Simon/MClogger
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

modified: web/blueprints/auth.py

Browse Source 
modified:   web/blueprints/group_admin.py
	modified:   web/config.py
	modified:   web/panel_db.py
	new file:   web/templates/auth/accept_invite.html
	modified:   web/templates/group_admin/base.html
	modified:   web/templates/group_admin/members.html
This commit is contained in:
simon
2026-04-13 10:26:47 +02:00
parent 484687a076
commit 6b13ea5c22
7 changed files with 404 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
web/blueprints/auth.py
View File

@@ -3,8 +3,9 @@ MCLogger Authentifizierung
Getrennte Login-Seiten für Site-Admins und normale Nutzer/Gruppen-Admins. Getrennte Login-Seiten für Site-Admins und normale Nutzer/Gruppen-Admins.
""" """
import json import json
from datetime import datetime
from flask import Blueprint, render_template, request, redirect, url_for, session, flash from flask import Blueprint, render_template, request, redirect, url_for, session, flash
from panel_db import check_login, get_user_groups from panel_db import accept_group_invite, check_login, get_invite_by_token, get_user_groups
auth = Blueprint("auth", __name__) auth = Blueprint("auth", __name__)
@@ -72,6 +73,42 @@ def switch_group(group_id):
return redirect(url_for("panel.dashboard")) return redirect(url_for("panel.dashboard"))
@auth.route("/invite/<token>", methods=["GET", "POST"])
def accept_invite(token):
if session.get("user_id"):
return redirect(url_for("panel.dashboard"))
invite = get_invite_by_token(token)
if not invite:
flash("Invitation not found.", "danger")
return redirect(url_for("auth.login"))
is_expired = invite["expires_at"] <= datetime.utcnow()
is_invalid = bool(invite.get("accepted_at") or invite.get("revoked_at") or is_expired)
error = None
if request.method == "POST" and not is_invalid:
password = request.form.get("password", "")
confirm_password = request.form.get("confirm_password", "")
if len(password) < 8:
error = "Password must be at least 8 characters long."
elif password != confirm_password:
error = "Passwords do not match."
else:
result = accept_group_invite(token, password)
if result is None:
flash("Invitation is no longer valid.", "danger")
return redirect(url_for("auth.login"))
if result.get("error") == "username_or_email_taken":
error = "The invited username or email is already in use. Please contact your administrator."
else:
flash("Your account has been created. You can now sign in.", "success")
return redirect(url_for("auth.login"))
return render_template("auth/accept_invite.html", invite=invite, is_invalid=is_invalid, is_expired=is_expired, error=error)
def _set_user_session(user, groups): def _set_user_session(user, groups):
session["user_id"] = user["id"] session["user_id"] = user["id"]
session["username"] = user["username"] session["username"] = user["username"]

