Улучшение безопасности и обработки ошибок. Финал. #8

src/handlers/admin/admin_handler_user_by_id.erl

@@ -4,10 +4,10 @@
 
 init(Req, _Opts) ->
   case cowboy_req:method(Req) of
-    <<"GET">> -> get_user(Req);
-    <<"PUT">> -> update_user(Req);
+    <<"GET">>    -> get_user(Req);
+    <<"PUT">>    -> update_user(Req);
     <<"DELETE">> -> delete_user(Req);
-    _ -> send_error(Req, 405, <<"Method not allowed">>)
+    _            -> send_error(Req, 405, <<"Method not allowed">>)
   end.
 
 get_user(Req) ->
@@ -37,21 +37,23 @@ update_user(Req) ->
           UserId = cowboy_req:binding(id, Req1),
           {ok, Body, Req2} = cowboy_req:read_body(Req1),
           try jsx:decode(Body, [return_maps]) of
-            Decoded when is_map(Decoded) ->
-              Updates = maps:to_list(Decoded),
-              Converted = convert_updates(Updates),
-              case core_user:update(UserId, Converted) of
-                {ok, User} ->
-                  send_json(Req2, 200, user_to_json(User));
-                {error, not_found} ->
-                  send_error(Req2, 404, <<"User not found">>);
-                {error, _} ->
-                  send_error(Req2, 500, <<"Internal server error">>)
+            Updates when map_size(Updates) > 0 ->
+              % Проверка на наличие reason при изменении статуса
+              case maps:find(<<"status">>, Updates) of
+                {ok, NewStatus} when NewStatus =:= <<"blocked">> orelse NewStatus =:= <<"active">> ->
+                  case maps:find(<<"reason">>, Updates) of
+                    {ok, Reason} when byte_size(Reason) > 0 ->
+                      apply_updates(UserId, Updates, AdminId, Reason, Req2);
+                    _ ->
+                      send_error(Req2, 400, <<"Missing or empty reason">>)
+                  end;
+                _ ->
+                  apply_updates(UserId, Updates, AdminId, undefined, Req2)
               end;
             _ ->
-              send_error(Req2, 400, <<"Invalid JSON">>)
+              send_error(Req2, 400, <<"Request body is empty">>)
           catch
-            _:_ -> send_error(Req2, 400, <<"Invalid JSON format">>)
+            _:_ -> send_error(Req2, 400, <<"Invalid JSON">>)
           end;
         false ->
           send_error(Req1, 403, <<"Admin access required">>)
@@ -79,33 +81,72 @@ delete_user(Req) ->
       send_error(Req1, Code, Message)
   end.
 
-user_to_json(User) ->
-  #{
-    id         => User#user.id,
-    email      => User#user.email,
-    role       => User#user.role,
-    status     => User#user.status,
-    created_at => datetime_to_iso8601(User#user.created_at),
-    updated_at => datetime_to_iso8601(User#user.updated_at)
-  }.
-
-datetime_to_iso8601({{Year, Month, Day}, {Hour, Minute, Second}}) ->
-  iolist_to_binary(io_lib:format("~4..0B-~2..0B-~2..0BT~2..0B:~2..0B:~2..0BZ",
-    [Year, Month, Day, Hour, Minute, Second])).
+%% ── Вспомогательная функция обновления ────────────────────
+apply_updates(UserId, Updates, AdminId, Reason, Req) ->
+  Converted = convert_updates(maps:to_list(Updates)),
+  case core_user:update(UserId, Converted) of
+    {ok, User} ->
+      % Логируем, если был указан reason
+      case Reason of
+        undefined -> ok;
+        _ ->
+          case core_admin:get_by_id(AdminId) of
+            {ok, Admin} ->
+              Action = case maps:get(<<"status">>, Updates, undefined) of
+                         <<"blocked">> -> <<"block_user">>;
+                         <<"active">>  -> <<"unblock_user">>;
+                         _             -> <<"update_user">>
+                       end,
+              core_admin_audit:log(AdminId, Admin#admin.email, Admin#admin.role,
+                Action, <<"user">>, UserId, <<"127.0.0.1">>, Reason);
+            _ -> ok
+          end
+      end,
+      send_json(Req, 200, user_to_json(User));
+    {error, not_found} ->
+      send_error(Req, 404, <<"User not found">>);
+    {error, _} ->
+      send_error(Req, 500, <<"Internal server error">>)
+  end.
 
 convert_updates(Updates) ->
-  lists:map(fun
-              ({<<"status">>, Value}) -> {status, binary_to_existing_atom(Value)};
-              ({<<"role">>, Value})   -> {role, binary_to_existing_atom(Value)};
-              (Other)                 -> Other
+  lists:map(fun({<<"status">>, Value}) -> {status, binary_to_existing_atom(Value, utf8)};
+    ({<<"role">>, Value})   -> {role, binary_to_existing_atom(Value, utf8)};
+    ({<<"reason">>, Value}) -> {reason, Value};
+    (Other)                 -> Other
             end, Updates).
 
+user_to_json(User) ->
+  #{
+    id          => User#user.id,
+    email       => User#user.email,
+    role        => atom_to_binary(User#user.role, utf8),
+    status      => atom_to_binary(User#user.status, utf8),
+    reason      => User#user.reason,
+    created_at  => datetime_to_iso8601(User#user.created_at),
+    updated_at  => datetime_to_iso8601(User#user.updated_at)
+  }.
+
+datetime_to_iso8601({{Y,M,D},{H,Min,S}}) ->
+  iolist_to_binary(io_lib:format("~4..0B-~2..0B-~2..0BT~2..0B:~2..0B:~2..0BZ", [Y,M,D,H,Min,S]));
+datetime_to_iso8601(_) -> null.
+
 send_json(Req, Status, Data) ->
+  Headers = #{
+    <<"content-type">> => <<"application/json">>,
+    <<"access-control-allow-origin">> => <<"*">>,
+    <<"access-control-expose-headers">> => <<"Content-Range">>
+  },
   Body = jsx:encode(Data),
-  cowboy_req:reply(Status, #{<<"content-type">> => <<"application/json">>}, Body, Req),
+  cowboy_req:reply(Status, Headers, Body, Req),
   {ok, Body, []}.
 
-send_error(Req, Status, Message) ->
+send_error(Req, Code, Message) ->
+  Headers = #{
+    <<"content-type">> => <<"application/json">>,
+    <<"access-control-allow-origin">> => <<"*">>,
+    <<"access-control-expose-headers">> => <<"Content-Range">>
+  },
   Body = jsx:encode(#{error => Message}),
-  cowboy_req:reply(Status, #{<<"content-type">> => <<"application/json">>}, Body, Req),
+  cowboy_req:reply(Code, Headers, Body, Req),
   {ok, Body, []}.