open-webui/backend/apps/web/routers/users.py

from fastapi import Response
from fastapi import Depends, FastAPI, HTTPException, status
from datetime import datetime, timedelta
from typing import List, Union, Optional

from fastapi import APIRouter
from pydantic import BaseModel
import time
import uuid

from apps.web.models.users import UserModel, UserUpdateForm, UserRoleUpdateForm, Users
from apps.web.models.auths import Auths

from utils.utils import get_current_user, get_password_hash
from constants import ERROR_MESSAGES

router = APIRouter()

############################
# GetUsers
############################


@router.get("/", response_model=List[UserModel])
async def get_users(skip: int = 0, limit: int = 50, user=Depends(get_current_user)):
    if user.role != "admin":
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
        )
    return Users.get_users(skip, limit)


############################
# UpdateUserById
############################


@router.post("/{user_id}/update", response_model=Optional[UserModel])
async def update_user_by_id(
    user_id: str, form_data: UserUpdateForm, session_user=Depends(get_current_user)
):
    if session_user.role != "admin":
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
        )

    user = Users.get_user_by_id(user_id)

    if user:
        if form_data.email != user.email:
            email_user = Users.get_user_by_email(form_data.email)
            if email_user:
                raise HTTPException(
                    status_code=status.HTTP_400_BAD_REQUEST,
                    detail=ERROR_MESSAGES.EMAIL_TAKEN,
                )

        if form_data.password:
            hashed = get_password_hash(form_data.password)
            print(hashed)
            Auths.update_user_password_by_id(user_id, hashed)

        Auths.update_email_by_id(user_id, form_data.email)
        updated_user = Users.update_user_by_id(
            user_id,
            {
                "name": form_data.name,
                "email": form_data.email,
                "profile_image_url": form_data.profile_image_url,
            },
        )

        if updated_user:
            return updated_user
        else:
            raise HTTPException(
                status_code=status.HTTP_400_BAD_REQUEST,
                detail=ERROR_MESSAGES.DEFAULT(),
            )

    else:
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=ERROR_MESSAGES.USER_NOT_FOUND,
        )


############################
# DeleteUserById
############################


@router.delete("/{user_id}", response_model=bool)
async def delete_user_by_id(user_id: str, user=Depends(get_current_user)):
    if user.role == "admin":
        if user.id != user_id:
            result = Auths.delete_auth_by_id(user_id)

            if result:
                return True
            else:
                raise HTTPException(
                    status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
                    detail=ERROR_MESSAGES.DELETE_USER_ERROR,
                )
        else:
            raise HTTPException(
                status_code=status.HTTP_403_FORBIDDEN,
                detail=ERROR_MESSAGES.ACTION_PROHIBITED,
            )
    else:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
        )
feat: admin panel added 2023-11-19 09:13:59 +01:00			`from fastapi import Response`
			`from fastapi import Depends, FastAPI, HTTPException, status`
			`from datetime import datetime, timedelta`
			`from typing import List, Union, Optional`

			`from fastapi import APIRouter`
			`from pydantic import BaseModel`
			`import time`
			`import uuid`

feat: edit user support 2024-01-06 05:59:56 +01:00			`from apps.web.models.users import UserModel, UserUpdateForm, UserRoleUpdateForm, Users`
fix: delete auth with user 2023-12-29 08:24:51 +01:00			`from apps.web.models.auths import Auths`

feat: edit user support 2024-01-06 05:59:56 +01:00			`from utils.utils import get_current_user, get_password_hash`
feat: admin panel added 2023-11-19 09:13:59 +01:00			`from constants import ERROR_MESSAGES`

			`router = APIRouter()`

			`############################`
			`# GetUsers`
			`############################`


			`@router.get("/", response_model=List[UserModel])`
feat: edit user support 2024-01-06 05:59:56 +01:00			`async def get_users(skip: int = 0, limit: int = 50, user=Depends(get_current_user)):`
refac: use dependencies to verify token - feat: added new util to get the current user when needed. Middleware was adding authentication logic to all the routes. let's revisit if we can move the non-auth endpoints to a separate route. - refac: update the routes to use new helpers for verification and retrieving user - chore: added black for local formatting of py code 2023-12-30 11:53:33 +01:00			`if user.role != "admin":`
feat: admin panel added 2023-11-19 09:13:59 +01:00			`raise HTTPException(`
refac: use dependencies to verify token - feat: added new util to get the current user when needed. Middleware was adding authentication logic to all the routes. let's revisit if we can move the non-auth endpoints to a separate route. - refac: update the routes to use new helpers for verification and retrieving user - chore: added black for local formatting of py code 2023-12-30 11:53:33 +01:00			`status_code=status.HTTP_403_FORBIDDEN,`
			`detail=ERROR_MESSAGES.ACCESS_PROHIBITED,`
feat: admin panel added 2023-11-19 09:13:59 +01:00			`)`
refac: use dependencies to verify token - feat: added new util to get the current user when needed. Middleware was adding authentication logic to all the routes. let's revisit if we can move the non-auth endpoints to a separate route. - refac: update the routes to use new helpers for verification and retrieving user - chore: added black for local formatting of py code 2023-12-30 11:53:33 +01:00			`return Users.get_users(skip, limit)`
feat: admin panel added 2023-11-19 09:13:59 +01:00

