lockbot 2.2.0__tar.gz → 2.3.0__tar.gz

{lockbot-2.2.0/python/lockbot.egg-info → lockbot-2.3.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: lockbot
-Version: 2.2.0
+Version: 2.3.0
 Summary: Cluster resource management bot for IM platforms
 Author-email: Jianbang Yang <yangjianbang112@gmail.com>
 License: MIT

{lockbot-2.2.0 → lockbot-2.3.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "lockbot"
-version = "2.2.0"
+version = "2.3.0"
 description = "Cluster resource management bot for IM platforms"
 readme = "README.md"
 license = {text = "MIT"}

{lockbot-2.2.0 → lockbot-2.3.0}/python/lockbot/backend/app/admin/router.py

@@ -16,7 +16,13 @@ from fastapi.responses import FileResponse, Response
 from sqlalchemy.orm import Session
 from starlette.background import BackgroundTask
 
-from lockbot.backend.app.auth.dependencies import can_manage_user, require_admin, require_super_admin
+from lockbot.backend.app.auth.dependencies import (
+    can_assign_role,
+    can_create_user_with_role,
+    can_manage_user,
+    require_admin,
+    require_super_admin,
+)
 from lockbot.backend.app.auth.models import User
 from lockbot.backend.app.auth.router import _generate_password, _hash_password
 from lockbot.backend.app.auth.schemas import (
@@ -31,10 +37,6 @@ from lockbot.backend.app.database import get_db
 
 router = APIRouter(prefix="/api/admin", tags=["admin"])
 
-ADMIN_VISIBLE_ROLES = ("admin", "user")
-SUPER_ADMIN_VISIBLE_ROLES = ("super_admin", "admin", "user")
-ADMIN_CREATABLE_ROLES = ("user",)
-
 
 @router.post("/users", response_model=PasswordResetOut, status_code=201)
 def admin_create_user(
@@ -43,12 +45,10 @@ def admin_create_user(
     db: Session = Depends(get_db),
 ):
     """Admin creates a user. Super_admin can create admin/user; admin can only create user."""
-    # Non-super_admin can only create regular users
-    if operator.role != "super_admin" and body.role not in ADMIN_CREATABLE_ROLES:
-        raise HTTPException(status_code=403, detail="Cannot create user with this role")
-
-    if body.role not in SUPER_ADMIN_VISIBLE_ROLES:
-        raise HTTPException(status_code=400, detail=f"Invalid role, must be one of {SUPER_ADMIN_VISIBLE_ROLES}")
+    # Use unified permission check
+    allowed, status_code, error_msg = can_create_user_with_role(operator, body.role)
+    if not allowed:
+        raise HTTPException(status_code=status_code, detail=error_msg)
 
     exists = db.query(User).filter(User.username == body.username).first()
     if exists:
@@ -133,11 +133,13 @@ def admin_edit_user(
         target.email = body.email
 
     if body.role is not None:
-        if body.role not in SUPER_ADMIN_VISIBLE_ROLES:
-            raise HTTPException(status_code=400, detail="Invalid role")
-        # Only super_admin can promote to admin
-        if body.role in ("admin", "super_admin") and operator.role != "super_admin":
-            raise HTTPException(status_code=403, detail="Only super admin can set this role")
+        # Use unified permission check
+        allowed, status_code, error_msg = can_assign_role(operator, target, body.role)
+        if not allowed:
+            raise HTTPException(status_code=status_code, detail=error_msg)
+        # Force logout when role changes
+        if target.role != body.role:
+            target.token_version = target.effective_token_version + 1
         target.role = body.role
 
     if body.max_running_bots is not None:
@@ -181,11 +183,30 @@ def admin_reset_password(
     raw_password = _generate_password()
     target.password_hash = _hash_password(raw_password)
     target.must_change_password = True
+    # Force logout - invalidate all existing tokens
+    target.token_version = target.effective_token_version + 1
     db.commit()
     db.refresh(target)
     return PasswordResetOut(id=target.id, username=target.username, new_password=raw_password)
 