49
web/blueprints/group_admin.py
View File

@@ -63,11 +63,12 @@ def members():
group_id = session["group_id"] group_id = session["group_id"]
group = db.get_group_by_id(group_id) group = db.get_group_by_id(group_id)
members = db.get_group_members(group_id) members = db.get_group_members(group_id)
pending_invites = db.list_active_group_invites(group_id)
all_users = db.list_all_users() all_users = db.list_all_users()
member_ids = {m["id"] for m in members} member_ids = {m["id"] for m in members}
non_members = [u for u in all_users if u["id"] not in member_ids and not u["is_site_admin"]] non_members = [u for u in all_users if u["id"] not in member_ids and not u["is_site_admin"]]
return render_template("group_admin/members.html", return render_template("group_admin/members.html",
group=group, members=members, non_members=non_members, group=group, members=members, non_members=non_members, pending_invites=pending_invites,
all_permissions=ALL_PERMISSIONS) all_permissions=ALL_PERMISSIONS)
@@ -83,6 +84,52 @@ def member_add():
return redirect(url_for("group_admin.members")) return redirect(url_for("group_admin.members"))
@group_admin.route("/members/invite", methods=["POST"])
@group_admin_required
def member_invite():
group_id = session["group_id"]
username = request.form.get("username", "").strip()
email = request.form.get("email", "").strip()
role = request.form.get("role", "member")
if not username or not email:
flash("Username and email are required.", "danger")
return redirect(url_for("group_admin.members"))
if "@" not in email:
flash("Please provide a valid email address.", "danger")
return redirect(url_for("group_admin.members"))
if role not in {"member", "admin"}:
flash("Invalid role selected.", "danger")
return redirect(url_for("group_admin.members"))
if db.get_user_by_username(username):
flash("Username already exists.", "danger")
return redirect(url_for("group_admin.members"))
if db.get_user_by_email(email):
flash("Email address is already in use.", "danger")
return redirect(url_for("group_admin.members"))
if db.get_active_invite_by_email(group_id, email):
flash("There is already an active invitation for this email in the group.", "danger")
return redirect(url_for("group_admin.members"))
token = db.create_group_invite(group_id, username, email, role, session["user_id"])
invite_url = url_for("auth.accept_invite", token=token, _external=True)
flash(f"Invitation created for '{username}'. Share this link: {invite_url}", "success")
return redirect(url_for("group_admin.members"))
@group_admin.route("/invites/<int:invite_id>/revoke", methods=["POST"])
@group_admin_required
def revoke_invite(invite_id):
db.revoke_group_invite(invite_id, session["group_id"])
flash("Invitation revoked.", "success")
return redirect(url_for("group_admin.members"))
@group_admin.route("/members/<int:user_id>/edit", methods=["GET", "POST"]) @group_admin.route("/members/<int:user_id>/edit", methods=["GET", "POST"])
@group_admin_required @group_admin_required
def member_edit(user_id): def member_edit(user_id):

2
web/config.py
View File

@@ -49,6 +49,8 @@ class Config:
FERNET_KEY = os.getenv("FERNET_KEY", "") FERNET_KEY = os.getenv("FERNET_KEY", "")
# ── Standard-Berechtigungen neuer Gruppenmitglieder ─────── # ── Standard-Berechtigungen neuer Gruppenmitglieder ───────
INVITE_EXPIRY_HOURS = int(os.getenv("INVITE_EXPIRY_HOURS") or "72")
DEFAULT_PERMISSIONS = { DEFAULT_PERMISSIONS = {
"view_dashboard": True, "view_dashboard": True,
"view_players": True, "view_players": True,

