blockmine 1.18.4 → 1.19.1

package/backend/src/api/routes/bots.js

@@ -13,6 +13,7 @@ const { randomUUID } = require('crypto');
 const eventGraphsRouter = require('./eventGraphs');
 const pluginIdeRouter = require('./pluginIde');
 const { deepMergeSettings } = require('../../core/utils/settingsMerger');
+const { checkBotAccess } = require('../middleware/botAccess');
 
 const multer = require('multer');
 const archiver = require('archiver');
@@ -23,6 +24,8 @@ const upload = multer({ storage: multer.memoryStorage() });
 
 const router = express.Router();
 
+router.use('/:botId(\\d+)/*', authenticate, (req, res, next) => checkBotAccess(req, res, next));
+
 const conditionalRestartAuth = (req, res, next) => {
     if (process.env.DEBUG === 'true' || process.env.NODE_ENV === 'development') {
         console.log('[Debug] Роут перезапуска бота доступен без проверки прав');
@@ -60,18 +63,16 @@ const conditionalStartStopAuth = (req, res, next) => {
 };
 
 const conditionalListAuth = (req, res, next) => {
-    if (process.env.DEBUG === 'true' || process.env.NODE_ENV === 'development') {
-        console.log('[Debug] Роут списка ботов/состояния доступен без проверки прав');
-        return next();
-    }
-    
     return authenticate(req, res, (err) => {
         if (err) return next(err);
+        if (process.env.DEBUG === 'true' || process.env.NODE_ENV === 'development') {
+            return next();
+        }
         return authorize('bot:list')(req, res, next);
     });
 };
 
-router.post('/:id/restart', conditionalRestartAuth, async (req, res) => {
+router.post('/:id/restart', conditionalRestartAuth, authenticate, checkBotAccess, async (req, res) => {
     try {
         const botId = parseInt(req.params.id, 10);
         botManager.stopBot(botId);
@@ -89,7 +90,7 @@ router.post('/:id/restart', conditionalRestartAuth, async (req, res) => {
     }
 });
 
-router.post('/:id/chat', conditionalChatAuth, (req, res) => {
+router.post('/:id/chat', conditionalChatAuth, authenticate, checkBotAccess, (req, res) => {
     try {
         const botId = parseInt(req.params.id, 10);
         const { message } = req.body;
@@ -100,7 +101,7 @@ router.post('/:id/chat', conditionalChatAuth, (req, res) => {
     } catch (error) { res.status(500).json({ error: 'Внутренняя ошибка сервера: ' + error.message }); }
 });
 
-router.post('/:id/start', conditionalStartStopAuth, async (req, res) => {
+router.post('/:id/start', conditionalStartStopAuth, authenticate, checkBotAccess, async (req, res) => {
     try {
         const botId = parseInt(req.params.id, 10);
         const botConfig = await prisma.bot.findUnique({ where: { id: botId }, include: { server: true } });
@@ -115,7 +116,7 @@ router.post('/:id/start', conditionalStartStopAuth, async (req, res) => {
     }
 });
 
-router.post('/:id/stop', conditionalStartStopAuth, (req, res) => {
+router.post('/:id/stop', conditionalStartStopAuth, authenticate, checkBotAccess, (req, res) => {
     try {
         const botId = parseInt(req.params.id, 10);
         botManager.stopBot(botId);
@@ -135,15 +136,37 @@ router.get('/', conditionalListAuth, async (req, res) => {
         
         if (botsWithoutSortOrder.length > 0) {
             console.log(`[API] Обновляем sortOrder для ${botsWithoutSortOrder.length} ботов`);
+            
+            const maxSortOrder = await prisma.bot.aggregate({
+                _max: { sortOrder: true }
+            });
+            
+            let nextSortOrder = (maxSortOrder._max.sortOrder || 0) + 1;
+            
             for (const bot of botsWithoutSortOrder) {
                 await prisma.bot.update({
                     where: { id: bot.id },
-                    data: { sortOrder: bot.id }
+                    data: { sortOrder: nextSortOrder }
                 });
+                console.log(`[API] Установлен sortOrder ${nextSortOrder} для бота ${bot.id}`);
+                nextSortOrder++;
+            }
+        }
+
+        let whereFilter = {};
+        if (req.user && typeof req.user.userId === 'number') {
+            const panelUser = await prisma.panelUser.findUnique({
+                where: { id: req.user.userId },
+                include: { botAccess: { select: { botId: true } } }
+            });
+            if (panelUser && panelUser.allBots === false) {
+                const allowedIds = panelUser.botAccess.map(a => a.botId);
+                whereFilter = { id: { in: allowedIds.length ? allowedIds : [-1] } };
             }
         }
         
