EventHub/EventHubBack
1
1
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Ролевая модель и аудит Часть 1.

Browse Source
This commit is contained in:
Алексей Сабилин
2026-04-28 19:12:02 +03:00
parent 7ea4efd7d9
commit b2cea7896d
32 changed files with 369 additions and 320 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
Makefile
View File

@@ -87,11 +87,11 @@ test: eunit ## Запустить все тесты (алиас для eunit)
eunit: ## Запустить EUnit тесты
@echo "Запуск EUnit тестов..."
@$(REBAR3) eunit --sname $(SNAME)_test
@$(REBAR3) eunit --sname $(SNAME)_test --verbose
eunit-module: ## Запустить тесты для модуля (make eunit-module MODULE=core_calendar_tests)
@echo "Запуск тестов для модуля $(MODULE)..."
@$(REBAR3) eunit --sname $(SNAME)_test --module=$(MODULE)
@$(REBAR3) eunit --sname $(SNAME)_test --module=$(MODULE) --verbose
eunit-verbose: ## Запустить EUnit тесты с подробным выводом
@echo "Запуск EUnit тестов (verbose)..."

21
include/records.hrl
View File

@@ -7,7 +7,7 @@
id :: binary(),
email :: binary(),
password_hash :: binary(),
role :: user | admin,
role :: user | bot,
status :: active | frozen | deleted,
created_at :: calendar:datetime(),
updated_at :: calendar:datetime()
@@ -20,6 +20,25 @@
type :: access | refresh
}).
%% ------------------- АДМИНИСТРАТОРЫ ------------------------------------
-record(admin, {
id :: binary(),
email :: binary(),
password_hash :: binary(),
role :: superadmin | moderator | support,
status :: active | blocked,
created_at :: calendar:datetime(),
updated_at :: calendar:datetime()
}).
%% ------------------- СЕССИИ АДМИНИСТРАТОРОВ ---------------------------
-record(admin_session, {
token :: binary(),
admin_id :: binary(),
expires_at :: calendar:datetime(),
type :: refresh
}).
%% ------------------- Календари ---------------------------------------
-record(calendar, {
id :: binary(),

63
src/core/core_admin.erl Normal file
View File

@@ -0,0 +1,63 @@
-module(core_admin).
-include("records.hrl").
-export([create/3, get_by_email/1, get_by_id/1, list_all/0,
update_role/2, block/1, unblock/1, generate_id/0]).
create(Email, Password, Role) ->
Id = generate_id(),
{ok, Hash} = argon2:hash(Password),
Now = calendar:universal_time(),
Admin = #admin{
id = Id,
email = Email,
password_hash = Hash,
role = Role,
status = active,
created_at = Now,
updated_at = Now
},
mnesia:dirty_write(Admin),
{ok, Admin}.
get_by_email(Email) ->
Match = #admin{email = Email, _ = '_'},
case mnesia:dirty_match_object(Match) of
[Admin] -> {ok, Admin};
[] -> {error, not_found}
end.
get_by_id(Id) ->
case mnesia:dirty_read({admin, Id}) of
[Admin] -> {ok, Admin};
[] -> {error, not_found}
end.
list_all() ->
mnesia:dirty_match_object(#admin{_ = '_'}).
update_role(Id, NewRole) when is_atom(NewRole) ->
case get_by_id(Id) of
{ok, Admin} ->
Updated = Admin#admin{role = NewRole, updated_at = calendar:universal_time()},
mnesia:dirty_write(Updated),
{ok, Updated};
Error -> Error
end.
block(Id) ->
update_status(Id, blocked).
unblock(Id) ->
update_status(Id, active).
update_status(Id, Status) ->
case get_by_id(Id) of
{ok, Admin} ->
Updated = Admin#admin{status = Status, updated_at = calendar:universal_time()},
mnesia:dirty_write(Updated),
{ok, Updated};
Error -> Error
end.
generate_id() ->
base64:encode(crypto:strong_rand_bytes(16), #{mode => urlsafe, padding => false}).

35
src/core/core_admin_session.erl Normal file
View File

@@ -0,0 +1,35 @@
-module(core_admin_session).
-include("records.hrl").
-export([create/2, validate/1, delete/1]).
-spec create(AdminId :: binary(), RefreshToken :: binary()) -> ok.
create(AdminId, RefreshToken) ->
Session = #admin_session{
token = RefreshToken,
admin_id = AdminId,
expires_at = calendar:gregorian_seconds_to_datetime(
calendar:datetime_to_gregorian_seconds(calendar:universal_time()) + 30 * 24 * 3600),
type = refresh
},
mnesia:dirty_write(Session),
ok.
-spec validate(Token :: binary()) -> {ok, AdminId :: binary()} | {error, not_found | expired}.
validate(Token) ->
case mnesia:dirty_read({admin_session, Token}) of
[Session] ->
case Session#admin_session.expires_at > calendar:universal_time() of
true ->
{ok, Session#admin_session.admin_id};
false ->
mnesia:dirty_delete({admin_session, Token}),
{error, expired}
end;
[] ->
{error, not_found}
end.
-spec delete(Token :: binary()) -> ok.
delete(Token) ->
mnesia:dirty_delete({admin_session, Token}),
ok.