 
+@router.post("/users/{user_id}/force-logout")
+def force_logout_user(
+    user_id: int,
+    operator: User = Depends(require_admin),
+    db: Session = Depends(get_db),
+):
+    """Force a user to logout by invalidating all their tokens."""
+    target = db.get(User, user_id)
+    if not target:
+        raise HTTPException(status_code=404, detail="User not found")
+    if not can_manage_user(operator, target.role):
+        raise HTTPException(status_code=403, detail="Cannot manage this user")
+    target.token_version = target.effective_token_version + 1
+    db.commit()
+    return {"id": target.id, "username": target.username, "message": "User logged out successfully"}
+
+
 @router.get("/bots")
 def list_all_bots(
     _admin: User = Depends(require_admin),

{lockbot-2.2.0 → lockbot-2.3.0}/python/lockbot/backend/app/auth/dependencies.py

@@ -23,10 +23,11 @@ _security = HTTPBearer(auto_error=False)
 _ROLE_LEVELS = {"super_admin": 0, "admin": 1, "user": 2}
 
 
-def create_access_token(user_id: int, must_change_password: bool = False) -> str:
+def create_access_token(user_id: int, token_version: int = 0, must_change_password: bool = False) -> str:
     payload = {
         "sub": str(user_id),
         "exp": datetime.now(timezone.utc) + timedelta(minutes=JWT_EXPIRE_MINUTES),
+        "ver": token_version,
         "mcp": must_change_password,
     }
     return jwt.encode(payload, JWT_SECRET, algorithm=JWT_ALGORITHM)
@@ -42,12 +43,18 @@ def get_current_user(
     try:
         payload = jwt.decode(token, JWT_SECRET, algorithms=[JWT_ALGORITHM])
         user_id = int(payload["sub"])
+        token_version = payload.get("ver", 0)  # Default to 0 for old tokens without version
     except (jwt.PyJWTError, KeyError, ValueError):
         raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid token") from None
 
     user = db.get(User, user_id)
     if user is None:
         raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="User not found")
+
+    # Check token version - invalidate token if version mismatch
+    if user.effective_token_version != token_version:
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Token expired, please login again")
+
     return user
 
 
@@ -70,3 +77,44 @@ def can_manage_user(operator: User, target_role: str) -> bool:
     op_level = _ROLE_LEVELS.get(operator.role, 3)
     tgt_level = _ROLE_LEVELS.get(target_role, 3)
     return op_level < tgt_level
+
+
+def can_assign_role(operator: User, target: User, new_role: str) -> tuple[bool, int, str]:
+    """
+    Check if operator can change target's role to new_role.
+
+    Returns (allowed, http_status_code, error_message).
+    This consolidates all role assignment permission checks in one place.
+    """
+    # Validate role
+    valid_roles = ("super_admin", "admin", "user")
+    if new_role not in valid_roles:
+        return False, 400, f"Invalid role, must be one of {valid_roles}"
+
+    # Cannot manage users at or above your own level
+    if not can_manage_user(operator, target.role):
+        return False, 403, "Cannot manage this user"
+
+    # Only super_admin can assign admin or super_admin role
+    if new_role in ("admin", "super_admin") and operator.role != "super_admin":
+        return False, 403, "Only super admin can assign this role"
+
+    return True, 200, ""
+
+
+def can_create_user_with_role(operator: User, role: str) -> tuple[bool, int, str]:
+    """
+    Check if operator can create a user with the given role.
+
+    Returns (allowed, http_status_code, error_message).
+    """
+    # Validate role
+    valid_roles = ("admin", "user")
+    if role not in valid_roles:
+        return False, 400, f"Invalid role, must be one of {valid_roles}"
+
+    # Only super_admin can create admin
+    if role == "admin" and operator.role != "super_admin":
+        return False, 403, "Only super admin can create user with this role"
+
+    return True, 200, ""