         const bots = await prisma.bot.findMany({ 
+            where: whereFilter,
             include: { server: true }, 
             orderBy: { sortOrder: 'asc' } 
         });
@@ -161,7 +184,119 @@ router.get('/state', conditionalListAuth, (req, res) => {
     } catch (error) { res.status(500).json({ error: 'Не удалось получить состояние ботов' }); }
 });
 
-router.get('/:id/logs', conditionalListAuth, (req, res) => {
+router.put('/bulk-proxy-update', authenticate, authorize('bot:update'), async (req, res) => {
+    try {
+        const { botIds, proxySettings } = req.body;
+        
+        if (!Array.isArray(botIds) || botIds.length === 0) {
+            return res.status(400).json({ error: 'Bot IDs array is required and cannot be empty' });
+        }
+        
+        if (!proxySettings || !proxySettings.proxyHost || !proxySettings.proxyPort) {
+            return res.status(400).json({ error: 'Proxy host and port are required' });
+        }
+        
+        if (proxySettings.proxyPort < 1 || proxySettings.proxyPort > 65535) {
+            return res.status(400).json({ error: 'Proxy port must be between 1 and 65535' });
+        }
+        
+        const accessibleBots = [];
+        const inaccessibleBots = [];
+        
+        for (const botId of botIds) {
+            try {
+                const userId = req.user?.userId;
+                if (!userId) {
+                    inaccessibleBots.push(botId);
+                    continue;
+                }
+
+                const botIdInt = parseInt(botId, 10);
+                if (isNaN(botIdInt)) {
+                    inaccessibleBots.push(botId);
+                    continue;
+                }
+
+                const user = await prisma.panelUser.findUnique({
+                    where: { id: userId },
+                    include: { botAccess: { select: { botId: true } } }
+                });
+                
+                if (!user) {
+                    inaccessibleBots.push(botId);
+                    continue;
+                }
+
+                if (user.allBots !== false || user.botAccess.some((a) => a.botId === botIdInt)) {
+                    accessibleBots.push(botIdInt);
+                } else {
+                    inaccessibleBots.push(botId);
+                }
+            } catch (error) {
+                console.error(`Error checking access for bot ${botId}:`, error);
+                inaccessibleBots.push(botId);
+            }
+        }
+        
+        if (accessibleBots.length === 0) {
+            return res.status(403).json({ error: 'No accessible bots in the provided list' });
+        }
+        
+        const encryptedSettings = {
+            proxyHost: proxySettings.proxyHost.trim(),
+            proxyPort: parseInt(proxySettings.proxyPort),
+            proxyUsername: proxySettings.proxyUsername ? proxySettings.proxyUsername.trim() : null,
+            proxyPassword: proxySettings.proxyPassword ? encrypt(proxySettings.proxyPassword) : null
+        };
+        
+        const updatedBots = await prisma.$transaction(
+            accessibleBots.map(botId => 
+                prisma.bot.update({
+                    where: { id: parseInt(botId) },
+                    data: encryptedSettings,
+                    include: {
+                        server: {
+                            select: {
+                                id: true,
+                                name: true,
+                                host: true,
+                                port: true,
+                                version: true
+                            }
+                        }
+                    }
+                })
+            )
+        );
+        
+        if (req.io) {
+            req.io.emit('bots-updated', updatedBots);
+        }
+        
+        res.json({
+            success: true,
+            message: `Proxy settings updated for ${updatedBots.length} bot(s)`,
+            updatedBots: updatedBots.map(bot => ({
+                id: bot.id,
+                username: bot.username,
+                proxyHost: bot.proxyHost,
+                proxyPort: bot.proxyPort,
+                server: bot.server
+            })),
+            inaccessibleBots: inaccessibleBots,
+            errors: inaccessibleBots.length > 0 ? [`Access denied to ${inaccessibleBots.length} bot(s)`] : []
+        });
+        
+    } catch (error) {
+        console.error('Bulk proxy update error:', error);
+        res.status(500).json({ 
+            error: 'Failed to update proxy settings',
+            details: error.message 
+        });
+    }
+});
+
+router.get('/:id/logs', conditionalListAuth, authenticate, checkBotAccess, (req, res) => {
     try {
         const botId = parseInt(req.params.id, 10);
         const { limit = 50, offset = 0 } = req.query;
@@ -264,7 +399,7 @@ router.post('/', authorize('bot:create'), async (req, res) => {
     }
 });
 