41
src/core/core_session.erl Normal file
View File

@@ -0,0 +1,41 @@
-module(core_session).
-include("records.hrl").
-export([create/2, validate/1, delete/1]).
-spec create(UserId :: binary(), RefreshToken :: binary()) -> ok.
create(UserId, RefreshToken) ->
Session = #session{
token = RefreshToken,
user_id = UserId,
expires_at = calendar:gregorian_seconds_to_datetime(
calendar:datetime_to_gregorian_seconds(calendar:universal_time()) + 30 * 24 * 3600),
type = refresh
},
mnesia:dirty_write(Session),
ok.
-spec validate(Token :: binary()) -> {ok, UserId :: binary(), User :: #user{}} | {error, not_found | expired}.
validate(Token) ->
case mnesia:dirty_read({session, Token}) of
[Session] ->
case Session#session.expires_at > calendar:universal_time() of
true ->
% Получаем пользователя по ID из сессии
case mnesia:dirty_read({user, Session#session.user_id}) of
[User] ->
{ok, Session#session.user_id, User};
[] ->
{error, not_found}
end;
false ->
mnesia:dirty_delete({session, Token}),
{error, expired}
end;
[] ->
{error, not_found}
end.
-spec delete(Token :: binary()) -> ok.
delete(Token) ->
mnesia:dirty_delete({session, Token}),
ok.

11
src/handlers/admin/admin_handler_banned_words.erl
View File

@@ -95,7 +95,7 @@ update_banned_word(Word, Req) ->
auth_admin(Req) ->
case handler_auth:authenticate(Req) of
{ok, AdminId, Req1} ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true -> {ok, AdminId, Req1};
false -> {error, 403, <<"Admin access required">>, Req1}
end;
@@ -103,15 +103,6 @@ auth_admin(Req) ->
{error, Code, Message, Req1}
end.
is_admin(UserId) ->
case core_user:get_by_id(UserId) of
{ok, User} ->
Role = User#user.role,
Role =:= admin orelse Role =:= superadmin orelse
Role =:= moderator orelse Role =:= support;
_ -> false
end.
banned_word_to_json(BW) ->
#{
id => BW#banned_word.id,

17
src/handlers/admin/admin_handler_health.erl
View File

@@ -1,15 +1,18 @@
-module(admin_handler_health).
-behaviour(cowboy_handler).
-export([init/2]).
init(Req, _Opts) ->
init(Req, State) ->
case cowboy_req:method(Req) of
<<"GET">> ->
Body = jsx:encode(#{status => <<"ok">>}),
Req1 = cowboy_req:reply(200, #{<<"content-type">> => <<"application/json">>}, Body, Req),
{ok, Req1, []};
Req2 = cowboy_req:reply(200, #{<<"content-type">> => <<"application/json">>}, Body, Req),
{ok, Req2, State};
_ ->
Body = jsx:encode(#{error => <<"Method not allowed">>}),
Req1 = cowboy_req:reply(405, #{<<"content-type">> => <<"application/json">>}, Body, Req),
{ok, Req1, []}
send_error(Req, 405, <<"Method not allowed">>)
end.
send_error(Req, Status, Message) ->
Body = jsx:encode(#{error => Message}),
Req2 = cowboy_req:reply(Status, #{<<"content-type">> => <<"application/json">>}, Body, Req),
{ok, Req2, []}.

15
src/handlers/admin/admin_handler_login.erl
View File

@@ -12,13 +12,18 @@ init(Req0, State) ->
#{<<"email">> := Email, <<"password">> := Password} ->
case eventhub_auth:authenticate_admin_request(Req1, Email, Password) of
{ok, Token, User} ->
% Генерация refresh-токена для администратора
{RefreshToken, _ExpiresAt} = eventhub_auth:generate_refresh_token(maps:get(id, User)),
% Сохранение refresh-токена в admin_session
core_admin_session:create(maps:get(id, User), RefreshToken),
Resp = jsx:encode(#{
<<"token">> => Token,
<<"user">> => #{
<<"id">> => maps:get(id, User),
<<"email">> => maps:get(email, User),
<<"role">> => maps:get(role, User)
}
},
<<"refresh_token">> => RefreshToken
}),
Req2 = cowboy_req:reply(200, #{
<<"content-type">> => <<"application/json">>,
@@ -26,14 +31,16 @@ init(Req0, State) ->
}, Resp, Req1),
{ok, Req2, State};
{error, insufficient_permissions} ->
error_response(403, insufficient_permissions, Req1, State);
error_response(403, <<"insufficient_permissions">>, Req1, State);
{error, Reason} when is_atom(Reason) ->
error_response(401, atom_to_binary(Reason, utf8), Req1, State);
{error, Reason} ->
error_response(401, Reason, Req1, State)
end;
_ ->
error_response(400, <<"invalid_request">>, Req1, State)
error_response(400, <<"Missing email or password">>, Req1, State)
catch
_:_ -> error_response(400, <<"invalid_request">>, Req1, State)
_:_ -> error_response(400, <<"Invalid JSON">>, Req1, State)
end;
false ->
error_response(400, <<"Missing request body">>, Req0, State)