			`############################`
feat: edit user support 2024-01-06 05:59:56 +01:00			`# UpdateUserById`
feat: admin panel added 2023-11-19 09:13:59 +01:00			`############################`


feat: edit user support 2024-01-06 05:59:56 +01:00			`@router.post("/{user_id}/update", response_model=Optional[UserModel])`
			`async def update_user_by_id(`
			`user_id: str, form_data: UserUpdateForm, session_user=Depends(get_current_user)`
			`):`
			`if session_user.role != "admin":`
refac: use dependencies to verify token - feat: added new util to get the current user when needed. Middleware was adding authentication logic to all the routes. let's revisit if we can move the non-auth endpoints to a separate route. - refac: update the routes to use new helpers for verification and retrieving user - chore: added black for local formatting of py code 2023-12-30 11:53:33 +01:00			`raise HTTPException(`
			`status_code=status.HTTP_403_FORBIDDEN,`
			`detail=ERROR_MESSAGES.ACCESS_PROHIBITED,`
			`)`
feat: admin panel added 2023-11-19 09:13:59 +01:00
feat: edit user support 2024-01-06 05:59:56 +01:00			`user = Users.get_user_by_id(user_id)`

			`if user:`
			`if form_data.email != user.email:`
			`email_user = Users.get_user_by_email(form_data.email)`
			`if email_user:`
			`raise HTTPException(`
			`status_code=status.HTTP_400_BAD_REQUEST,`
			`detail=ERROR_MESSAGES.EMAIL_TAKEN,`
			`)`

			`if form_data.password:`
			`hashed = get_password_hash(form_data.password)`
			`print(hashed)`
			`Auths.update_user_password_by_id(user_id, hashed)`

			`Auths.update_email_by_id(user_id, form_data.email)`
			`updated_user = Users.update_user_by_id(`
			`user_id,`
			`{`
			`"name": form_data.name,`
			`"email": form_data.email,`
			`"profile_image_url": form_data.profile_image_url,`
			`},`
			`)`

			`if updated_user:`
			`return updated_user`
			`else:`
			`raise HTTPException(`
			`status_code=status.HTTP_400_BAD_REQUEST,`
			`detail=ERROR_MESSAGES.DEFAULT(),`
			`)`

feat: admin panel added 2023-11-19 09:13:59 +01:00			`else:`
			`raise HTTPException(`
feat: edit user support 2024-01-06 05:59:56 +01:00			`status_code=status.HTTP_400_BAD_REQUEST,`
			`detail=ERROR_MESSAGES.USER_NOT_FOUND,`
feat: admin panel added 2023-11-19 09:13:59 +01:00			`)`
feat: delete user backend support 2023-12-29 08:02:49 +01:00

			`############################`
fix: delete auth with user 2023-12-29 08:24:51 +01:00			`# DeleteUserById`
feat: delete user backend support 2023-12-29 08:02:49 +01:00			`############################`


			`@router.delete("/{user_id}", response_model=bool)`
fix: merge conflicts 2023-12-30 12:00:21 +01:00			`async def delete_user_by_id(user_id: str, user=Depends(get_current_user)):`
			`if user.role == "admin":`
			`if user.id != user_id:`
			`result = Auths.delete_auth_by_id(user_id)`

			`if result:`
			`return True`
feat: delete user backend support 2023-12-29 08:02:49 +01:00			`else:`
			`raise HTTPException(`
fix: merge conflicts 2023-12-30 12:00:21 +01:00			`status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,`
			`detail=ERROR_MESSAGES.DELETE_USER_ERROR,`
feat: delete user backend support 2023-12-29 08:02:49 +01:00			`)`
			`else:`
			`raise HTTPException(`
			`status_code=status.HTTP_403_FORBIDDEN,`
fix: merge conflicts 2023-12-30 12:00:21 +01:00			`detail=ERROR_MESSAGES.ACTION_PROHIBITED,`
feat: delete user backend support 2023-12-29 08:02:49 +01:00			`)`
			`else:`
			`raise HTTPException(`
fix: merge conflicts 2023-12-30 12:00:21 +01:00			`status_code=status.HTTP_403_FORBIDDEN,`
			`detail=ERROR_MESSAGES.ACCESS_PROHIBITED,`
feat: delete user backend support 2023-12-29 08:02:49 +01:00			`)`