-router.put('/:id', authorize('bot:update'), async (req, res) => {
+router.put('/:id', authenticate, checkBotAccess, authorize('bot:update'), async (req, res) => {
     try {
         const { 
             username, password, prefix, serverId, note, owners,
@@ -337,76 +472,58 @@ router.put('/:id', authorize('bot:update'), async (req, res) => {
     }
 });
 
-router.put('/:id/sort-order', authorize('bot:update'), async (req, res) => {
+router.put('/:id/sort-order', authenticate, checkBotAccess, authorize('bot:update'), async (req, res) => {
     try {
-        const { newPosition } = req.body;
+        const { newPosition, oldIndex, newIndex } = req.body;
         const botId = parseInt(req.params.id, 10);
         
-        console.log(`[API] Запрос на изменение порядка бота ${botId} на позицию ${newPosition}`);
+        console.log(`[API] Запрос на изменение порядка бота ${botId}: oldIndex=${oldIndex}, newIndex=${newIndex}, newPosition=${newPosition}`);
         
-        if (isNaN(botId) || typeof newPosition !== 'number') {
-            console.log(`[API] Неверные параметры: botId=${botId}, newPosition=${newPosition}`);
-            return res.status(400).json({ error: 'Неверные параметры' });
+        if (isNaN(botId)) {
+            console.log(`[API] Неверный botId: ${botId}`);
+            return res.status(400).json({ error: 'Неверный ID бота' });
         }
 
-        const currentBot = await prisma.bot.findUnique({
-            where: { id: botId },
-            select: { sortOrder: true }
+        const allBots = await prisma.bot.findMany({
+            orderBy: { sortOrder: 'asc' },
+            select: { id: true, sortOrder: true }
         });
 
-        if (!currentBot) {
+        console.log(`[API] Всего ботов: ${allBots.length}`);
+        const currentBotIndex = allBots.findIndex(bot => bot.id === botId);
+        if (currentBotIndex === -1) {
             console.log(`[API] Бот ${botId} не найден`);
             return res.status(404).json({ error: 'Бот не найден' });
         }
 
-        const currentPosition = currentBot.sortOrder;
-        console.log(`[API] Текущая позиция бота ${botId}: ${currentPosition}, новая позиция: ${newPosition}`);
-        
-        if (newPosition === currentPosition) {
+        if (newIndex < 0 || newIndex >= allBots.length) {
+            console.log(`[API] Неверная новая позиция: ${newIndex}`);
+            return res.status(400).json({ error: 'Неверная позиция' });
+        }
+
+        if (currentBotIndex === newIndex) {
             console.log(`[API] Позиция не изменилась для бота ${botId}`);
             return res.json({ success: true, message: 'Позиция не изменилась' });
         }
+        const reorderedBots = [...allBots];
+        const [movedBot] = reorderedBots.splice(currentBotIndex, 1);
+        reorderedBots.splice(newIndex, 0, movedBot);
 
-        if (newPosition > currentPosition) {
-            console.log(`[API] Перемещаем бота ${botId} вниз с позиции ${currentPosition} на ${newPosition}`);
-            const updateResult = await prisma.bot.updateMany({
-                where: {
-                    sortOrder: {
-                        gt: currentPosition,
-                        lte: newPosition
-                    }
-                },
-                data: {
-                    sortOrder: {
-                        decrement: 1
-                    }
-                }
-            });
-            console.log(`[API] Обновлено ${updateResult.count} ботов при перемещении вниз`);
-        } else {
-            console.log(`[API] Перемещаем бота ${botId} вверх с позиции ${currentPosition} на ${newPosition}`);
-            const updateResult = await prisma.bot.updateMany({
-                where: {
-                    sortOrder: {
-                        gte: newPosition,
-                        lt: currentPosition
-                    }
-                },
-                data: {
-                    sortOrder: {
-                        increment: 1
-                    }
-                }
-            });
-            console.log(`[API] Обновлено ${updateResult.count} ботов при перемещении вверх`);
+        console.log(`[API] Обновляем порядок для всех ботов`);
+        for (let i = 0; i < reorderedBots.length; i++) {
+            const bot = reorderedBots[i];
+            const newSortOrder = i + 1; // 1-based позиции
+            
+            if (bot.sortOrder !== newSortOrder) {
+                await prisma.bot.update({
+                    where: { id: bot.id },
+                    data: { sortOrder: newSortOrder }
+                });
+                console.log(`[API] Обновлен бот ${bot.id}: sortOrder ${bot.sortOrder} -> ${newSortOrder}`);
+            }
         }
 