11
src/handlers/admin/admin_handler_moderation.erl
View File

@@ -99,7 +99,7 @@ handle_user(_Id, _Action, Req) ->
auth_admin(Req) ->
case handler_auth:authenticate(Req) of
{ok, AdminId, Req1} ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true -> {ok, AdminId, Req1};
false -> {error, 403, <<"Admin access required">>, Req1}
end;
@@ -107,15 +107,6 @@ auth_admin(Req) ->
{error, Code, Message, Req1}
end.
is_admin(UserId) ->
case core_user:get_by_id(UserId) of
{ok, User} ->
Role = User#user.role,
Role =:= admin orelse Role =:= superadmin orelse
Role =:= moderator orelse Role =:= support;
_ -> false
end.
calendar_to_json(C) ->
#{
id => C#calendar.id,

13
src/handlers/admin/admin_handler_report_by_id.erl
View File

@@ -14,7 +14,7 @@ init(Req, _Opts) ->
get_report(Req) ->
case handler_auth:authenticate(Req) of
{ok, AdminId, Req1} ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true ->
ReportId = cowboy_req:binding(id, Req1),
case core_report:get_by_id(ReportId) of
@@ -33,7 +33,7 @@ get_report(Req) ->
update_report(Req) ->
case handler_auth:authenticate(Req) of
{ok, AdminId, Req1} ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true ->
ReportId = cowboy_req:binding(id, Req1),
{ok, Body, Req2} = cowboy_req:read_body(Req1),
@@ -60,15 +60,6 @@ update_report(Req) ->
send_error(Req1, Code, Message)
end.
is_admin(UserId) ->
case core_user:get_by_id(UserId) of
{ok, User} ->
Role = User#user.role,
Role =:= admin orelse Role =:= superadmin orelse
Role =:= moderator orelse Role =:= support;
_ -> false
end.
report_to_json(R) ->
#{
id => R#report.id,

15
src/handlers/admin/admin_handler_reports.erl
View File

@@ -8,13 +8,13 @@ init(Req, _Opts) ->
case cowboy_req:method(Req) of
<<"GET">> -> list_reports(Req);
<<"PUT">> -> update_report(Req);
_ -> send_error(Req, 405, <<"Method not allowed">>)
_ -> send_error(Req, 405, <<"Method not allowed">>)
end.
list_reports(Req) ->
case handler_auth:authenticate(Req) of
{ok, AdminId, Req1} ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true ->
{ok, Reports} = core_report:list_all(),
send_json(Req1, 200, [report_to_json(R) || R <- Reports]);
@@ -28,7 +28,7 @@ list_reports(Req) ->
update_report(Req) ->
case handler_auth:authenticate(Req) of
{ok, AdminId, Req1} ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true ->
ReportId = cowboy_req:binding(id, Req1),
{ok, Body, Req2} = cowboy_req:read_body(Req1),
@@ -54,15 +54,6 @@ update_report(Req) ->
send_error(Req1, Code, Message)
end.
is_admin(UserId) ->
case core_user:get_by_id(UserId) of
{ok, User} ->
Role = User#user.role,
Role =:= admin orelse Role =:= superadmin orelse
Role =:= moderator orelse Role =:= support;
_ -> false
end.
report_to_json(R) ->
#{
id => R#report.id,

13
src/handlers/admin/admin_handler_reviews.erl
View File

@@ -14,7 +14,7 @@ init(Req, _Opts) ->
get_review(Req) ->
case handler_auth:authenticate(Req) of
{ok, AdminId, Req1} ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true ->
ReviewId = cowboy_req:binding(id, Req1),
case core_review:get_by_id(ReviewId) of
@@ -33,7 +33,7 @@ get_review(Req) ->
update_review(Req) ->
case handler_auth:authenticate(Req) of
{ok, AdminId, Req1} ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true ->
ReviewId = cowboy_req:binding(id, Req1),
{ok, Body, Req2} = cowboy_req:read_body(Req1),
@@ -59,15 +59,6 @@ update_review(Req) ->
send_error(Req1, Code, Message)
end.
is_admin(UserId) ->
case core_user:get_by_id(UserId) of
{ok, User} ->
Role = User#user.role,
Role =:= admin orelse Role =:= superadmin orelse
Role =:= moderator orelse Role =:= support;
_ -> false
end.
review_to_json(R) ->
#{
id => R#review.id,

20
src/handlers/admin/admin_handler_stats.erl
View File

@@ -1,14 +1,8 @@
-module(admin_handler_stats).
-include("records.hrl").
-export([init/2]).
-export([count_users/0, count_calendars/0, count_events/0, count_bookings/0,
count_reviews/0, count_reports/0, count_tickets/0, count_subscriptions/0]).
-export([is_admin/1]).
init(Req, Opts) ->
handle(Req, Opts).
handle(Req, _Opts) ->
init(Req, _Opts) ->
case cowboy_req:method(Req) of
<<"GET">> -> get_stats(Req);
_ -> send_error(Req, 405, <<"Method not allowed">>)
@@ -17,7 +11,7 @@ handle(Req, _Opts) ->
get_stats(Req) ->
case handler_auth:authenticate(Req) of
{ok, AdminId, Req1} ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true ->
Stats = #{
users => count_users(),
@@ -37,16 +31,6 @@ get_stats(Req) ->
send_error(Req1, Code, Message)
end.
%% Вспомогательные функции
is_admin(UserId) ->
case core_user:get_by_id(UserId) of
{ok, User} ->
Role = User#user.role,
Role =:= admin orelse Role =:= superadmin orelse
Role =:= moderator orelse Role =:= support;
_ -> false
end.
count_users() -> length(mnesia:dirty_match_object(#user{_ = '_'})).
count_calendars() -> length(mnesia:dirty_match_object(#calendar{_ = '_'})).
count_events() -> length(mnesia:dirty_match_object(#event{is_instance = false, _ = '_'})).