143
web/panel_db.py
View File

@@ -4,6 +4,8 @@ Verwaltet Nutzer, Gruppen, Mitgliedschaften (PANEL_DB)
und verschlüsselte MC-DB-Zugangsdaten (CREDS_DB). und verschlüsselte MC-DB-Zugangsdaten (CREDS_DB).
""" """
import json import json
import secrets
from datetime import datetime, timedelta
import pymysql import pymysql
import pymysql.cursors import pymysql.cursors
from config import Config from config import Config
@@ -98,6 +100,23 @@ PANEL_SCHEMA = [
FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE, FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE,
FOREIGN KEY (group_id) REFERENCES user_groups(id) ON DELETE CASCADE FOREIGN KEY (group_id) REFERENCES user_groups(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4""", ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4""",
"""CREATE TABLE IF NOT EXISTS group_invites (
id INT AUTO_INCREMENT PRIMARY KEY,
group_id INT NOT NULL,
invited_username VARCHAR(50) NOT NULL,
invited_email VARCHAR(255) NOT NULL,
role ENUM('admin','member') DEFAULT 'member',
token VARCHAR(128) UNIQUE NOT NULL,
created_by_user_id INT NOT NULL,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
expires_at DATETIME NOT NULL,
accepted_at DATETIME NULL,
revoked_at DATETIME NULL,
UNIQUE KEY uq_group_pending_invite_email (group_id, invited_email, revoked_at, accepted_at),
FOREIGN KEY (group_id) REFERENCES user_groups(id) ON DELETE CASCADE,
FOREIGN KEY (created_by_user_id) REFERENCES users(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4""",
] ]
CREDS_SCHEMA = [ CREDS_SCHEMA = [
@@ -146,6 +165,130 @@ def create_user(username: str, email: str, password: str, is_site_admin: bool =
) )
def create_user_for_group(username: str, email: str, password: str, group_id: int, role: str = "member") -> int:
"""Create a non-site-admin user and assign them to a group atomically."""
permissions = Config.DEFAULT_PERMISSIONS
salt = generate_salt()
pw_hash = hash_password(password, salt)
conn = get_panel_db()
conn.autocommit(False)
try:
with conn.cursor() as cur:
cur.execute(
"INSERT INTO users (username, email, password_hash, salt, is_site_admin) VALUES (%s,%s,%s,%s,%s)",
(username, email, pw_hash, salt, 0),
)
user_id = cur.lastrowid
cur.execute(
"INSERT INTO group_members (user_id, group_id, role, permissions) VALUES (%s,%s,%s,%s)",
(user_id, group_id, role, json.dumps(permissions)),
)
conn.commit()
return user_id
except Exception:
conn.rollback()
raise
finally:
conn.close()
def create_group_invite(group_id: int, username: str, email: str, role: str, created_by_user_id: int) -> str:
expires_at = datetime.utcnow() + timedelta(hours=Config.INVITE_EXPIRY_HOURS)
token = secrets.token_urlsafe(32)
_panel_query(
"INSERT INTO group_invites (group_id, invited_username, invited_email, role, token, created_by_user_id, expires_at) "
"VALUES (%s,%s,%s,%s,%s,%s,%s)",
(group_id, username, email, role, token, created_by_user_id, expires_at),
write=True,
)
return token
def list_active_group_invites(group_id: int):
return _panel_query(
"SELECT gi.*, u.username AS created_by_username "
"FROM group_invites gi "
"JOIN users u ON u.id = gi.created_by_user_id "
"WHERE gi.group_id=%s AND gi.accepted_at IS NULL AND gi.revoked_at IS NULL AND gi.expires_at > UTC_TIMESTAMP() "
"ORDER BY gi.created_at DESC",
(group_id,),
)
def get_active_invite_by_email(group_id: int, email: str):
return _panel_query(
"SELECT * FROM group_invites WHERE group_id=%s AND invited_email=%s "
"AND accepted_at IS NULL AND revoked_at IS NULL AND expires_at > UTC_TIMESTAMP()",
(group_id, email),
fetchone=True,
)
def get_invite_by_token(token: str):
return _panel_query(
"SELECT gi.*, g.name AS group_name, u.username AS created_by_username "
"FROM group_invites gi "
"JOIN user_groups g ON g.id = gi.group_id "
"JOIN users u ON u.id = gi.created_by_user_id "
"WHERE gi.token=%s",
(token,),
fetchone=True,
)
def revoke_group_invite(invite_id: int, group_id: int):
_panel_query(
"UPDATE group_invites SET revoked_at=UTC_TIMESTAMP() WHERE id=%s AND group_id=%s AND accepted_at IS NULL AND revoked_at IS NULL",
(invite_id, group_id),
write=True,
)
def accept_group_invite(token: str, password: str) -> dict | None:
invite = get_invite_by_token(token)
if not invite:
return None
if invite.get("accepted_at") or invite.get("revoked_at"):
return None
if invite["expires_at"] <= datetime.utcnow():
return None
permissions = Config.DEFAULT_PERMISSIONS
salt = generate_salt()
pw_hash = hash_password(password, salt)
conn = get_panel_db()
conn.autocommit(False)
try:
with conn.cursor() as cur:
cur.execute("SELECT id FROM users WHERE username=%s OR email=%s", (invite["invited_username"], invite["invited_email"]))
if cur.fetchone():
conn.rollback()
return {"error": "username_or_email_taken"}
cur.execute(
"INSERT INTO users (username, email, password_hash, salt, is_site_admin) VALUES (%s,%s,%s,%s,%s)",
(invite["invited_username"], invite["invited_email"], pw_hash, salt, 0),
)
user_id = cur.lastrowid
cur.execute(
"INSERT INTO group_members (user_id, group_id, role, permissions) VALUES (%s,%s,%s,%s)",
(user_id, invite["group_id"], invite["role"], json.dumps(permissions)),
)
cur.execute(
"UPDATE group_invites SET accepted_at=UTC_TIMESTAMP() WHERE id=%s AND accepted_at IS NULL AND revoked_at IS NULL",
(invite["id"],),
)
conn.commit()
return {"user_id": user_id, "group_id": invite["group_id"]}
except Exception:
conn.rollback()
raise
finally:
conn.close()
def get_user_by_username(username: str): def get_user_by_username(username: str):
return _panel_query("SELECT * FROM users WHERE username=%s", (username,), fetchone=True) return _panel_query("SELECT * FROM users WHERE username=%s", (username,), fetchone=True)