-        await prisma.bot.update({
-            where: { id: botId },
-            data: { sortOrder: newPosition }
-        });
-
-        console.log(`[API] Успешно обновлен порядок бота ${botId} на позицию ${newPosition}`);
+        console.log(`[API] Успешно обновлен порядок бота ${botId}`);
         res.json({ success: true, message: 'Порядок ботов обновлен' });
     } catch (error) {
         console.error("[API Error] /bots sort-order PUT:", error);
@@ -414,7 +531,7 @@ router.put('/:id/sort-order', authorize('bot:update'), async (req, res) => {
     }
 });
 
-router.delete('/:id', authorize('bot:delete'), async (req, res) => {
+router.delete('/:id', authenticate, checkBotAccess, authorize('bot:delete'), async (req, res) => {
     try {
         const botId = parseInt(req.params.id, 10);
         if (botManager.bots.has(botId)) return res.status(400).json({ error: 'Нельзя удалить запущенного бота' });
@@ -433,7 +550,7 @@ router.get('/servers', authorize('bot:list'), async (req, res) => {
     }
 });
 
-router.get('/:botId/plugins', authorize('plugin:list'), async (req, res) => {
+router.get('/:botId/plugins', authenticate, checkBotAccess, authorize('plugin:list'), async (req, res) => {
     try {
         const botId = parseInt(req.params.botId);
         const plugins = await prisma.installedPlugin.findMany({ where: { botId } });
@@ -441,7 +558,7 @@ router.get('/:botId/plugins', authorize('plugin:list'), async (req, res) => {
     } catch (error) { res.status(500).json({ error: 'Не удалось получить плагины бота' }); }
 });
 
-router.post('/:botId/plugins/install/github', authorize('plugin:install'), async (req, res) => {
+router.post('/:botId/plugins/install/github', authenticate, checkBotAccess, authorize('plugin:install'), async (req, res) => {
     const { botId } = req.params;
     const { repoUrl } = req.body;
     try {
@@ -452,7 +569,7 @@ router.post('/:botId/plugins/install/github', authorize('plugin:install'), async
     }
 });
 
-router.post('/:botId/plugins/install/local', authorize('plugin:install'), async (req, res) => {
+router.post('/:botId/plugins/install/local', authenticate, checkBotAccess, authorize('plugin:install'), async (req, res) => {
     const { botId } = req.params;
     const { path } = req.body;
     try {
@@ -463,7 +580,7 @@ router.post('/:botId/plugins/install/local', authorize('plugin:install'), async
     }
 });
 
-router.delete('/:botId/plugins/:pluginId', authorize('plugin:delete'), async (req, res) => {
+router.delete('/:botId/plugins/:pluginId', authenticate, checkBotAccess, authorize('plugin:delete'), async (req, res) => {
     const { pluginId } = req.params;
     try {
         await pluginManager.deletePlugin(parseInt(pluginId));
@@ -473,7 +590,7 @@ router.delete('/:botId/plugins/:pluginId', authorize('plugin:delete'), async (re
     }
 });
 
-router.get('/:botId/plugins/:pluginId/settings', authorize('plugin:settings:view'), async (req, res) => {
+router.get('/:botId/plugins/:pluginId/settings', authenticate, checkBotAccess, authorize('plugin:settings:view'), async (req, res) => {
 	try {
 		const pluginId = parseInt(req.params.pluginId);
 		const plugin = await prisma.installedPlugin.findUnique({ where: { id: pluginId } });
@@ -531,120 +648,107 @@ router.get('/:botId/plugins/:pluginId/settings', authorize('plugin:settings:view
 	}
 });
 