11
src/handlers/admin/admin_handler_subscriptions.erl
View File

@@ -114,7 +114,7 @@ delete_subscription(SubscriptionId, Req) ->
auth_admin(Req) ->
case handler_auth:authenticate(Req) of
{ok, AdminId, Req1} ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true -> {ok, AdminId, Req1};
false -> {error, 403, <<"Admin access required">>, Req1}
end;
@@ -122,15 +122,6 @@ auth_admin(Req) ->
{error, Code, Message, Req1}
end.
is_admin(UserId) ->
case core_user:get_by_id(UserId) of
{ok, User} ->
Role = User#user.role,
Role =:= admin orelse Role =:= superadmin orelse
Role =:= moderator orelse Role =:= support;
_ -> false
end.
subscription_to_json(S) ->
#{
id => S#subscription.id,

11
src/handlers/admin/admin_handler_ticket_by_id.erl
View File

@@ -67,7 +67,7 @@ delete_ticket(Req) ->
auth_admin(Req) ->
case handler_auth:authenticate(Req) of
{ok, AdminId, Req1} ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true -> {ok, AdminId, Req1};
false -> {error, 403, <<"Admin access required">>, Req1}
end;
@@ -75,15 +75,6 @@ auth_admin(Req) ->
{error, Code, Message, Req1}
end.
is_admin(UserId) ->
case core_user:get_by_id(UserId) of
{ok, User} ->
Role = User#user.role,
Role =:= admin orelse Role =:= superadmin orelse
Role =:= moderator orelse Role =:= support;
_ -> false
end.
ticket_to_json(T) ->
#{
id => T#ticket.id,

11
src/handlers/admin/admin_handler_ticket_stats.erl
View File

@@ -22,7 +22,7 @@ get_stats(Req) ->
auth_admin(Req) ->
case handler_auth:authenticate(Req) of
{ok, AdminId, Req1} ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true -> {ok, AdminId, Req1};
false -> {error, 403, <<"Admin access required">>, Req1}
end;
@@ -30,15 +30,6 @@ auth_admin(Req) ->
{error, Code, Message, Req1}
end.
is_admin(UserId) ->
case core_user:get_by_id(UserId) of
{ok, User} ->
Role = User#user.role,
Role =:= admin orelse Role =:= superadmin orelse
Role =:= moderator orelse Role =:= support;
_ -> false
end.
send_json(Req, Status, Data) ->
Body = jsx:encode(Data),
cowboy_req:reply(Status, #{<<"content-type">> => <<"application/json">>}, Body, Req),

11
src/handlers/admin/admin_handler_tickets.erl
View File

@@ -112,7 +112,7 @@ delete_ticket(TicketId, Req) ->
auth_admin(Req) ->
case handler_auth:authenticate(Req) of
{ok, AdminId, Req1} ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true -> {ok, AdminId, Req1};
false -> {error, 403, <<"Admin access required">>, Req1}
end;
@@ -120,15 +120,6 @@ auth_admin(Req) ->
{error, Code, Message, Req1}
end.
is_admin(UserId) ->
case core_user:get_by_id(UserId) of
{ok, User} ->
Role = User#user.role,
Role =:= admin orelse Role =:= superadmin orelse
Role =:= moderator orelse Role =:= support;
_ -> false
end.
ticket_to_json(T) ->
#{
id => T#ticket.id,

26
src/handlers/admin/admin_handler_user_by_id.erl
View File

@@ -1,28 +1,22 @@
-module(admin_handler_user_by_id).
-include("records.hrl").
-export([init/2]).
-export([user_to_json/1, convert_updates/1]).
init(Req, Opts) ->
handle(Req, Opts).
handle(Req, _Opts) ->
init(Req, _Opts) ->
case cowboy_req:method(Req) of
<<"GET">> -> get_user(Req);
<<"PUT">> -> update_user(Req);
<<"GET">> -> get_user(Req);
<<"PUT">> -> update_user(Req);
<<"DELETE">> -> delete_user(Req);
_ -> send_error(Req, 405, <<"Method not allowed">>)
_ -> send_error(Req, 405, <<"Method not allowed">>)
end.
get_user(Req) ->
case handler_auth:authenticate(Req) of
{ok, AdminId, Req1} ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true ->
UserId = cowboy_req:binding(id, Req1),
case core_user:get_by_id(UserId) of
{ok, User} when User#user.status =:= deleted ->
send_error(Req1, 404, <<"User not found">>);
{ok, User} ->
send_json(Req1, 200, user_to_json(User));
{error, not_found} ->
@@ -38,7 +32,7 @@ get_user(Req) ->
update_user(Req) ->
case handler_auth:authenticate(Req) of
{ok, AdminId, Req1} ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true ->
UserId = cowboy_req:binding(id, Req1),
{ok, Body, Req2} = cowboy_req:read_body(Req1),
@@ -69,7 +63,7 @@ update_user(Req) ->
delete_user(Req) ->
case handler_auth:authenticate(Req) of
{ok, AdminId, Req1} ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true ->
UserId = cowboy_req:binding(id, Req1),
case core_user:delete(UserId) of
@@ -85,12 +79,6 @@ delete_user(Req) ->
send_error(Req1, Code, Message)
end.
is_admin(UserId) ->
case core_user:get_by_id(UserId) of
{ok, User} -> User#user.role =:= admin;
_ -> false
end.
user_to_json(User) ->
#{
id => User#user.id,