{lockbot-2.2.0 → lockbot-2.3.0}/python/lockbot/backend/app/auth/models.py

@@ -20,5 +20,11 @@ class User(Base):
     role: Mapped[str] = mapped_column(String(16), nullable=False, default="user")
     max_running_bots: Mapped[int] = mapped_column(Integer, default=10)
     must_change_password: Mapped[bool] = mapped_column(Boolean, nullable=False, default=False)
+    token_version: Mapped[int] = mapped_column(Integer, nullable=False, default=0)
     created_at: Mapped[datetime] = mapped_column(DateTime, server_default=func.now())
     updated_at: Mapped[datetime] = mapped_column(DateTime, server_default=func.now(), onupdate=func.now())
+
+    @property
+    def effective_token_version(self) -> int:
+        """Return token_version, treating NULL (from pre-migration rows) as 0."""
+        return self.token_version if self.token_version is not None else 0

{lockbot-2.2.0 → lockbot-2.3.0}/python/lockbot/backend/app/auth/router.py

@@ -75,7 +75,7 @@ def login(body: UserLogin, db: Session = Depends(get_db)):
     if not user or not _verify_password(body.password, user.password_hash):
         raise HTTPException(status_code=401, detail="Invalid credentials")
     return TokenOut(
-        access_token=create_access_token(user.id, user.must_change_password),
+        access_token=create_access_token(user.id, user.effective_token_version, user.must_change_password),
         must_change_password=user.must_change_password,
     )
 
@@ -99,7 +99,7 @@ def change_password(
     user.must_change_password = False
     db.commit()
     return TokenOut(
-        access_token=create_access_token(user.id, False),
+        access_token=create_access_token(user.id, user.effective_token_version, False),
         must_change_password=False,
     )
 
@@ -120,7 +120,7 @@ def force_change_password(
     user.must_change_password = False
     db.commit()
     return TokenOut(
-        access_token=create_access_token(user.id, False),
+        access_token=create_access_token(user.id, user.effective_token_version, False),
         must_change_password=False,
     )
 

{lockbot-2.2.0 → lockbot-2.3.0}/python/lockbot/backend/app/bots/router.py

@@ -400,6 +400,10 @@ def start_bot(
 ):
     bot = _get_user_bot(bot_id, user, db)
 
+    # Only owner or super_admin can start
+    if user.role != "super_admin" and bot.user_id != user.id:
+        raise HTTPException(status_code=403, detail="Cannot start another user's bot")
+
     if bot.status == "running":
         return BotStatusOut(
             id=bot.id,
@@ -462,6 +466,10 @@ def stop_bot(
 ):
     bot = _get_user_bot(bot_id, user, db)
 
+    # Only owner or super_admin can stop
+    if user.role != "super_admin" and bot.user_id != user.id:
+        raise HTTPException(status_code=403, detail="Cannot stop another user's bot")
+
     if bot.status not in ("running", "error"):
         raise HTTPException(status_code=409, detail=f"Bot is not running (status={bot.status})")
 
@@ -485,6 +493,10 @@ def restart_bot(
 ):
     bot = _get_user_bot(bot_id, user, db)
 
+    # Only owner or super_admin can restart
+    if user.role != "super_admin" and bot.user_id != user.id:
+        raise HTTPException(status_code=403, detail="Cannot restart another user's bot")
+
     config_dict = _build_config_dict(bot, db)
 
     try:
@@ -785,11 +797,9 @@ def update_bot_state(
 
     bot = _get_user_bot(bot_id, user, db)
 
