From 5c3cce15564f1a96bba69ae1b186cc1b2b55e004 Mon Sep 17 00:00:00 2001
From: Kobe
Date: Tue, 10 Jun 2025 07:45:27 +0200
Subject: [PATCH] Update admin_api.py

---
 routes/admin_api.py | 43 +++++++++++++++++++++----------------------
 1 file changed, 21 insertions(+), 22 deletions(-)

diff --git a/routes/admin_api.py b/routes/admin_api.py
index 7f80ec5..14c6da3 100644
--- a/routes/admin_api.py
+++ b/routes/admin_api.py
@@ -4,14 +4,13 @@ from models import (
     KeyValueSettings, User, Room, Conversation, RoomFile,
     SiteSettings, DocuPulseSettings, Event, Mail, ManagementAPIKey
 )
-from extensions import db
+from extensions import db, csrf
 from datetime import datetime, timedelta
 import os
 import jwt
 from werkzeug.security import generate_password_hash
 import secrets
 from flask_login import login_user
-from flask_wtf.csrf import csrf_exempt
 
 admin_api = Blueprint('admin_api', __name__)
 
@@ -73,7 +72,7 @@ def validate_management_api_key(api_key):
         return False
 
 @admin_api.route('/login', methods=['POST'])
-@csrf_exempt
+@csrf.exempt
 def admin_login():
     try:
         # Check if this is an API request
@@ -132,7 +131,7 @@ def admin_login():
         return redirect(url_for('auth.login'))
 
 @admin_api.route('/management-token', methods=['POST'])
-@csrf_exempt
+@csrf.exempt
 def get_management_token():
     """Generate a JWT token for the management tool using API key authentication"""
     api_key = request.headers.get('X-API-Key')
@@ -150,7 +149,7 @@ def get_management_token():
     })
 
 @admin_api.route('/management-api-key', methods=['POST'])
-@csrf_exempt
+@csrf.exempt
 @token_required
 def create_management_api_key(current_user):
     """Create a new API key for the management tool (only accessible by admin users)"""
@@ -178,7 +177,7 @@ def create_management_api_key(current_user):
     }), 201
 
 @admin_api.route('/management-api-keys', methods=['GET'])
-@csrf_exempt
+@csrf.exempt
 @token_required
 def list_management_api_keys(current_user):
     """List all management API keys (only accessible by admin users)"""
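Review bot: `@csrf.exempt` on `admin_login` removes CSRF protection from an endpoint that calls `login_user` and, judging by the `# Check if this is an API request` context line and the `redirect(url_for('auth.login'))` visible in the next hunk, also serves a browser form path; that leaves the form path open to login CSRF. Exempting is only justified for requests authenticated by something a cross-site form cannot supply (an API key or bearer token in a header), so either keep the form login on a CSRF-protected route or call `csrf.protect()` explicitly in the non-API branch. The body of `admin_login` lies outside the hunk, so the dual-path behaviour is inferred from the context lines and should be confirmed.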
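Review bot: The blanket `@csrf.exempt` stacked on every `@token_required` view, starting with `create_management_api_key` here and repeated in the same form in every later hunk of this file through `resend_setup_mail`, is sound only if `token_required` authenticates exclusively from a header-carried JWT and never falls back to the Flask-Login session cookie; if it does fall back, the exempted POST/PUT/DELETE routes become writable from a cross-site page. A comment above the first exempted view should record that invariant, e.g. `# csrf.exempt is safe here only because token_required accepts a bearer JWT and never the session cookie`. Note also that `CSRFProtect.exempt` keys the exemption on the decorated function's `__module__` and `__name__`, so `token_required` must preserve them with `functools.wraps`; its definition is outside this diff.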
@@ -196,7 +195,7 @@ def list_management_api_keys(current_user):
     } for key in keys])
 
 @admin_api.route('/management-api-key/', methods=['DELETE'])
-@csrf_exempt
+@csrf.exempt
 @token_required
 def revoke_management_api_key(current_user, key_id):
     """Revoke a management API key (only accessible by admin users)"""
@@ -213,7 +212,7 @@ def revoke_management_api_key(current_user, key_id):
 
 # Key-Value Settings CRUD
 @admin_api.route('/key-value', methods=['GET'])
-@csrf_exempt
+@csrf.exempt
 @token_required
 def get_key_values(current_user):
     settings = KeyValueSettings.query.all()
@@ -228,7 +227,7 @@ def get_key_value(current_user, key):
     return jsonify({'key': setting.key, 'value': setting.value})
 
 @admin_api.route('/key-value', methods=['POST'])
-@csrf_exempt
+@csrf.exempt
 @token_required
 def create_key_value(current_user):
     data = request.get_json()
@@ -241,7 +240,7 @@ def create_key_value(current_user):
     return jsonify({'message': 'Key-value pair created successfully'}), 201
 
 @admin_api.route('/key-value/', methods=['PUT'])
-@csrf_exempt
+@csrf.exempt
 @token_required
 def update_key_value(current_user, key):
     setting = KeyValueSettings.query.filter_by(key=key).first()
@@ -257,7 +256,7 @@ def update_key_value(current_user, key):
     return jsonify({'message': 'Key-value pair updated successfully'})
 
 @admin_api.route('/key-value/', methods=['DELETE'])
-@csrf_exempt
+@csrf.exempt
 @token_required
 def delete_key_value(current_user, key):
     setting = KeyValueSettings.query.filter_by(key=key).first()
@@ -270,7 +269,7 @@ def delete_key_value(current_user, key):
 
 # Contacts (Users) CRUD
 @admin_api.route('/contacts', methods=['GET'])
-@csrf_exempt
+@csrf.exempt
 @token_required
 def get_contacts(current_user):
     users = User.query.all()
@@ -287,7 +286,7 @@ def get_contacts(current_user):
     } for user in users])
 
 @admin_api.route('/contacts/', methods=['GET'])
-@csrf_exempt
+@csrf.exempt
 @token_required
 def get_contact(current_user, user_id):
     user = User.query.get(user_id)
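Review bot: The route string `'/management-api-key/'` as rendered carries no `<int:key_id>` converter even though `revoke_management_api_key` takes `key_id`, and the same shape appears on the `/key-value/`, `/contacts/` and `/resend-setup-mail/` routes in this and the following hunks. This is most likely the page rendering dropping the angle-bracket placeholder rather than the source itself; if the source really reads this way, Flask would call the view without `key_id` and fail with a TypeError on every request. Worth confirming against the file directly, since the diff leaves these context lines untouched.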
@@ -306,7 +305,7 @@ def get_contact(current_user, user_id):
     })
 
 @admin_api.route('/contacts', methods=['POST'])
-@csrf_exempt
+@csrf.exempt
 @token_required
 def create_contact(current_user):
     data = request.get_json()
@@ -332,7 +331,7 @@ def create_contact(current_user):
     return jsonify({'message': 'Contact created successfully', 'id': user.id}), 201
 
 @admin_api.route('/contacts/', methods=['PUT'])
-@csrf_exempt
+@csrf.exempt
 @token_required
 def update_contact(current_user, user_id):
     user = User.query.get(user_id)
@@ -359,7 +358,7 @@ def update_contact(current_user, user_id):
     return jsonify({'message': 'Contact updated successfully'})
 
 @admin_api.route('/contacts/', methods=['DELETE'])
-@csrf_exempt
+@csrf.exempt
 @token_required
 def delete_contact(current_user, user_id):
     user = User.query.get(user_id)
@@ -372,7 +371,7 @@ def delete_contact(current_user, user_id):
 
 # Statistics
 @admin_api.route('/statistics', methods=['GET'])
-@csrf_exempt
+@csrf.exempt
 @token_required
 def get_statistics(current_user):
     room_count = Room.query.count()
@@ -392,7 +391,7 @@ def get_statistics(current_user):
 
 # Website Settings CRUD
 @admin_api.route('/settings', methods=['GET'])
-@csrf_exempt
+@csrf.exempt
 @token_required
 def get_settings(current_user):
     settings = SiteSettings.get_settings()
@@ -414,7 +413,7 @@ def get_settings(current_user):
     })
 
 @admin_api.route('/settings', methods=['PUT'])
-@csrf_exempt
+@csrf.exempt
 @token_required
 def update_settings(current_user):
     settings = SiteSettings.get_settings()
@@ -429,7 +428,7 @@ def update_settings(current_user):
 
 # Website Logs
 @admin_api.route('/logs', methods=['GET'])
-@csrf_exempt
+@csrf.exempt
 @token_required
 def get_logs(current_user):
     page = request.args.get('page', 1, type=int)
@@ -456,7 +455,7 @@ def get_logs(current_user):
 
 # Mail Logs
 @admin_api.route('/mail-logs', methods=['GET'])
-@csrf_exempt
+@csrf.exempt
 @token_required
 def get_mail_logs(current_user):
     page = request.args.get('page', 1, type=int)
@@ -483,7 +482,7 @@ def get_mail_logs(current_user):
 
 # Resend Setup Mail
 @admin_api.route('/resend-setup-mail/', methods=['POST'])
-@csrf_exempt
+@csrf.exempt
 @token_required
 def resend_setup_mail(current_user, user_id):
     user = User.query.get(user_id)