49
src/handlers/admin/admin_handler_users.erl
View File

@@ -1,35 +1,40 @@
-module(admin_handler_users).
-behaviour(cowboy_handler).
-include("records.hrl").
-export([init/2]).
init(Req, _Opts) ->
case cowboy_req:method(Req) of
<<"GET">> ->
case handler_auth:authenticate(Req) of
{ok, _UserId, Req1} ->
{ok, Users} = core_user:list_users(),
Response = [user_to_map(U) || U <- Users],
send_json(Req1, 200, Response);
{error, Code, Message, Req1} ->
send_error(Req1, Code, Message)
end;
_ ->
send_error(Req, 405, <<"Method not allowed">>)
<<"GET">> -> list_users(Req);
_ -> send_error(Req, 405, <<"Method not allowed">>)
end.
user_to_map(User) ->
list_users(Req) ->
case handler_auth:authenticate(Req) of
{ok, AdminId, Req1} ->
case admin_utils:is_admin(AdminId) of
true ->
Users = core_user:list_users(),
send_json(Req1, 200, [user_to_json(U) || U <- Users]);
false ->
send_error(Req1, 403, <<"Admin access required">>)
end;
{error, Code, Message, Req1} ->
send_error(Req1, Code, Message)
end.
user_to_json(U) ->
#{
id => maps:get(id, User),
email => maps:get(email, User),
role => maps:get(role, User),
status => maps:get(status, User),
created_at => datetime_to_iso8601(maps:get(created_at, User)),
updated_at => datetime_to_iso8601(maps:get(updated_at, User))
id => U#user.id,
email => U#user.email,
role => U#user.role,
status => U#user.status,
created_at => datetime_to_iso8601(U#user.created_at),
updated_at => datetime_to_iso8601(U#user.updated_at)
}.
datetime_to_iso8601({{Year, Month, Day}, {Hour, Minute, Second}}) ->
iolist_to_binary(io_lib:format("~4..0B-~2..0B-~2..0BT~2..0B:~2..0B:~2..0BZ",
[Year, Month, Day, Hour, Minute, Second])).
datetime_to_iso8601({{Y,M,D},{H,Min,S}}) ->
iolist_to_binary(io_lib:format("~4..0B-~2..0B-~2..0BT~2..0B:~2..0B:~2..0BZ", [Y,M,D,H,Min,S]));
datetime_to_iso8601(_) -> null.
send_json(Req, Status, Data) ->
Body = jsx:encode(Data),

5
src/handlers/admin/admin_ws_handler.erl
View File

@@ -22,7 +22,7 @@ init(Req, _Opts) ->
case logic_auth:verify_jwt(Token) of
{ok, UserId, Role} ->
io:format("[ADMIN_WS] UserId: ~s, Role: ~s~n", [UserId, Role]),
case is_admin_role(Role) of
case admin_utils:is_admin(Role) of
true ->
io:format("[ADMIN_WS] Admin access granted~n"),
{cowboy_websocket, Req, #state{admin_id = UserId}};
@@ -82,6 +82,3 @@ websocket_info(_Info, State) ->
terminate(_Reason, _Req, _State) ->
pg:leave(eventhub_admin_ws, self()),
ok.
is_admin_role(Role) ->
lists:member(Role, [<<"admin">>, <<"superadmin">>, <<"moderator">>, <<"support">>]).

15
src/handlers/handler_login.erl
View File

@@ -2,7 +2,7 @@
-behaviour(cowboy_handler).
-export([init/2]).
-include("records.hrl"). %% ← необходим для #session{}
-include("records.hrl").
init(Req0, State) ->
handle(Req0, State).
@@ -21,8 +21,8 @@ handle(Req, _Opts) ->
#{<<"email">> := Email, <<"password">> := Password} ->
case eventhub_auth:authenticate_user_request(Req1, Email, Password) of
{ok, Token, User} ->
{RefreshToken, ExpiresAt} = eventhub_auth:generate_refresh_token(maps:get(id, User)),
save_refresh_token(maps:get(id, User), RefreshToken, ExpiresAt),
{RefreshToken, _ExpiresAt} = eventhub_auth:generate_refresh_token(maps:get(id, User)),
core_session:create(maps:get(id, User), RefreshToken),
Response = #{
user => #{
id => maps:get(id, User),
@@ -53,15 +53,6 @@ handle(Req, _Opts) ->
send_error(Req, 405, <<"Method not allowed">>)
end.
save_refresh_token(UserId, Token, ExpiresAt) ->
Session = #session{ %% record определён в records.hrl
token = Token,
user_id = UserId,
expires_at = ExpiresAt,
type = refresh
},
mnesia:dirty_write(Session).
send_json(Req, Status, Data) ->
Body = jsx:encode(Data),
cowboy_req:reply(Status, #{

