=user_id,
-                    sender_id=current_user.id,
-                    details={
-                        'message': f'You have been removed from room "{room.name}"',
-                        'room_id': room_id,
-                        'room_name': room.name,
-                        'removed_by': f"{current_user.username} {current_user.last_name}",
-                        'timestamp': datetime.utcnow().isoformat()
-                    }
-                )
-                
-                log_event(
-                    event_type='room_member_remove',
-                    details={
-                        'room_id': room_id,
-                        'room_name': room.name,
-                        'removed_user': f"{user.username} {user.last_name}",
-                        'removed_by': f"{current_user.username} {current_user.last_name}"
-                    },
-                    user_id=current_user.id
-                )
-                
-                db.session.delete(perm)
-                db.session.commit()
-                flash('User has been removed from the room.', 'success')
-            except Exception as e:
-                db.session.rollback()
-                flash('An error occurred while removing the member.', 'error')
-                print(f"Error removing member: {str(e)}")
-                
+            flash('Member not found.', 'error')
    return redirect(url_for('rooms.room_members', room_id=room_id))

@rooms_bp.route('/<int:room_id>/members/<int:user_id>/permissions', methods=['POST'])
@login_required
 def update_member_permissions(room_id, user_id):
    room = Room.query.get_or_404(room_id)
-    if not current_user.is_admin:
-        flash('Only administrators can update permissions.', 'error')
+    # Check if user is a member
+    is_member = RoomMemberPermission.query.filter_by(room_id=room_id, user_id=current_user.id).first() is not None
+    if not (current_user.is_admin or (current_user.is_manager and is_member)):
+        flash('Only administrators and managers can update permissions.', 'error')
        return redirect(url_for('rooms.room_members', room_id=room_id))
    perm = RoomMemberPermission.query.filter_by(room_id=room_id, user_id=user_id).first()
    if not perm:
@@ -312,11 +285,13 @@ def update_member_permissions(room_id, user_id):
@rooms_bp.route('/<int:room_id>/edit', methods=['GET', 'POST'])
@login_required
 def edit_room(room_id):
-    if not current_user.is_admin:
-        flash('Only administrators can edit rooms.', 'error')
+    room = Room.query.get_or_404(room_id)
+    # Check if user is a member
+    is_member = RoomMemberPermission.query.filter_by(room_id=room_id, user_id=current_user.id).first() is not None
+    if not (current_user.is_admin or (current_user.is_manager and is_member)):
+        flash('Only administrators and managers can edit rooms.', 'error')
        return redirect(url_for('rooms.rooms'))
    
-    room = Room.query.get_or_404(room_id)
    form = RoomForm()
    
    if form.validate_on_submit():
@@ -354,11 +329,13 @@ def edit_room(room_id):
@rooms_bp.route('/<int:room_id>/delete', methods=['POST'])
@login_required
 def delete_room(room_id):
-    if not current_user.is_admin:
-        flash('Only administrators can delete rooms.', 'error')
+    room = Room.query.get_or_404(room_id)
+    # Check if user is a member
+    is_member = RoomMemberPermission.query.filter_by(room_id=room_id, user_id=current_user.id).first() is not None
+    if not (current_user.is_admin or (current_user.is_manager and is_member)):
+        flash('Only administrators and managers can delete rooms.', 'error')
        return redirect(url_for('rooms.rooms'))
    
-    room = Room.query.get_or_404(room_id)
    room_name = room.name
    
    try: