Ролевая модель и аудит Часть 2. Финал. #6

src/handlers/admin/admin_handler_admins.erl

@@ -0,0 +1,115 @@
+-module(admin_handler_admins).
+-behaviour(cowboy_handler).
+
+-include("records.hrl").
+
+-export([init/2]).
+
+init(Req, _Opts) ->
+  case cowboy_req:method(Req) of
+    <<"GET">> -> list_admins(Req);
+    <<"POST">> -> create_admin(Req);
+    <<"PUT">> -> update_admin_role(Req);
+    _ -> send_error(Req, 405, <<"Method not allowed">>)
+  end.
+
+list_admins(Req) ->
+  case handler_auth:authenticate(Req) of
+    {ok, AdminId, Req1} ->
+      case admin_utils:check_role(AdminId, superadmin) of
+        true ->
+          Admins = core_admin:list_all(),
+          Json = [admin_to_json(A) || A <- Admins],
+          send_json(Req1, 200, Json);
+        false ->
+          send_error(Req1, 403, <<"Superadmin access required">>)
+      end;
+    {error, Code, Message, Req1} ->
+      send_error(Req1, Code, Message)
+  end.
+
+create_admin(Req) ->
+  case handler_auth:authenticate(Req) of
+    {ok, AdminId, Req1} ->
+      case admin_utils:check_role(AdminId, superadmin) of
+        true ->
+          {ok, Body, Req2} = cowboy_req:read_body(Req1),
+          try jsx:decode(Body, [return_maps]) of
+            #{<<"email">> := Email, <<"password">> := Password, <<"role">> := RoleBin} ->
+              Role = binary_to_atom(RoleBin, utf8),
+              case core_admin:create(Email, Password, Role) of
+                {ok, Admin} ->
+                  % Заглушка отправки email
+                  % send_invitation_email(Email),
+                  core_admin_audit:log(AdminId, Admin#admin.email, Admin#admin.role,
+                    <<"create_admin">>, <<"admin">>, Admin,
+                    admin_utils:client_ip(Req)),
+                  send_json(Req2, 201, admin_to_json(Admin));
+                {error, Reason} ->
+                  send_error(Req2, 500, Reason)
+              end;
+            _ ->
+              send_error(Req2, 400, <<"Missing required fields (email, password, role)">>)
+          catch
+            _:_ -> send_error(Req2, 400, <<"Invalid JSON">>)
+          end;
+        false ->
+          send_error(Req1, 403, <<"Superadmin access required">>)
+      end;
+    {error, Code, Message, Req1} ->
+      send_error(Req1, Code, Message)
+  end.
+
+update_admin_role(Req) ->
+  case handler_auth:authenticate(Req) of
+    {ok, AdminId, Req1} ->
+      case admin_utils:check_role(AdminId, superadmin) of
+        true ->
+          AdminIdToUpdate = cowboy_req:binding(id, Req1),
+          {ok, Body, Req2} = cowboy_req:read_body(Req1),
+          try jsx:decode(Body, [return_maps]) of
+            #{<<"role">> := RoleBin} ->
+              NewRole = binary_to_atom(RoleBin, utf8),
+              case core_admin:update_role(AdminIdToUpdate, NewRole) of
+                {ok, Admin} ->
+                  send_json(Req2, 200, admin_to_json(Admin));
+                {error, not_found} ->
+                  send_error(Req2, 404, <<"Admin not found">>);
+                {error, Reason} ->
+                  send_error(Req2, 500, Reason)
+              end;
+            _ ->
+              send_error(Req2, 400, <<"Missing 'role' field">>)
+          catch
+            _:_ -> send_error(Req2, 400, <<"Invalid JSON">>)
+          end;
+        false ->
+          send_error(Req1, 403, <<"Superadmin access required">>)
+      end;
+    {error, Code, Message, Req1} ->
+      send_error(Req1, Code, Message)
+  end.
+
+admin_to_json(A) ->
+  #{
+    id => A#admin.id,
+    email => A#admin.email,
+    role => A#admin.role,
+    status => A#admin.status,
+    created_at => datetime_to_iso8601(A#admin.created_at),
+    updated_at => datetime_to_iso8601(A#admin.updated_at)
+  }.
+
+datetime_to_iso8601({{Y,M,D},{H,Min,S}}) ->
+  iolist_to_binary(io_lib:format("~4..0B-~2..0B-~2..0BT~2..0B:~2..0B:~2..0BZ", [Y,M,D,H,Min,S]));
+datetime_to_iso8601(_) -> null.
+
+send_json(Req, Status, Data) ->
+  Body = jsx:encode(Data),
+  Req2 = cowboy_req:reply(Status, #{<<"content-type">> => <<"application/json">>}, Body, Req),
+  {ok, Req2, []}.
+
+send_error(Req, Code, Message) ->
+  Body = jsx:encode(#{error => Message}),
+  Req2 = cowboy_req:reply(Code, #{<<"content-type">> => <<"application/json">>}, Body, Req),
+  {ok, Req2, []}.

src/handlers/admin/admin_handler_audit.erl

@@ -0,0 +1,63 @@
+-module(admin_handler_audit).
+-behaviour(cowboy_handler).
+
+-include("records.hrl").
+
+-export([init/2]).
+
+init(Req, _Opts) ->
+  case cowboy_req:method(Req) of
+    <<"GET">> ->
+      case handler_auth:authenticate(Req) of
+        {ok, AdminId, Req1} ->
+          case admin_utils:check_role(AdminId, superadmin) of
+            true ->
+              Filters = parse_filters(Req1),
+              Entries = core_admin_audit:list(Filters),
+              Json = [audit_to_json(E) || E <- Entries],
+              send_json(Req1, 200, Json);
+            false ->
+              send_error(Req1, 403, <<"Superadmin access required">>)
+          end;
+        {error, Code, Message, Req1} ->
+          send_error(Req1, Code, Message)
+      end;
+    _ ->
+      send_error(Req, 405, <<"Method not allowed">>)
+  end.
+
+parse_filters(Req) ->
+  Qs = cowboy_req:parse_qs(Req),
+  lists:filtermap(fun
+                    ({<<"admin_id">>, Val}) -> {true, {admin_id, Val}};
+                    ({<<"action">>, Val}) -> {true, {action, Val}};
+                    (_) -> false
+                  end, Qs).
+
+audit_to_json(E) ->
+  #{
+    id => E#admin_audit.id,
+    admin_id => E#admin_audit.admin_id,
+    email => E#admin_audit.email,
+    role => E#admin_audit.role,
+    action => E#admin_audit.action,
+    entity_type => E#admin_audit.entity_type,
+    entity_id => E#admin_audit.entity_id,
+    timestamp => datetime_to_iso8601(E#admin_audit.timestamp),
+    ip => E#admin_audit.ip,
+    reason => E#admin_audit.reason
+  }.
+
+datetime_to_iso8601({{Y,M,D},{H,Min,S}}) ->
+  iolist_to_binary(io_lib:format("~4..0B-~2..0B-~2..0BT~2..0B:~2..0B:~2..0BZ", [Y,M,D,H,Min,S]));
+datetime_to_iso8601(_) -> null.
+
+send_json(Req, Status, Data) ->
+  Body = jsx:encode(Data),
+  Req2 = cowboy_req:reply(Status, #{<<"content-type">> => <<"application/json">>}, Body, Req),
+  {ok, Req2, []}.
+
+send_error(Req, Code, Message) ->
+  Body = jsx:encode(#{error => Message}),
+  Req2 = cowboy_req:reply(Code, #{<<"content-type">> => <<"application/json">>}, Body, Req),
+  {ok, Req2, []}.

src/handlers/admin/admin_handler_me.erl

@@ -0,0 +1,37 @@
+-module(admin_handler_me).
+-behaviour(cowboy_handler).
+
+-include("records.hrl").
+
+-export([init/2]).
+
+init(Req, _Opts) ->
+  case cowboy_req:method(Req) of
+    <<"GET">> ->
+      case handler_auth:authenticate(Req) of
+        {ok, AdminId, Req1} ->
+          case core_admin:get_by_id(AdminId) of
+            {ok, Admin} ->
+              Permissions = admin_utils:get_permissions(Admin#admin.role),
+              Resp = jsx:encode(#{
+                id => Admin#admin.id,
+                email => Admin#admin.email,
+                role => Admin#admin.role,
+                permissions => Permissions
+              }),
+              Req2 = cowboy_req:reply(200, #{<<"content-type">> => <<"application/json">>}, Resp, Req1),
+              {ok, Req2, []};
+            {error, not_found} ->
+              send_error(Req1, 404, <<"Admin not found">>)
+          end;
+        {error, Code, Message, Req1} ->
+          send_error(Req1, Code, Message)
+      end;
+    _ ->
+      send_error(Req, 405, <<"Method not allowed">>)
+  end.
+
+send_error(Req, Code, Message) ->
+  Body = jsx:encode(#{error => Message}),
+  Req2 = cowboy_req:reply(Code, #{<<"content-type">> => <<"application/json">>}, Body, Req),
+  {ok, Req2, []}.