90
src/handlers/handler_refresh.erl
View File

@@ -8,41 +8,12 @@ init(Req0, _Opts) ->
{ok, Body, Req1} = cowboy_req:read_body(Req0),
try jsx:decode(Body, [return_maps]) of
#{<<"refresh_token">> := RefreshToken} ->
case get_session(RefreshToken) of
{ok, Session} ->
% Проверяем, не истекла ли сессия
case Session#session.expires_at > calendar:universal_time() of
true ->
% Генерируем новый access-токен и refresh-токен
User = get_user(Session#session.user_id),
NewToken = eventhub_auth:generate_user_token(
User#user.id,
atom_to_binary(User#user.role, utf8)
),
{NewRefreshToken, ExpiresAt} =
eventhub_auth:generate_refresh_token(User#user.id),
% Удаляем старую сессию и сохраняем новую
mnesia:dirty_delete_object(Session),
NewSession = #session{
token = NewRefreshToken,
user_id = User#user.id,
expires_at = ExpiresAt,
type = refresh
},
mnesia:dirty_write(NewSession),
Resp = jsx:encode(#{
token => NewToken,
refresh_token => NewRefreshToken
}),
cowboy_req:reply(200, #{
<<"content-type">> => <<"application/json">>
}, Resp, Req1);
false ->
mnesia:dirty_delete_object(Session),
send_error(Req1, 401, <<"Refresh token expired">>)
end;
{error, not_found} ->
send_error(Req1, 401, <<"Refresh token not found">>)
case find_and_refresh(RefreshToken) of
{ok, NewTokenPair} ->
Resp = jsx:encode(NewTokenPair),
cowboy_req:reply(200, #{<<"content-type">> => <<"application/json">>}, Resp, Req1);
{error, Reason} ->
send_error(Req1, 401, Reason)
end;
_ ->
send_error(Req1, 400, <<"Missing refresh_token field">>)
@@ -53,15 +24,50 @@ init(Req0, _Opts) ->
send_error(Req0, 405, <<"Method not allowed">>)
end.
get_session(Token) ->
case mnesia:dirty_read({session, Token}) of
[Session] -> {ok, Session};
[] -> {error, not_found}
%% --------------------------------------------------------
%% Общая логика: проверяет обе таблицы сессий
%% --------------------------------------------------------
find_and_refresh(RefreshToken) ->
case core_session:validate(RefreshToken) of
{ok, UserId, User} ->
user_refresh(UserId, User, RefreshToken);
{error, not_found} ->
case core_admin_session:validate(RefreshToken) of
{ok, AdminId} ->
admin_refresh(AdminId, RefreshToken);
{error, not_found} ->
{error, <<"Refresh token not found">>};
{error, expired} ->
{error, <<"Refresh token expired">>}
end;
{error, expired} ->
{error, <<"Refresh token expired">>}
end.
get_user(UserId) ->
[User] = mnesia:dirty_read({user, UserId}),
User.
user_refresh(UserId, User, OldToken) ->
% Удаляем старый refresh-токен
core_session:delete(OldToken),
% Генерируем новый access-токен и refresh-токен
Role = atom_to_binary(User#user.role, utf8),
NewToken = eventhub_auth:generate_user_token(UserId, Role),
{NewRefreshToken, _ExpiresAt} = eventhub_auth:generate_refresh_token(UserId),
% Сохраняем новый refresh-токен в таблице session
core_session:create(UserId, NewRefreshToken),
{ok, #{token => NewToken, refresh_token => NewRefreshToken}}.
admin_refresh(AdminId, OldToken) ->
% Удаляем старый refresh-токен
core_admin_session:delete(OldToken),
% Получаем роль админа
{ok, Admin} = core_admin:get_by_id(AdminId),
Role = atom_to_binary(Admin#admin.role, utf8),
% Генерируем новый access-токен и refresh-токен
NewToken = eventhub_auth:generate_admin_token(AdminId, Role),
{NewRefreshToken, _ExpiresAt} = eventhub_auth:generate_refresh_token(AdminId),
% Сохраняем новый refresh-токен в таблице admin_session
core_admin_session:create(AdminId, NewRefreshToken),
{ok, #{token => NewToken, refresh_token => NewRefreshToken}}.
send_error(Req, Status, Message) ->
Body = jsx:encode(#{error => Message}),

10
src/handlers/handler_ticket_by_id.erl
View File

@@ -19,7 +19,7 @@ get_ticket(Req) ->
case core_ticket:get_by_id(TicketId) of
{ok, Ticket} ->
io:format("[TICKET_BY_ID] Found ticket, reporter_id: ~s~n", [Ticket#ticket.reporter_id]),
case is_admin(UserId) orelse Ticket#ticket.reporter_id =:= UserId of
case Ticket#ticket.reporter_id =:= UserId of
true ->
io:format("[TICKET_BY_ID] Access granted~n"),
send_json(Req1, 200, ticket_to_json(Ticket));
@@ -45,7 +45,7 @@ update_ticket(Req) ->
Updates when is_map(Updates) ->
case core_ticket:get_by_id(TicketId) of
{ok, Ticket} ->
case is_admin(UserId) orelse Ticket#ticket.reporter_id =:= UserId of
case Ticket#ticket.reporter_id =:= UserId of
true ->
case core_ticket:update_ticket(TicketId, Updates) of
{ok, Updated} -> send_json(Req2, 200, ticket_to_json(Updated));
@@ -63,12 +63,6 @@ update_ticket(Req) ->
send_error(Req1, Code, Message)
end.
is_admin(UserId) ->
case core_user:get_by_id(UserId) of
{ok, U} -> lists:member(U#user.role, [admin, superadmin, moderator, support]);
_ -> false
end.
ticket_to_json(T) ->
#{
id => T#ticket.id,