-// Вкладка Данные плагина (PluginDataStore)
-router.get('/:botId/plugins/:pluginId/data', authorize('plugin:settings:view'), async (req, res) => {
-	try {
-		const pluginId = parseInt(req.params.pluginId);
-		const plugin = await prisma.installedPlugin.findUnique({ where: { id: pluginId } });
-		if (!plugin) return res.status(404).json({ error: 'Установленный плагин не найден' });
-
-		const rows = await prisma.pluginDataStore.findMany({
-			where: { botId: plugin.botId, pluginName: plugin.name },
-			orderBy: { updatedAt: 'desc' }
-		});
-
-		const result = rows.map(r => {
-			let value;
-			try { value = JSON.parse(r.value); } catch { value = r.value; }
-			return { key: r.key, value, createdAt: r.createdAt, updatedAt: r.updatedAt };
-		});
-		res.json(result);
-	} catch (error) {
-		console.error('[API Error] GET plugin data:', error);
-		res.status(500).json({ error: 'Не удалось получить данные плагина' });
-	}
-});
+router.get('/:botId/plugins/:pluginId/data', authenticate, checkBotAccess, authorize('plugin:settings:view'), async (req, res) => {
+    try {
+        const pluginId = parseInt(req.params.pluginId);
+        const plugin = await prisma.installedPlugin.findUnique({ where: { id: pluginId } });
+        if (!plugin) return res.status(404).json({ error: 'Установленный плагин не найден' });
 
-router.get('/:botId/plugins/:pluginId/data/:key', authorize('plugin:settings:view'), async (req, res) => {
-	try {
-		const pluginId = parseInt(req.params.pluginId);
-		const { key } = req.params;
-		const plugin = await prisma.installedPlugin.findUnique({ where: { id: pluginId } });
-		if (!plugin) return res.status(404).json({ error: 'Установленный плагин не найден' });
+        const rows = await prisma.pluginDataStore.findMany({
+            where: { botId: plugin.botId, pluginName: plugin.name },
+            orderBy: { updatedAt: 'desc' }
+        });
 
-		const row = await prisma.pluginDataStore.findUnique({
-			where: {
-				pluginName_botId_key: {
-					pluginName: plugin.name,
-					botId: plugin.botId,
-					key
-				}
-			}
-		});
-		if (!row) return res.status(404).json({ error: 'Ключ не найден' });
-		let value; try { value = JSON.parse(row.value); } catch { value = row.value; }
-		res.json({ key: row.key, value, createdAt: row.createdAt, updatedAt: row.updatedAt });
-	} catch (error) {
-		console.error('[API Error] GET plugin data by key:', error);
-		res.status(500).json({ error: 'Не удалось получить значение по ключу' });
-	}
+        const result = rows.map(r => {
+            let value;
+            try { value = JSON.parse(r.value); } catch { value = r.value; }
+            return { key: r.key, value, createdAt: r.createdAt, updatedAt: r.updatedAt };
+        });
+        res.json(result);
+    } catch (error) { res.status(500).json({ error: 'Не удалось получить данные плагина' }); }
 });
 
-router.put('/:botId/plugins/:pluginId/data/:key', authorize('plugin:settings:edit'), async (req, res) => {
-	try {
-		const pluginId = parseInt(req.params.pluginId);
-		const { key } = req.params;
-		const { value } = req.body;
-		const plugin = await prisma.installedPlugin.findUnique({ where: { id: pluginId } });
-		if (!plugin) return res.status(404).json({ error: 'Установленный плагин не найден' });
-
-		const jsonValue = JSON.stringify(value ?? null);
-		const upserted = await prisma.pluginDataStore.upsert({
-			where: {
-				pluginName_botId_key: {
-					pluginName: plugin.name,
-					botId: plugin.botId,
-					key
-				}
-			},
-			update: { value: jsonValue },
-			create: { pluginName: plugin.name, botId: plugin.botId, key, value: jsonValue }
-		});
-		let parsed; try { parsed = JSON.parse(upserted.value); } catch { parsed = upserted.value; }
-		res.json({ key: upserted.key, value: parsed, createdAt: upserted.createdAt, updatedAt: upserted.updatedAt });
-	} catch (error) {
-		console.error('[API Error] PUT plugin data by key:', error);
-		res.status(500).json({ error: 'Не удалось сохранить значение' });
-	}
+router.get('/:botId/plugins/:pluginId/data/:key', authenticate, checkBotAccess, authorize('plugin:settings:view'), async (req, res) => {
+    try {
+        const pluginId = parseInt(req.params.pluginId);
+        const { key } = req.params;
+        const plugin = await prisma.installedPlugin.findUnique({ where: { id: pluginId } });
+        if (!plugin) return res.status(404).json({ error: 'Установленный плагин не найден' });
+
+        const row = await prisma.pluginDataStore.findUnique({
+            where: {
+                pluginName_botId_key: {
+                    pluginName: plugin.name,
+                    botId: plugin.botId,
+                    key
+                }
+            }
+        });
+        if (!row) return res.status(404).json({ error: 'Ключ не найден' });
+        let value; try { value = JSON.parse(row.value); } catch { value = row.value; }
+        res.json({ key: row.key, value, createdAt: row.createdAt, updatedAt: row.updatedAt });
+    } catch (error) { res.status(500).json({ error: 'Не удалось получить значение по ключу' }); }
 });
 
