diff --git a/db.sqlite3 b/db.sqlite3
index bc4f13b..fb0e914 100644
Binary files a/db.sqlite3 and b/db.sqlite3 differ
diff --git a/elastic/es_connect.py b/elastic/es_connect.py
index a8fce2c..46c2575 100644
--- a/elastic/es_connect.py
+++ b/elastic/es_connect.py
@@ -531,3 +531,37 @@ def update_user_permission(username, new_permission):
except Exception as e:
print(f"更新用户权限失败: {str(e)}")
return False
+
+def delete_user_by_id(user_id):
+ try:
+ search = UserDocument.search()
+ search = search.query("term", user_id=int(user_id))
+ response = search.execute()
+ if response.hits:
+ user = response.hits[0]
+ user.delete()
+ return True
+ return False
+ except Exception as e:
+ print(f"删除用户失败: {str(e)}")
+ return False
+
+def update_user_by_id(user_id, username=None, permission=None, password=None):
+ try:
+ search = UserDocument.search()
+ search = search.query("term", user_id=int(user_id))
+ response = search.execute()
+ if response.hits:
+ user = response.hits[0]
+ if username is not None:
+ user.username = username
+ if permission is not None:
+ user.permission = int(permission)
+ if password is not None:
+ user.password = password
+ user.save()
+ return True
+ return False
+ except Exception as e:
+ print(f"更新用户失败: {str(e)}")
+ return False
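Review bot: `update_user_by_id` stores the password exactly as received on the `user.password = password` line, and nothing in this hunk hashes it; unless `UserDocument` hashes on save, a password change through this path writes the plaintext credential into Elasticsearch (the same `password` value reaches `write_user_data` from `add_user` in views.py). Hash before assignment, matching whatever the login path compares against, or if the stored form is produced upstream, state that contract in a docstring: `"""Update the user whose user_id matches; `password`, when given, must already be in the stored (hashed) form."""`. Both functions also act only on `response.hits[0]`, so if the index ever holds two documents with the same user_id the others are silently left untouched, which is worth a comment on the `user = response.hits[0]` line. A non-numeric `user_id` raises in `int(user_id)` and is swallowed by the broad `except`, surfacing only as a `print` to stdout and a generic `False`; using `logging.exception` instead of `print` would keep the cause. The `update_user_permission` function whose tail appears at the top of the hunk starts outside it.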
diff --git a/elastic/templates/elastic/users.html b/elastic/templates/elastic/users.html
index ea2008c..406dc68 100644
--- a/elastic/templates/elastic/users.html
+++ b/elastic/templates/elastic/users.html
@@ -322,8 +322,8 @@
@@ -408,7 +408,7 @@
const row = document.createElement('tr');
// 根据权限值显示权限名称
- const permissionText = user.permission === 1 ? '管理员' : '普通用户';
+ const permissionText = user.permission === 0 ? '管理员' : '普通用户';
row.innerHTML = `
${user.user_id} |
diff --git a/elastic/urls.py b/elastic/urls.py
index d5aa741..39ae962 100644
--- a/elastic/urls.py
+++ b/elastic/urls.py
@@ -24,6 +24,8 @@ urlpatterns = [
path('users/add/', views.add_user, name='add_user'),
path('users//delete/', views.delete_user, name='delete_user'),
path('users//update/', views.update_user, name='update_user'),
+ path('users//delete/', views.delete_user_by_id_view, name='delete_user_by_id'),
+ path('users//update/', views.update_user_by_id_view, name='update_user_by_id'),
# 图片上传与确认
path('upload-page/', views.upload_page, name='upload_page'),
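Review bot: The two added routes share their literal path with the existing username-based entries directly above them (the converters are not visible in this rendering, which shows `users//delete/`). If the earlier entries use `<str:username>` and the new ones `<int:user_id>`, Django takes the first match in list order and the `str` converter accepts purely numeric segments, so `users/7/delete/` would be dispatched to `delete_user` instead of `delete_user_by_id_view`, skipping the login and permission checks the new views add. Either move the `<int:user_id>` entries above the `<str:username>` ones or give them a distinct prefix, e.g. `path('users/id/<int:user_id>/delete/', views.delete_user_by_id_view, name='delete_user_by_id')`. The hunk header promises one more context line than is shown, so confirm the ordering against the full `urlpatterns`.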
diff --git a/elastic/views.py b/elastic/views.py
index 92678f5..19db34c 100644
--- a/elastic/views.py
+++ b/elastic/views.py
@@ -11,7 +11,7 @@ from django.http import JsonResponse
from django.shortcuts import render
from django.views.decorators.http import require_http_methods
from django.views.decorators.csrf import ensure_csrf_cookie
-from django.views.decorators.csrf import csrf_exempt, ensure_csrf_cookie
+from django.views.decorators.csrf import csrf_exempt, ensure_csrf_cookie, csrf_protect
from .es_connect import *
from openai import OpenAI
from PIL import Image
@@ -184,25 +184,53 @@ def get_data(request, doc_id):
@require_http_methods(["POST"])
-@csrf_exempt
+@csrf_protect
def add_user(request):
- """添加用户"""
+ if request.session.get("user_id") is None:
+ return JsonResponse({"status": "error", "message": "未登录"}, status=401)
+ if request.session.get("permission", 1) != 0:
+ return JsonResponse({"status": "error", "message": "无权限"}, status=403)
try:
- data = json.loads(request.body.decode('utf-8'))
- success = write_user_data(data)
- if success:
- return JsonResponse({"status": "success", "message": "用户添加成功"})
- else:
- return JsonResponse({"status": "error", "message": "用户添加失败"}, status=500)
- except Exception as e:
- return JsonResponse({"status": "error", "message": str(e)}, status=500)
+ payload = json.loads(request.body.decode("utf-8"))
+ except Exception:
+ return JsonResponse({"status": "error", "message": "JSON无效"}, status=400)
+ username = (payload.get("username") or "").strip()
+ password = (payload.get("password") or "").strip()
+ try:
+ permission = int(payload.get("permission", 1))
+ except Exception:
+ permission = 1
+ if not username:
+ return JsonResponse({"status": "error", "message": "用户名不能为空"}, status=400)
+ if password and len(password) < 6:
+ return JsonResponse({"status": "error", "message": "密码长度至少为6位"}, status=400)
+ existing = get_user_by_username(username)
+ if existing:
+ return JsonResponse({"status": "error", "message": "用户名已存在"}, status=409)
+ users = get_all_users()
+ next_id = (max([int(u.get("user_id", 0)) for u in users]) + 1) if users else 1
+ ok = write_user_data({
+ "user_id": next_id,
+ "username": username,
+ "password": password,
+ "permission": permission,
+ })
+ if not ok:
+ return JsonResponse({"status": "error", "message": "用户添加失败"}, status=500)
+ return JsonResponse({"status": "success", "message": "用户添加成功"})
@require_http_methods(["GET"])
def get_users(request):
- """获取所有用户"""
+ if request.session.get("user_id") is None:
+ return JsonResponse({"status": "error", "message": "未登录"}, status=401)
+ if request.session.get("permission", 1) != 0:
+ return JsonResponse({"status": "error", "message": "无权限"}, status=403)
try:
+ q = (request.GET.get("search") or "").strip()
users = get_all_users()
+ if q:
+ users = [u for u in users if q in str(u.get("username", ""))]
return JsonResponse({"status": "success", "data": users})
except Exception as e:
return JsonResponse({"status": "error", "message": str(e)}, status=500)
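Review bot: `add_user` accepts an empty password: the guard `if password and len(password) < 6` only fires when one was supplied, so a payload without `password` creates an account stored with `"password": ""`; change it to `if len(password) < 6:` so the minimum applies unconditionally. `permission` is any integer the caller sends and only 0 is treated as admin by the session checks, so reject other values up front with `if permission not in (0, 1): return JsonResponse({"status": "error", "message": "权限值无效"}, status=400)`. The password is forwarded to `write_user_data` as received, so unless that helper hashes it the credential is stored in plaintext. `next_id` is `max + 1` over a search result, which two concurrent adds (or a search that has not refreshed yet) can turn into a duplicate `user_id` that the first-hit-only `update_user_by_id`/`delete_user_by_id` helpers cannot disambiguate. In `get_users`, if `get_all_users()` returns the stored password field it is sent to the browser unfiltered; project the response to `user_id`, `username` and `permission`.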
@@ -228,7 +256,7 @@ def update_user(request, username):
"""更新用户权限"""
try:
data = json.loads(request.body.decode('utf-8'))
- new_permission = data.get('permission', 1)
+ new_permission = int(data.get('permission', 1))
success = update_user_permission(username, new_permission)
if success:
return JsonResponse({"status": "success", "message": "用户权限更新成功"})
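Review bot: The added `int(...)` cast turns a non-numeric `permission` into a `ValueError` that the broad `except` below reports as a 500 carrying `str(e)`; a 400 with a fixed message is the right response, e.g. wrap it as `try: new_permission = int(data.get('permission', 1))` / `except (TypeError, ValueError): return JsonResponse({"status": "error", "message": "权限值无效"}, status=400)`. The start of `update_user` is outside this hunk, and the visible context shows none of the `未登录`/`无权限` checks the commit adds to `update_user_by_id_view`; if the legacy username-based `update_user` and `delete_user` routes stay reachable without that gate, they remain a way to set `permission` to 0 for any username without being an admin. Apply the same session and permission checks there (or retire the old routes now that the id-based ones exist), and restrict the value to `(0, 1)` as the new views should.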
@@ -237,6 +265,48 @@ def update_user(request, username):
except Exception as e:
return JsonResponse({"status": "error", "message": str(e)}, status=500)
+@require_http_methods(["POST"])
+@csrf_protect
+def update_user_by_id_view(request, user_id):
+ if request.session.get("user_id") is None:
+ return JsonResponse({"status": "error", "message": "未登录"}, status=401)
+ if request.session.get("permission", 1) != 0:
+ return JsonResponse({"status": "error", "message": "无权限"}, status=403)
+ try:
+ payload = json.loads(request.body.decode("utf-8"))
+ except Exception:
+ return JsonResponse({"status": "error", "message": "JSON无效"}, status=400)
+ new_username = (payload.get("username") or "").strip()
+ new_permission = payload.get("permission")
+ new_password = (payload.get("password") or "").strip()
+ if new_username:
+ other = get_user_by_username(new_username)
+ if other and int(other.get("user_id", -1)) != int(user_id):
+ return JsonResponse({"status": "error", "message": "用户名已存在"}, status=409)
+ if new_password and len(new_password) < 6:
+ return JsonResponse({"status": "error", "message": "密码长度至少为6位"}, status=400)
+ ok = update_user_by_id(
+ user_id,
+ username=new_username if new_username else None,
+ permission=int(new_permission) if new_permission is not None else None,
+ password=new_password if new_password else None,
+ )
+ if not ok:
+ return JsonResponse({"status": "error", "message": "用户更新失败"}, status=500)
+ return JsonResponse({"status": "success", "message": "用户更新成功"})
+
+@require_http_methods(["POST"])
+@csrf_protect
+def delete_user_by_id_view(request, user_id):
+ if request.session.get("user_id") is None:
+ return JsonResponse({"status": "error", "message": "未登录"}, status=401)
+ if request.session.get("permission", 1) != 0:
+ return JsonResponse({"status": "error", "message": "无权限"}, status=403)
+ ok = delete_user_by_id(user_id)
+ if not ok:
+ return JsonResponse({"status": "error", "message": "用户删除失败"}, status=500)
+ return JsonResponse({"status": "success", "message": "用户删除成功"})
+
# 辅助:JSON 转换(兼容 a.py 行为)
def json_to_string(obj):
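Review bot: Both new views authorize from `request.session.get("permission")` but only write the change to Elasticsearch, so demoting or deleting an account leaves that account's live session untouched — a demoted admin keeps passing the `!= 0` check until the session expires — and an admin can delete or demote their own account (including the last one) with no guard. Add `if int(user_id) == int(request.session.get("user_id", -1)): return JsonResponse({"status": "error", "message": "不能操作当前登录用户"}, status=400)` before the write in both views, and consider re-reading the caller's permission from the store per request rather than trusting the session copy. In `update_user_by_id_view` the `int(new_permission)` on the call line sits outside any `try`, so a non-numeric value raises an unhandled `ValueError` (an HTML 500 rather than the JSON the client expects); parse it once with `try/except (TypeError, ValueError)` returning 400 and reject anything outside `(0, 1)`. `new_password` is passed on unhashed unless `update_user_by_id` hashes it, which the es_connect hunk does not show.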
@@ -466,3 +536,17 @@ def manage_page(request):
user_id_qs = request.GET.get("user_id")
context = {"items": results, "user_id": user_id_qs or session_user_id}
return render(request, "elastic/manage.html", context)
+
+@require_http_methods(["GET"])
+@ensure_csrf_cookie
+def user_manage(request):
+ session_user_id = request.session.get("user_id")
+ if session_user_id is None:
+ from django.shortcuts import redirect
+ return redirect("/accounts/login/")
+ if request.session.get("permission", 1) != 0:
+ from django.shortcuts import redirect
+ return redirect("/main/home/")
+ user_id_qs = request.GET.get("user_id")
+ context = {"user_id": user_id_qs or session_user_id}
+ return render(request, "elastic/users.html", context)
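Review bot: Style: `user_manage` imports `redirect` inside both early-return branches (`from django.shortcuts import redirect` twice) while `render` already comes from the module-level `from django.shortcuts import render` line; fold it into that import as `from django.shortcuts import render, redirect` and drop the two local imports, matching how the rest of views.py brings Django names in. The login redirect also drops the original URL, so `redirect("/accounts/login/?next=/elastic/users/")` (or the reversed path) would return the admin to this page after signing in. The context lets a `?user_id=` query parameter override the session's id (`user_id_qs or session_user_id`), mirroring `manage_page`; that is harmless if users.html uses it for display only, but if the template feeds it into the `/users/<id>/update/` calls it changes which record gets edited, so a comment such as `# user_id from the query string is for display; mutations are authorised server-side` would pin the intent.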
diff --git a/main/templates/main/home.html b/main/templates/main/home.html
index 83ba9bc..6bef3af 100644
--- a/main/templates/main/home.html
+++ b/main/templates/main/home.html
@@ -141,6 +141,9 @@
主页
图片上传与识别
数据管理
+ {% if is_admin %}
+ 用户管理
+ {% endif %}
{% csrf_token %}
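Review bot: The `{% if is_admin %}` guard reads a context variable that no view in this diff sets, so unless the home view already passes `is_admin` the `用户管理` link never renders for anyone; the natural source is the same session value the server checks, e.g. `"is_admin": request.session.get("permission", 1) == 0` in the home view's context. Hiding the link is convenience only — the `permission != 0` redirect in `user_manage` is the check that actually enforces access, which is worth a template comment such as `{# link is cosmetic; user_manage enforces admin access server-side #}`.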