72
web/templates/auth/accept_invite.html Normal file
View File

@@ -0,0 +1,72 @@
<!DOCTYPE html>
<html lang="en" data-bs-theme="dark">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Accept Invitation</title>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/css/bootstrap.min.css">
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.3/font/bootstrap-icons.min.css">
<style>
body { display: flex; align-items: center; justify-content: center; min-height: 100vh; background: #0d1117; }
.invite-card { width: 100%; max-width: 460px; }
</style>
</head>
<body>
<div class="invite-card p-4">
<div class="text-center mb-4">
<i class="bi bi-envelope-open-heart-fill fs-1 text-success"></i>
<h3 class="fw-bold mt-2">Accept Invitation</h3>
<p class="text-muted small mb-0">Join {{ invite.group_name }} on MCLogger</p>
</div>
<div class="card border-secondary">
<div class="card-body">
<div class="mb-3 small text-muted">
<div><strong>Username:</strong> {{ invite.invited_username }}</div>
<div><strong>Email:</strong> {{ invite.invited_email }}</div>
<div><strong>Role:</strong> {{ invite.role|capitalize }}</div>
<div><strong>Expires:</strong> {{ invite.expires_at | fmt_dt }}</div>
</div>
{% if error %}
<div class="alert alert-danger py-2">{{ error }}</div>
{% endif %}
{% if is_invalid %}
<div class="alert alert-warning mb-0">
{% if is_expired %}
This invitation has expired.
{% elif invite.revoked_at %}
This invitation has been revoked.
{% else %}
This invitation has already been used.
{% endif %}
</div>
{% else %}
<form method="post">
<input type="hidden" name="_csrf_token" value="{{ csrf_token() }}">
<div class="mb-3">
<label class="form-label">Choose Password</label>
<input type="password" name="password" class="form-control" minlength="8" required>
</div>
<div class="mb-3">
<label class="form-label">Confirm Password</label>
<input type="password" name="confirm_password" class="form-control" minlength="8" required>
</div>
<button type="submit" class="btn btn-success w-100">
<i class="bi bi-check2-circle me-1"></i>Create Account
</button>
</form>
{% endif %}
</div>
</div>
<div class="text-center mt-3">
<a href="{{ url_for('auth.login') }}" class="text-muted small">
<i class="bi bi-arrow-left me-1"></i>Back to login
</a>
</div>
</div>
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/js/bootstrap.bundle.min.js"></script>
</body>
</html>

1
web/templates/group_admin/base.html
View File

@@ -44,6 +44,7 @@
{% block content %}{% endblock %} {% block content %}{% endblock %}
</div> </div>
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/js/bootstrap.bundle.min.js"></script> <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/js/bootstrap.bundle.min.js"></script>
<script src="{{ url_for('static', filename='js/main.js') }}"></script>
{% block scripts %}{% endblock %} {% block scripts %}{% endblock %}
</body> </body>
</html> </html>

