""" Superadmin endpoints for user management. """ from typing import Annotated from fastapi import APIRouter, Depends, HTTPException, Query, status from pydantic import BaseModel from sqlalchemy.ext.asyncio import AsyncSession from app.api.deps import get_current_superadmin from app.core.database import get_db from app.models.user import User from app.schemas.user import UserCreate, UserListResponse, UserResponse, UserUpdate from app.services import user_service router = APIRouter() class ChangePasswordRequest(BaseModel): """Request schema for changing user password.""" new_password: str @router.get("", response_model=UserListResponse) async def list_users( db: Annotated[AsyncSession, Depends(get_db)], current_user: Annotated[User, Depends(get_current_superadmin)], skip: int = Query(0, ge=0, description="Number of records to skip"), limit: int = Query(100, ge=1, le=1000, description="Max records to return"), organization_id: int | None = Query(None, description="Filter by organization"), role: str | None = Query(None, description="Filter by role"), status: str | None = Query(None, description="Filter by status"), ): """ List all users (superadmin only). Returns paginated list of users with optional filters. """ users, total = await user_service.list_users( db, skip=skip, limit=limit, organization_id=organization_id, role=role, status=status, ) return UserListResponse( users=users, total=total, ) @router.get("/{user_id}", response_model=UserResponse) async def get_user( user_id: int, db: Annotated[AsyncSession, Depends(get_db)], current_user: Annotated[User, Depends(get_current_superadmin)], ): """ Get user by ID (superadmin only). """ user = await user_service.get_user(db, user_id) if not user: raise HTTPException( status_code=status.HTTP_404_NOT_FOUND, detail="User not found", ) return user @router.post("", response_model=UserResponse, status_code=status.HTTP_201_CREATED) async def create_user( data: UserCreate, db: Annotated[AsyncSession, Depends(get_db)], current_user: Annotated[User, Depends(get_current_superadmin)], ): """ Create a new user (superadmin only). Creates an active user with email verified. """ # Check if email already exists existing_user = await user_service.get_user_by_email(db, data.email) if existing_user: raise HTTPException( status_code=status.HTTP_400_BAD_REQUEST, detail="Email already registered", ) user = await user_service.create_user(db, data) return user @router.patch("/{user_id}", response_model=UserResponse) async def update_user( user_id: int, data: UserUpdate, db: Annotated[AsyncSession, Depends(get_db)], current_user: Annotated[User, Depends(get_current_superadmin)], ): """ Update user (superadmin only). Can update user details, role, and status. """ user = await user_service.update_user(db, user_id, data) if not user: raise HTTPException( status_code=status.HTTP_404_NOT_FOUND, detail="User not found", ) return user @router.delete("/{user_id}", status_code=status.HTTP_204_NO_CONTENT) async def delete_user( user_id: int, db: Annotated[AsyncSession, Depends(get_db)], current_user: Annotated[User, Depends(get_current_superadmin)], ): """ Delete user (superadmin only). Warning: This permanently deletes the user. """ # Prevent deleting yourself if user_id == current_user.id: raise HTTPException( status_code=status.HTTP_400_BAD_REQUEST, detail="Cannot delete yourself", ) deleted = await user_service.delete_user(db, user_id) if not deleted: raise HTTPException( status_code=status.HTTP_404_NOT_FOUND, detail="User not found", ) @router.post("/{user_id}/change-password", response_model=UserResponse) async def change_user_password( user_id: int, data: ChangePasswordRequest, db: Annotated[AsyncSession, Depends(get_db)], current_user: Annotated[User, Depends(get_current_superadmin)], ): """ Change user password (superadmin only). Allows superadmin to reset any user's password. """ user = await user_service.change_user_password(db, user_id, data.new_password) if not user: raise HTTPException( status_code=status.HTTP_404_NOT_FOUND, detail="User not found", ) return user