ppr-ng/backend/app/crud/crud_user.py

from typing import List, Optional
from sqlalchemy.orm import Session
from app.models.ppr import User
from app.schemas.ppr import UserCreate, UserUpdate
from app.core.security import get_password_hash, verify_password
from app.models.journal import EntityType
from app.crud.crud_journal import journal


class CRUDUser:
    def get(self, db: Session, user_id: int) -> Optional[User]:
        return db.query(User).filter(User.id == user_id).first()

    def get_by_username(self, db: Session, username: str) -> Optional[User]:
        return db.query(User).filter(User.username == username).first()

    def get_multi(self, db: Session, skip: int = 0, limit: int = 100) -> List[User]:
        return db.query(User).offset(skip).limit(limit).all()

    def create(self, db: Session, obj_in: UserCreate, admin_user: str = "system") -> User:
        hashed_password = get_password_hash(obj_in.password)
        db_obj = User(
            username=obj_in.username,
            password=hashed_password,
            role=obj_in.role
        )
        db.add(db_obj)
        db.commit()
        db.refresh(db_obj)
        
        # Log user creation in journal
        journal.log_change(
            db,
            EntityType.USER,
            db_obj.id,
            f"User created: {obj_in.username} with role {obj_in.role}",
            admin_user,
            None
        )
        
        return db_obj

    def update(self, db: Session, db_obj: User, obj_in: UserUpdate, admin_user: str = "system") -> User:
        update_data = obj_in.dict(exclude_unset=True)
        changes = []
        if "password" in update_data:
            update_data["password"] = get_password_hash(update_data["password"])
            changes.append("password changed")
        for field, value in update_data.items():
            old_value = getattr(db_obj, field)
            if field == "password" or old_value != value:
                if field != "password":  # Don't log actual password values
                    changes.append(f"{field} changed from '{old_value}' to '{value}'")
                setattr(db_obj, field, value)
        db.add(db_obj)
        db.commit()
        db.refresh(db_obj)
        
        # Log user update in journal
        if changes:
            journal.log_change(
                db,
                EntityType.USER,
                db_obj.id,
                "; ".join(changes),
                admin_user,
                None
            )
        
        return db_obj

    def authenticate(self, db: Session, username: str, password: str) -> Optional[User]:
        user = self.get_by_username(db, username=username)
        if not user:
            return None
        if not verify_password(password, user.password):
            return None
        return user

    def is_active(self, user: User) -> bool:
        # For future use if we add user status
        return True

    def change_password(self, db: Session, db_obj: User, new_password: str, admin_user: str = "system") -> User:
        """Change a user's password (typically used by admins to reset another user's password)"""
        hashed_password = get_password_hash(new_password)
        db_obj.password = hashed_password
        db.add(db_obj)
        db.commit()
        db.refresh(db_obj)
        
        # Log password change in journal (security audit)
        journal.log_change(
            db,
            EntityType.USER,
            db_obj.id,
            f"Password changed by {admin_user}",
            admin_user,
            None
        )
        
        return db_obj


user = CRUDUser()