110
web/templates/group_admin/members.html
View File

@@ -4,7 +4,7 @@
<h2 class="mb-4"><i class="bi bi-people-fill me-2"></i>Members</h2> <h2 class="mb-4"><i class="bi bi-people-fill me-2"></i>Members</h2>
<div class="row g-3"> <div class="row g-3">
<!-- Mitgliederliste --> <!-- Member list -->
<div class="col-md-8"> <div class="col-md-8">
<div class="card border-secondary"> <div class="card border-secondary">
<div class="card-header">Current Members ({{ members|length }})</div> <div class="card-header">Current Members ({{ members|length }})</div>
@@ -46,19 +46,109 @@
</table> </table>
</div> </div>
</div> </div>
<div class="card border-secondary mt-3">
<div class="card-header"><i class="bi bi-envelope-paper-fill me-2"></i>Pending Invitations ({{ pending_invites|length }})</div>
<div class="card-body p-0">
<table class="table table-hover mb-0">
<thead><tr><th>User</th><th>Role</th><th>Expires</th><th class="text-end">Actions</th></tr></thead>
<tbody>
{% for invite in pending_invites %}
{% set invite_url = url_for('auth.accept_invite', token=invite.token, _external=True) %}
<tr>
<td>
<div>{{ invite.invited_username }}</div>
<div class="small text-muted" id="invite-link-{{ invite.id }}">{{ invite.invited_email }}</div>
</td>
<td>
{% if invite.role == 'admin' %}
<span class="badge bg-warning text-dark"><i class="bi bi-star-fill me-1"></i>Admin</span>
{% else %}
<span class="badge bg-secondary">Member</span>
{% endif %}
</td>
<td class="small text-muted">{{ invite.expires_at | fmt_dt }}</td>
<td class="text-end">
<button type="button" class="btn btn-sm btn-outline-primary copy-btn" data-target="#invite-url-{{ invite.id }}" title="Copy invite link">
<i class="bi bi-clipboard"></i>
</button>
<form method="post" action="{{ url_for('group_admin.revoke_invite', invite_id=invite.id) }}" class="d-inline"
onsubmit="return confirm('Revoke invitation for {{ invite.invited_username }}?')">
<input type="hidden" name="_csrf_token" value="{{ csrf_token() }}">
<button type="submit" class="btn btn-sm btn-outline-danger" title="Revoke">
<i class="bi bi-x-lg"></i>
</button>
</form>
<div class="d-none" id="invite-url-{{ invite.id }}">{{ invite_url }}</div>
</td>
</tr>
{% else %}
<tr><td colspan="4" class="text-muted text-center py-3">No pending invitations</td></tr>
{% endfor %}
</tbody>
</table>
</div>
</div>
</div> </div>
<!-- Member invitation note: only Site Admin can add new users to groups --> <!-- Group management actions -->
<div class="col-md-4"> <div class="col-md-4">
<div class="card border-secondary"> <div class="card border-secondary mb-3">
<div class="card-header"><i class="bi bi-info-circle me-2"></i>Note</div> <div class="card-header"><i class="bi bi-person-plus-fill me-2"></i>Add Existing User</div>
<div class="card-body"> <div class="card-body">
<p class="text-muted small"> {% if non_members %}
New members must be added by the <strong>Site Admin</strong>. <form method="post" action="{{ url_for('group_admin.member_add') }}">
</p> <input type="hidden" name="_csrf_token" value="{{ csrf_token() }}">
<p class="text-muted small"> <div class="mb-3">
As group admin you can manage permissions of existing members and remove members. <label class="form-label">User</label>
</p> <select name="user_id" class="form-select" required>
{% for user in non_members %}
<option value="{{ user.id }}">{{ user.username }} ({{ user.email }})</option>
{% endfor %}
</select>
</div>
<div class="mb-3">
<label class="form-label">Role</label>
<select name="role" class="form-select">
<option value="member">Member</option>
<option value="admin">Admin</option>
</select>
</div>
<button type="submit" class="btn btn-outline-success w-100">
<i class="bi bi-person-plus-fill me-1"></i>Add to Group
</button>
</form>
{% else %}
<p class="text-muted small mb-0">No existing users are available to add.</p>
{% endif %}
</div>
</div>
<div class="card border-secondary">
<div class="card-header"><i class="bi bi-envelope-plus-fill me-2"></i>Invite New User</div>
<div class="card-body">
<form method="post" action="{{ url_for('group_admin.member_invite') }}">
<input type="hidden" name="_csrf_token" value="{{ csrf_token() }}">
<div class="mb-3">
<label class="form-label">Username</label>
<input type="text" name="username" class="form-control" maxlength="50" required>
</div>
<div class="mb-3">
<label class="form-label">Email</label>
<input type="email" name="email" class="form-control" maxlength="255" required>
<div class="form-text">The user will receive an invite link and set their own password.</div>
</div>
<div class="mb-3">
<label class="form-label">Role</label>
<select name="role" class="form-select">
<option value="member">Member</option>
<option value="admin">Admin</option>
</select>
</div>
<button type="submit" class="btn btn-success w-100">
<i class="bi bi-envelope-plus-fill me-1"></i>Create Invitation
</button>
</form>
</div> </div>
</div> </div>
</div> </div>