refine account managing

project/auth.py

@@ -87,7 +87,6 @@ def logout():
 @auth.route('/manage', methods=['POST'])
 @login_required
 def manage_post():
-    if current_user.role == "admin":
     method = request.form.get('method')
     id = request.form.get('id')
     email = request.form.get('email')
@@ -95,20 +94,28 @@ def manage_post():
     role = request.form.get('role')
     isActivated = True if request.form.get(
         'isActivated') == "true" else False
+    if current_user.role == "admin":
         if method == "update":
             account = User.query.filter_by(
                 id=id, email=email, name=name).first()
             if account:
-                print(account)
+                if current_user.id != 1 and account.role == "admin" and role == "user":
+                    return "fail 您无权移除管理员！"
+                if current_user.id != 1 and account.isActivated and not isActivated:
+                    return "fail 您无权禁用管理员！"
+
                 if db.session.query(User).filter(User.id == id).update({"role": role, "isActivated": isActivated}) and not db.session.commit():
                     time.sleep(0.05)
                     return "success"
                 else:
-                    time.sleep(0.1)
+                    time.sleep(0.05)
                     return "fail db_commit"
             time.sleep(1)
             return "fail no account"
         if method == "delete":
+            if role == "admin" and id != current_user.id:
+                return "fail 无法直接删除管理员"
+
             account = User.query.filter_by(
                 id=id, email=email, name=name, role=role, isActivated=isActivated).first()
             if account:
@@ -121,5 +128,9 @@ def manage_post():
             time.sleep(1)
             return "fail no account"
 
+    if current_user.id == id and current_user.role == "user":
+        flash("暂时无法更改信息")
+        return redirect(url_for('main.index'))
+
     flash("您无权管理其他账户")
     return redirect(url_for('main.index'))

project/templates/manage.html

@@ -75,8 +75,12 @@
       data: data,
       success: null,
       dataType: null
-    });
+    }).always(function (data) {
+        if (data.startsWith("fail")) {
+          alert(data);
+        }
         location.reload();
+      });
   }
 
   function delete_account(obj) {
@@ -89,16 +93,31 @@
       role: account?.children[3]?.children[0].value,
       isActivated: account?.children[4].children[0].checked
     }
+    var ret = confirm("确认删除用户\"" + data.name + "\"吗？")
+    if (ret == true) {
       $.ajax({
         type: 'POST',
         url: "{{ url_for('main.manage') }}",
         data: data,
         success: null,
         dataType: null
-    });
+      }).always(function (data) {
+        if (data.startsWith("fail")) {
+          alert(data);
+        }
         location.reload();
+      });
+    }
   }
 
 </script>
 
+{% with messages = get_flashed_messages() %}
+{% if messages %}
+<div class="notification is-danger">
+  {{ messages[0] }}
+</div>
+{% endif %}
+{% endwith %}
+
 {% endblock %}

project/templates/profile.html

@@ -45,4 +45,13 @@
 <!-- 未激活 -->
 <p class="text-warning">您的账号暂未激活，请等待管理员激活此账号。</p>
 {% endif %}
+
+{% with messages = get_flashed_messages() %}
+{% if messages %}
+<div class="notification is-danger">
+  {{ messages[0] }}
+</div>
+{% endif %}
+{% endwith %}
+
 {% endblock %}