-router.delete('/:botId/plugins/:pluginId/data/:key', authorize('plugin:settings:edit'), async (req, res) => {
-	try {
-		const pluginId = parseInt(req.params.pluginId);
-		const { key } = req.params;
-		const plugin = await prisma.installedPlugin.findUnique({ where: { id: pluginId } });
-		if (!plugin) return res.status(404).json({ error: 'Установленный плагин не найден' });
+router.put('/:botId/plugins/:pluginId/data/:key', authenticate, checkBotAccess, authorize('plugin:settings:edit'), async (req, res) => {
+    try {
+        const pluginId = parseInt(req.params.pluginId);
+        const { key } = req.params;
+        const { value } = req.body;
+        const plugin = await prisma.installedPlugin.findUnique({ where: { id: pluginId } });
+        if (!plugin) return res.status(404).json({ error: 'Установленный плагин не найден' });
+
+        const jsonValue = JSON.stringify(value ?? null);
+        const upserted = await prisma.pluginDataStore.upsert({
+            where: {
+                pluginName_botId_key: {
+                    pluginName: plugin.name,
+                    botId: plugin.botId,
+                    key
+                }
+            },
+            update: { value: jsonValue },
+            create: { pluginName: plugin.name, botId: plugin.botId, key, value: jsonValue }
+        });
+        let parsed; try { parsed = JSON.parse(upserted.value); } catch { parsed = upserted.value; }
+        res.json({ key: upserted.key, value: parsed, createdAt: upserted.createdAt, updatedAt: upserted.updatedAt });
+    } catch (error) { res.status(500).json({ error: 'Не удалось сохранить значение' }); }
+});
 
-		await prisma.pluginDataStore.delete({
-			where: {
-				pluginName_botId_key: {
-					pluginName: plugin.name,
-					botId: plugin.botId,
-					key
-				}
-			}
-		});
-		res.status(204).send();
-	} catch (error) {
-		console.error('[API Error] DELETE plugin data by key:', error);
-		res.status(500).json({ error: 'Не удалось удалить значение' });
-	}
+router.delete('/:botId/plugins/:pluginId/data/:key', authenticate, checkBotAccess, authorize('plugin:settings:edit'), async (req, res) => {
+    try {
+        const pluginId = parseInt(req.params.pluginId);
+        const { key } = req.params;
+        const plugin = await prisma.installedPlugin.findUnique({ where: { id: pluginId } });
+        if (!plugin) return res.status(404).json({ error: 'Установленный плагин не найден' });
+
+        await prisma.pluginDataStore.delete({
+            where: {
+                pluginName_botId_key: {
+                    pluginName: plugin.name,
+                    botId: plugin.botId,
+                    key
+                }
+            }
+        });
+        res.status(204).send();
+    } catch (error) { res.status(500).json({ error: 'Не удалось удалить значение' }); }
 });
 