9
src/handlers/handler_tickets.erl
View File

@@ -17,7 +17,7 @@ handle(Req, _Opts) ->
list_tickets(Req) ->
case handler_auth:authenticate(Req) of
{ok, UserId, Req1} ->
case is_admin(UserId) of
case admin_utils:is_admin(UserId) of
true ->
Tickets = core_ticket:list_all(),
send_json(Req1, 200, [ticket_to_json(T) || T <- Tickets]);
@@ -51,13 +51,6 @@ create_ticket(Req) ->
send_error(Req1, Code, Message)
end.
is_admin(UserId) ->
case core_user:get_by_id(UserId) of
{ok, User} ->
lists:member(User#user.role, [admin, superadmin, moderator, support]);
_ -> false
end.
ticket_to_json(T) ->
#{
id => T#ticket.id,

13
src/infra/admin_utils.erl Normal file
View File

@@ -0,0 +1,13 @@
-module(admin_utils).
-include("records.hrl").
-export([is_admin/1]).
is_admin(UserId) ->
case core_admin:get_by_id(UserId) of
{ok, User} ->
Role = User#admin.role,
Role =:= admin orelse Role =:= superadmin orelse
Role =:= moderator orelse Role =:= support;
_ -> false
end.

19
src/infra/eventhub_auth.erl
View File

@@ -130,14 +130,14 @@ authenticate_user_request(_Req, Email, Password) ->
-spec authenticate_admin_request(Req :: cowboy_req:req(), Email :: binary(), Password :: binary()) ->
{ok, Token :: binary(), User :: map()} | {error, atom()}.
authenticate_admin_request(_Req, Email, Password) ->
case logic_auth:authenticate_user(Email, Password) of
{ok, User} ->
Role = maps:get(role, User, <<"admin">>),
case is_admin_role(Role) of
case logic_auth:authenticate_admin(Email, Password) of
{ok, AdminMap} ->
Role = maps:get(role, AdminMap, <<"admin">>),
case admin_utils:is_admin(Role) of
true ->
UserId = maps:get(id, User),
Token = generate_admin_token(UserId, Role),
{ok, Token, User};
AdminId = maps:get(id, AdminMap),
Token = generate_admin_token(AdminId, Role),
{ok, Token, AdminMap};
false -> {error, insufficient_permissions}
end;
Error -> Error
@@ -153,8 +153,3 @@ generate_refresh_token(_UserId) ->
calendar:datetime_to_gregorian_seconds(Now) + 30 * 24 * 3600
),
{RefreshToken, ExpiresAt}.
%% ========== ВНУТРЕННИЕ ==========
is_admin_role(Role) ->
lists:member(Role, [<<"admin">>, <<"superadmin">>, <<"moderator">>, <<"support">>]).

14
src/infra/infra_mnesia.erl
View File

@@ -8,7 +8,7 @@
-export([init/1, handle_call/3, handle_cast/2, handle_info/2, terminate/2, code_change/3]).
-define(TABLES, [
user, session, calendar, calendar_share, event, recurrence_exception,
user, session, admin, admin_session, calendar, calendar_share, event, recurrence_exception,
booking, review, report, banned_word, ticket, subscription, audit_log
]).
@@ -62,7 +62,7 @@ create_table(Table) ->
{atomic, ok} ->
ok;
{aborted, {already_exists, _}} ->
ok;
ok; % таблица уже существует пропускаем
{aborted, Reason} ->
error({table_creation_failed, Table, Reason})
end.
@@ -78,6 +78,16 @@ table_opts(session) ->
{attributes, record_info(fields, session)},
{ram_copies, [node()]}
];
table_opts(admin) ->
[
{attributes, record_info(fields, admin)},
{ram_copies, [node()]}
];
table_opts(admin_session) ->
[
{attributes, record_info(fields, admin_session)},
{ram_copies, [node()]}
];
table_opts(calendar) ->
[
{attributes, record_info(fields, calendar)},

