Journaling improvements

2026-04-03 03:57:20 -04:00
parent 2dce14507b
commit dee58e0aae
18 changed files with 1061 additions and 44 deletions
@@ -3,6 +3,8 @@ from sqlalchemy.orm import Session
 from app.models.ppr import User
 from app.schemas.ppr import UserCreate, UserUpdate
 from app.core.security import get_password_hash, verify_password
+from app.models.journal import EntityType
+from app.crud.crud_journal import journal


 class CRUDUser:
@@ -15,7 +17,7 @@ class CRUDUser:
    def get_multi(self, db: Session, skip: int = 0, limit: int = 100) -> List[User]:
        return db.query(User).offset(skip).limit(limit).all()

-    def create(self, db: Session, obj_in: UserCreate) -> User:
+    def create(self, db: Session, obj_in: UserCreate, admin_user: str = "system") -> User:
        hashed_password = get_password_hash(obj_in.password)
        db_obj = User(
            username=obj_in.username,
@@ -25,17 +27,46 @@ class CRUDUser:
        db.add(db_obj)
        db.commit()
        db.refresh(db_obj)
+        
+        # Log user creation in journal
+        journal.log_change(
+            db,
+            EntityType.USER,
+            db_obj.id,
+            f"User created: {obj_in.username} with role {obj_in.role}",
+            admin_user,
+            None
+        )
+        
        return db_obj

-    def update(self, db: Session, db_obj: User, obj_in: UserUpdate) -> User:
+    def update(self, db: Session, db_obj: User, obj_in: UserUpdate, admin_user: str = "system") -> User:
        update_data = obj_in.dict(exclude_unset=True)
+        changes = []
        if "password" in update_data:
            update_data["password"] = get_password_hash(update_data["password"])
+            changes.append("password changed")
        for field, value in update_data.items():
-            setattr(db_obj, field, value)
+            old_value = getattr(db_obj, field)
+            if field == "password" or old_value != value:
+                if field != "password":  # Don't log actual password values
+                    changes.append(f"{field} changed from '{old_value}' to '{value}'")
+                setattr(db_obj, field, value)
        db.add(db_obj)
        db.commit()
        db.refresh(db_obj)
+        
+        # Log user update in journal
+        if changes:
+            journal.log_change(
+                db,
+                EntityType.USER,
+                db_obj.id,
+                "; ".join(changes),
+                admin_user,
+                None
+            )
+        
        return db_obj

    def authenticate(self, db: Session, username: str, password: str) -> Optional[User]:
@@ -50,13 +81,24 @@ class CRUDUser:
        # For future use if we add user status
        return True

-    def change_password(self, db: Session, db_obj: User, new_password: str) -> User:
+    def change_password(self, db: Session, db_obj: User, new_password: str, admin_user: str = "system") -> User:
        """Change a user's password (typically used by admins to reset another user's password)"""
        hashed_password = get_password_hash(new_password)
        db_obj.password = hashed_password
        db.add(db_obj)
        db.commit()
        db.refresh(db_obj)
+        
+        # Log password change in journal (security audit)
+        journal.log_change(
+            db,
+            EntityType.USER,
+            db_obj.id,
+            f"Password changed by {admin_user}",
+            admin_user,
+            None
+        )
+        
        return db_obj