From 85dd7bc9910a96110429a530f95d2e9fd1b01486 Mon Sep 17 00:00:00 2001
From: DSQ <d1594965367@qq.com>
Date: Sun, 15 Mar 2026 17:49:53 +0800
Subject: [PATCH] [0.2.7.3][ci]

---
 accounts/templates/accounts/profile.html |  3 +-
 elastic/templates/elastic/users.html     |  4 ++
 elastic/views.py                         | 60 ++++++++++++++++++++----
 3 files changed, 55 insertions(+), 12 deletions(-)

diff --git a/accounts/templates/accounts/profile.html b/accounts/templates/accounts/profile.html
index 67cb4b0..2431e5b 100644
--- a/accounts/templates/accounts/profile.html
+++ b/accounts/templates/accounts/profile.html
@@ -36,7 +36,6 @@
     .msg { margin-top: 10px; font-size: 13px; }
     .msg.error { color: #b91c1c; }
     .msg.success { color: #166534; }
-    .profile-card.pwd-card { max-width: 560px; padding: 24px; }
     
     /* 图片放大模态框 */
     .image-modal { position: fixed; inset: 0; background: rgba(0,0,0,0.8); display: none; align-items: center; justify-content: center; z-index: 2000; }
@@ -74,7 +73,7 @@
     </div>
 
     {% if permission_name != "管理员" and not profile_user.manage_key %}
-    <div class="profile-card pwd-card">
+    <div class="profile-card">
       <div class="profile-header">
         <div class="profile-info">
           <h2>修改密码</h2>
diff --git a/elastic/templates/elastic/users.html b/elastic/templates/elastic/users.html
index e501af4..ebf86f4 100644
--- a/elastic/templates/elastic/users.html
+++ b/elastic/templates/elastic/users.html
@@ -282,6 +282,7 @@
               <th>用户ID</th>
               <th>用户名</th>
               <th>Key</th>
+              <th>Manage Key</th>
               <th>权限</th>
               <th>操作</th>
             </tr>
@@ -398,11 +399,14 @@
                 const permissionText = Number(user.permission) === 0 ? '管理员' : '普通用户';
                 const keys = Array.isArray(user.key) ? user.key : (user.key ? [user.key] : []);
                 const keysText = keys.map(k => String(k || '').trim()).filter(Boolean).join('、') || '-';
+                const manageKeys = Array.isArray(user.manage_key) ? user.manage_key : (user.manage_key ? [user.manage_key] : []);
+                const manageKeysText = manageKeys.map(k => String(k || '').trim()).filter(Boolean).join('、') || '-';
 
                     row.innerHTML = `
                         <td>${user.user_id}</td>
                         <td>${user.username}</td>
                         <td>${keysText}</td>
+                        <td>${manageKeysText}</td>
                         <td>${permissionText}</td>
                         <td class="action-buttons">
                             <button class="btn btn-success edit-btn" data-user='${JSON.stringify(user)}'>编辑</button>
diff --git a/elastic/views.py b/elastic/views.py
index b282624..1cab903 100644
--- a/elastic/views.py
+++ b/elastic/views.py
@@ -463,7 +463,11 @@ def get_users(request):
                     ukeys = {str(x).strip() for x in (user.get("key") or []) if str(x).strip()}
                 except Exception:
                     ukeys = set()
-                return k in ukeys
+                try:
+                    umkeys = {str(x).strip() for x in (user.get("manage_key") or []) if str(x).strip()}
+                except Exception:
+                    umkeys = set()
+                return (k in ukeys) or (k in umkeys)
             filtered = [u for u in filtered if match_key(u)]
         if q:
             filtered = [u for u in filtered if q in str(u.get("username", ""))]
@@ -1139,18 +1143,54 @@ def keys_for_filter_view(request):
     if uid is None:
         return JsonResponse({"status": "error", "message": "未登录"}, status=401)
     is_admin = int(request.session.get("permission", 1)) == 0
-    if is_admin:
-        lst = get_keys_list()
-        return JsonResponse({"status": "success", "data": lst})
-    me = get_user_by_id(uid) or {}
-    seen = set()
-    out = []
-    for v in list(me.get("manage_key") or []) + list(me.get("key") or []):
-        s = str(v).strip()
+    try:
+        users = get_all_users() or []
+    except Exception:
+        users = []
+
+    def norm(v):
+        return str(v).strip().strip(";")
+
+    def add(out, seen, v):
+        s = norm(v)
         if not s or s in seen:
-            continue
+            return
         seen.add(s)
         out.append(s)
+
+    if is_admin:
+        out = []
+        seen = set()
+        for v in get_keys_list() or []:
+            add(out, seen, v)
+        for u in users:
+            for v in list(u.get("manage_key") or []) + list(u.get("key") or []):
+                add(out, seen, v)
+        return JsonResponse({"status": "success", "data": out})
+
+    me = get_user_by_id(uid) or {}
+    mgr_keys = {norm(x) for x in (me.get("manage_key") or []) if norm(x)}
+    visible_users = []
+    if mgr_keys:
+        for u in users:
+            try:
+                ukeys = {norm(x) for x in (u.get("key") or []) if norm(x)}
+            except Exception:
+                ukeys = set()
+            if ukeys & mgr_keys:
+                visible_users.append(u)
+        if str(me.get("user_id")) not in {str(u.get("user_id")) for u in visible_users}:
+            visible_users.append(me)
+    else:
+        visible_users = [me]
+
+    out = []
+    seen = set()
+    for v in list(me.get("manage_key") or []) + list(me.get("key") or []):
+        add(out, seen, v)
+    for u in visible_users:
+        for v in list(u.get("manage_key") or []) + list(u.get("key") or []):
+            add(out, seen, v)
     return JsonResponse({"status": "success", "data": out})
 
 @require_http_methods(["POST"])