feat(dashboard): เพมสวนจดการ user

2025-10-04 16:07:22 +07:00
parent 7f41c35cb8
commit 772239e708
19 changed files with 2477 additions and 1230 deletions
--- a/backend/src/routes/users.js
+++ b/backend/src/routes/users.js
@@ -1,55 +1,136 @@
-// FILE: backend/src/routes/users.js
+// File: backend/src/routes/users.js
 import { Router } from "express";
-import sql from "../db/index.js";
-import { requirePerm } from "../middleware/requirePerm.js";
+import { User, Role } from "../db/index.js";
+import { authJwt, permGuard } from "../middleware/index.js";
+import { hashPassword } from "../utils/passwords.js";

-const r = Router();
+const router = Router();

-// ME (ทุกคน)
-r.get("/me", async (req, res) => {
-  const p = req.principal;
-  const [[u]] = await sql.query(
-    `SELECT user_id, username, email, first_name, last_name, org_id FROM users WHERE user_id=?`,
-    [p.user_id]
-  );
-  if (!u) return res.status(404).json({ error: "User not found" });
-  const [roles] = await sql.query(
-    `SELECT r.role_code, r.role_name, ur.org_id, ur.project_id
-       FROM user_roles ur JOIN roles r ON r.role_id = ur.role_id
-      WHERE ur.user_id=?`,
-    [p.user_id]
-  );
-  res.json({
-    ...u,
-    roles,
-    role_codes: roles.map((r) => r.role_code),
-    permissions: [...(p.permissions || [])],
-    project_ids: p.project_ids,
-    org_ids: p.org_ids,
-    is_superadmin: p.is_superadmin,
-  });
-});
+// Middleware สำหรับทุก route ในไฟล์นี้
+router.use(authJwt.verifyToken);

-// USERS LIST (ORG scope) — admin.access
-r.get(
+// GET /api/users - ดึงรายชื่อผู้ใช้ทั้งหมด
+router.get(
  "/",
-  requirePerm("admin.access", { orgParam: "org_id" }),
-  async (req, res) => {
-    const P = req.principal;
-    let rows = [];
-    if (P.is_superadmin) {
-      [rows] = await sql.query(
-        "SELECT user_id, username, email, org_id FROM users ORDER BY user_id DESC LIMIT 500"
-      );
-    } else if (P.org_ids?.length) {
-      const inSql = P.org_ids.map(() => "?").join(",");
-      [rows] = await sql.query(
-        `SELECT user_id, username, email, org_id FROM users WHERE org_id IN (${inSql}) ORDER BY user_id DESC LIMIT 500`,
-        P.org_ids
-      );
+  permGuard("manage_users"), // ตรวจสอบสิทธิ์
+  async (req, res, next) => {
+    try {
+      const users = await User.findAll({
+        attributes: { exclude: ["password_hash"] }, // **สำคัญมาก: ห้ามส่ง password hash ออกไป**
+        include: [
+          {
+            model: Role,
+            attributes: ["id", "name"],
+            through: { attributes: [] }, // ไม่ต้องเอาข้อมูลจากตาราง join (UserRoles) มา
+          },
+        ],
+        order: [["username", "ASC"]],
+      });
+      res.json(users);
+    } catch (error) {
+      next(error);
    }
-    res.json(rows);
  }
 );

-export default r;
+// POST /api/users - สร้างผู้ใช้ใหม่
+router.post("/", permGuard("manage_users"), async (req, res, next) => {
+  const { username, email, password, first_name, last_name, is_active, roles } =
+    req.body;
+
+  if (!username || !email || !password) {
+    return res
+      .status(400)
+      .json({ message: "Username, email, and password are required" });
+  }
+
+  try {
+    const password_hash = await hashPassword(password);
+    const newUser = await User.create({
+      username,
+      email,
+      password_hash,
+      first_name,
+      last_name,
+      is_active: is_active !== false,
+    });
+
+    if (roles && roles.length > 0) {
+      await newUser.setRoles(roles);
+    }
+
+    const userWithRoles = await User.findByPk(newUser.id, {
+      attributes: { exclude: ["password_hash"] },
+      include: [
+        {
+          model: Role,
+          attributes: ["id", "name"],
+          through: { attributes: [] },
+        },
+      ],
+    });
+
+    res.status(201).json(userWithRoles);
+  } catch (error) {
+    if (error.name === "SequelizeUniqueConstraintError") {
+      return res
+        .status(409)
+        .json({ message: "Username or email already exists." });
+    }
+    next(error);
+  }
+});
+
+// PUT /api/users/:id - อัปเดตข้อมูลผู้ใช้
+router.put("/:id", permGuard("manage_users"), async (req, res, next) => {
+  const { id } = req.params;
+  const { email, first_name, last_name, is_active, roles } = req.body;
+
+  try {
+    const user = await User.findByPk(id);
+    if (!user) {
+      return res.status(404).json({ message: "User not found" });
+    }
+
+    user.email = email ?? user.email;
+    user.first_name = first_name ?? user.first_name;
+    user.last_name = last_name ?? user.last_name;
+    user.is_active = is_active ?? user.is_active;
+    await user.save();
+
+    if (roles) {
+      await user.setRoles(roles);
+    }
+
+    const updatedUser = await User.findByPk(id, {
+      attributes: { exclude: ["password_hash"] },
+      include: [
+        {
+          model: Role,
+          attributes: ["id", "name"],
+          through: { attributes: [] },
+        },
+      ],
+    });
+    res.json(updatedUser);
+  } catch (error) {
+    next(error);
+  }
+});
+
+// DELETE /api/users/:id - ลบผู้ใช้ (Soft Delete)
+router.delete("/:id", permGuard("manage_users"), async (req, res, next) => {
+  try {
+    const user = await User.findByPk(req.params.id);
+    if (!user) {
+      return res.status(404).json({ message: "User not found" });
+    }
+    user.is_active = false; // Soft Delete
+    await user.save();
+    res.status(204).send();
+  } catch (error) {
+    next(error);
+  }
+});
+
+export default router;