-router.put('/:botId/plugins/:pluginId', authorize('plugin:settings:edit'), async (req, res) => {
-	try {
-		const pluginId = parseInt(req.params.pluginId);
-		const { isEnabled, settings } = req.body;
-		const dataToUpdate = {};
-		if (typeof isEnabled === 'boolean') dataToUpdate.isEnabled = isEnabled;
-		if (settings) dataToUpdate.settings = JSON.stringify(settings);
-		if (Object.keys(dataToUpdate).length === 0) return res.status(400).json({ error: "Нет данных для обновления" });
-		const updated = await prisma.installedPlugin.update({ where: { id: pluginId }, data: dataToUpdate });
-		res.json(updated);
-	} catch (error) { res.status(500).json({ error: 'Не удалось обновить плагин' }); }
+router.put('/:botId/plugins/:pluginId', authenticate, checkBotAccess, authorize('plugin:settings:edit'), async (req, res) => {
+    try {
+        const pluginId = parseInt(req.params.pluginId);
+        const { isEnabled, settings } = req.body;
+        const dataToUpdate = {};
+        if (typeof isEnabled === 'boolean') dataToUpdate.isEnabled = isEnabled;
+        if (settings) dataToUpdate.settings = JSON.stringify(settings);
+        if (Object.keys(dataToUpdate).length === 0) return res.status(400).json({ error: "Нет данных для обновления" });
+        const updated = await prisma.installedPlugin.update({ where: { id: pluginId }, data: dataToUpdate });
+        res.json(updated);
+    } catch (error) { res.status(500).json({ error: 'Не удалось обновить плагин' }); }
 });
 
-router.get('/:botId/management-data', authorize('management:view'), async (req, res) => {
+router.get('/:botId/management-data', authenticate, checkBotAccess, authorize('management:view'), async (req, res) => {
     try {
         const botId = parseInt(req.params.botId, 10);
         if (isNaN(botId)) return res.status(400).json({ error: 'Неверный ID бота' });
@@ -1007,7 +1111,7 @@ router.post('/stop-all', authorize('bot:start_stop'), (req, res) => {
     }
 });
 
-router.get('/:id/settings/all', authorize('bot:update'), async (req, res) => {
+router.get('/:id/settings/all', authenticate, checkBotAccess, authorize('bot:update'), async (req, res) => {
     try {
         const botId = parseInt(req.params.id, 10);
 
@@ -1086,7 +1190,7 @@ router.get('/:id/settings/all', authorize('bot:update'), async (req, res) => {
 
 const nodeRegistry = require('../../core/NodeRegistry'); 
 
-router.get('/:botId/visual-editor/nodes', authorize('management:view'), (req, res) => {
+router.get('/:botId/visual-editor/nodes', authenticate, checkBotAccess, authorize('management:view'), (req, res) => {
     try {
         const { graphType } = req.query;
         const nodesByCategory = nodeRegistry.getNodesByCategory(graphType);
@@ -1097,7 +1201,7 @@ router.get('/:botId/visual-editor/nodes', authorize('management:view'), (req, re
     }
 });
 
-router.get('/:botId/visual-editor/node-config', authorize('management:view'), (req, res) => {
+router.get('/:botId/visual-editor/node-config', authenticate, checkBotAccess, authorize('management:view'), (req, res) => {
     try {
         const { types } = req.query;
         if (!types) {
@@ -1112,7 +1216,7 @@ router.get('/:botId/visual-editor/node-config', authorize('management:view'), (r
     }
 });
 
-router.get('/:botId/visual-editor/permissions', authorize('management:view'), async (req, res) => {
+router.get('/:botId/visual-editor/permissions', authenticate, checkBotAccess, authorize('management:view'), async (req, res) => {
     try {
         const botId = parseInt(req.params.botId, 10);
         const permissions = await prisma.permission.findMany({ 
@@ -1733,7 +1837,7 @@ router.post('/:botId/plugins/:pluginName/action', authorize('plugin:list'), asyn
 });
 
 
-router.get('/:botId/export', authorize('bot:export'), async (req, res) => {
+router.get('/:botId/export', authenticate, checkBotAccess, authorize('bot:export'), async (req, res) => {
     try {
         const botId = parseInt(req.params.botId, 10);
         const {
@@ -1964,7 +2068,18 @@ router.post('/import', authorize('bot:create'), upload.single('file'), async (re
                     }
                 }
                 
-                const newPlugin = await prisma.installedPlugin.create({ data: pluginData });
+                try {
+                    await pluginManager._installDependencies(newPluginPath);
+                } catch (e) {
+                    console.warn(`[Import] Не удалось установить зависимости для плагина ${pluginName}: ${e.message}`);
+                }
+                
+                let newPlugin;
+                try {
+                    newPlugin = await pluginManager.registerPlugin(newBot.id, newPluginPath, 'LOCAL', newPluginPath);
+                } catch (e) {
+                    newPlugin = await prisma.installedPlugin.create({ data: pluginData });
+                }
                 pluginMap.set(oldPluginId, newPlugin.id);
             }
         }