-    # Admin cannot edit other admins' bot state
-    if user.role == "admin" and bot.user_id != user.id:
-        owner = db.get(User, bot.user_id)
-        if owner and owner.role in ("admin", "super_admin"):
-            raise HTTPException(status_code=403, detail="Cannot edit another admin's bot state")
+    # Admin can only edit own bot state, super_admin can edit any
+    if user.role != "super_admin" and bot.user_id != user.id:
+        raise HTTPException(status_code=403, detail="Cannot edit another user's bot state")
 
     if bot.status == "running":
         raise HTTPException(status_code=409, detail="Stop the bot before editing state")

{lockbot-2.2.0 → lockbot-2.3.0}/python/lockbot/backend/app/main.py

@@ -91,6 +91,21 @@ def _migrate_bot_soft_delete():
         logger.info("Migrated bots: added 'deleted_at' column")
 
 
+def _migrate_users_token_version():
+    """Add 'token_version' column to users if it doesn't exist (SQLite migration)."""
+    from sqlalchemy import inspect as sa_inspect
+    from sqlalchemy import text
+
+    insp = sa_inspect(engine)
+    if "users" not in insp.get_table_names():
+        return
+    columns = [c["name"] for c in insp.get_columns("users")]
+    if "token_version" not in columns:
+        with engine.begin() as conn:
+            conn.execute(text("ALTER TABLE users ADD COLUMN token_version INTEGER NOT NULL DEFAULT 0"))
+        logger.info("Migrated users: added 'token_version' column")
+
+
 def _seed_dev_admin():
     """Create admin user in dev mode if it doesn't exist."""
     from lockbot.backend.app.config import (
@@ -172,6 +187,7 @@ async def lifespan(app: FastAPI):
     _migrate_bot_logs_category()
     _migrate_bot_consecutive_failures()
     _migrate_users_must_change_password()
+    _migrate_users_token_version()
     _migrate_bot_soft_delete()
     _seed_dev_admin()
     _seed_dev_users()

{lockbot-2.2.0 → lockbot-2.3.0}/python/lockbot/backend/app/settings/router.py

@@ -7,10 +7,12 @@ from datetime import datetime
 
 from fastapi import APIRouter, Depends, HTTPException
 from pydantic import BaseModel
+from sqlalchemy import func as sa_func
 from sqlalchemy.orm import Session
 
-from lockbot.backend.app.auth.dependencies import require_super_admin
+from lockbot.backend.app.auth.dependencies import get_current_user, require_super_admin
 from lockbot.backend.app.auth.models import User
+from lockbot.backend.app.bots.models import Bot
 from lockbot.backend.app.database import get_db
 from lockbot.backend.app.settings.models import SiteSetting
 
@@ -64,6 +66,30 @@ def public_settings(db: Session = Depends(get_db)):
     return [SettingOut(key=k, value=_get_setting(db, k)) for k in sorted(PUBLIC_KEYS)]
 
 
+class PlatformStats(BaseModel):
+    """Public platform statistics."""
+
+    total_users: int
+    total_bots: int
+    running_bots: int
+
+
+@router.get("/api/public/stats", response_model=PlatformStats)
+def get_public_stats(
+    _user: User = Depends(get_current_user),
+    db: Session = Depends(get_db),
+):
+    """Return platform statistics (requires login)."""
+    total_users = db.query(sa_func.count(User.id)).scalar()
+    total_bots = db.query(sa_func.count(Bot.id)).filter(Bot.is_deleted.is_(False)).scalar()
+    running_bots = db.query(sa_func.count(Bot.id)).filter(Bot.is_deleted.is_(False), Bot.status == "running").scalar()
+    return PlatformStats(
+        total_users=total_users,
+        total_bots=total_bots,
+        running_bots=running_bots,
+    )
+
+
 # ── Admin endpoints (super_admin only) ──────────────────
 
 

{lockbot-2.2.0 → lockbot-2.3.0/python/lockbot.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: lockbot
-Version: 2.2.0
+Version: 2.3.0
 Summary: Cluster resource management bot for IM platforms
 Author-email: Jianbang Yang <yangjianbang112@gmail.com>
 License: MIT