36
src/logic/logic_auth.erl
View File

@@ -2,7 +2,8 @@
-export([hash_password/1, verify_password/2,
generate_jwt/2, verify_jwt/1,
generate_refresh_token/1,
authenticate_user/2]).
authenticate_user/2,
authenticate_admin/2]).
-include("records.hrl").
@@ -26,18 +27,27 @@ authenticate_user(Email, Password) ->
{ok, User} ->
case verify_password(Password, User#user.password_hash) of
{ok, true} ->
{ok, user_to_map(User)};
_ ->
{error, invalid_credentials}
{ok, #{
id => User#user.id,
email => User#user.email,
role => atom_to_binary(User#user.role, utf8)
}};
_ -> {error, invalid_credentials}
end;
{error, not_found} ->
{error, invalid_credentials}
{error, not_found} -> {error, invalid_credentials}
end.
user_to_map(User) ->
#{
id => User#user.id,
email => User#user.email,
role => atom_to_binary(User#user.role, utf8),
status => atom_to_binary(User#user.status, utf8)
}.
authenticate_admin(Email, Password) ->
case core_admin:get_by_email(Email) of
{ok, Admin} ->
case verify_password(Password, Admin#admin.password_hash) of
{ok, true} ->
{ok, #{
id => Admin#admin.id,
email => Admin#admin.email,
role => atom_to_binary(Admin#admin.role, utf8)
}};
_ -> {error, invalid_credentials}
end;
{error, not_found} -> {error, invalid_credentials}
end.

26
src/logic/logic_moderation.erl
View File

@@ -43,20 +43,20 @@ create_report(ReporterId, TargetType, TargetId, Reason) ->
end.
get_reports(AdminId) ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true -> core_report:list_all();
false -> {error, access_denied}
end.
get_reports_by_target(AdminId, TargetType, TargetId) ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true -> core_report:list_by_target(TargetType, TargetId);
false -> {error, access_denied}
end.
resolve_report(AdminId, ReportId, Action)
when Action =:= reviewed; Action =:= dismissed ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true ->
case core_report:get_by_id(ReportId) of
{ok, Report} ->
@@ -99,19 +99,19 @@ auto_freeze(_, _) -> ok.
%% ============ Бан-лист ===================================
add_banned_word(AdminId, Word) ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true -> core_banned_words:add_banned_word(Word, AdminId);
false -> {error, access_denied}
end.
remove_banned_word(AdminId, Word) ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true -> core_banned_words:remove_banned_word(Word);
false -> {error, access_denied}
end.
list_banned_words(AdminId) ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true -> {ok, core_banned_words:list_banned_words()};
false -> {error, access_denied}
end.
@@ -143,7 +143,7 @@ auto_moderate(Text) ->
%% ============ Заморозка/разморозка =======================
freeze_calendar(AdminId, CalendarId) ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true ->
case core_calendar:get_by_id(CalendarId) of
{ok, _Calendar} ->
@@ -154,7 +154,7 @@ freeze_calendar(AdminId, CalendarId) ->
end.
unfreeze_calendar(AdminId, CalendarId) ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true ->
case core_calendar:get_by_id(CalendarId) of
{ok, _Calendar} ->
@@ -165,7 +165,7 @@ unfreeze_calendar(AdminId, CalendarId) ->
end.
freeze_event(AdminId, EventId) ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true ->
case core_event:get_by_id(EventId) of
{ok, _Event} ->
@@ -176,7 +176,7 @@ freeze_event(AdminId, EventId) ->
end.
unfreeze_event(AdminId, EventId) ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true ->
case core_event:get_by_id(EventId) of
{ok, _Event} ->
@@ -199,9 +199,3 @@ target_exists(calendar, CalendarId) ->
_ -> false
end;
target_exists(_, _) -> false.
is_admin(UserId) ->
case core_user:get_by_id(UserId) of
{ok, User} -> User#user.role =:= admin;
_ -> false
end.

14
src/logic/logic_review.erl
View File

@@ -36,7 +36,7 @@ create_review(UserId, TargetType, TargetId, Rating, Comment) ->
get_review(UserId, ReviewId) ->
case core_review:get_by_id(ReviewId) of
{ok, Review} ->
case is_admin(UserId) orelse Review#review.status =:= visible of
case admin_utils:is_admin(UserId) orelse Review#review.status =:= visible of
true -> {ok, Review};
false -> {error, access_denied}
end;
@@ -48,7 +48,7 @@ get_review(UserId, ReviewId) ->
list_reviews(UserId, TargetType, TargetId) ->
case core_review:list_by_target(TargetType, TargetId) of
{ok, Reviews} ->
case is_admin(UserId) of
case admin_utils:is_admin(UserId) of
true -> {ok, Reviews};
false -> {ok, [R || R <- Reviews, R#review.status =:= visible]}
end;
@@ -95,7 +95,7 @@ update_review(UserId, ReviewId, Updates) ->
delete_review(UserId, ReviewId) ->
case core_review:get_by_id(ReviewId) of
{ok, Review} ->
case Review#review.user_id =:= UserId orelse is_admin(UserId) of
case Review#review.user_id =:= UserId orelse admin_utils:is_admin(UserId) of
true ->
TargetType = Review#review.target_type,
TargetId = Review#review.target_id,
@@ -159,7 +159,7 @@ can_review(UserId, TargetType, TargetId) ->
%% Проверка, может ли пользователь модерировать отзыв (скрыть/раскрыть)
can_moderate_review(UserId, ReviewId) ->
case is_admin(UserId) of
case admin_utils:is_admin(UserId) of
true ->
true;
false ->
@@ -200,12 +200,6 @@ target_exists(calendar, CalendarId) ->
end;
target_exists(_, _) -> false.
is_admin(UserId) ->
case core_user:get_by_id(UserId) of
{ok, User} -> User#user.role =:= admin;
_ -> false
end.
update_target_rating(event, EventId) ->
{Avg, Count} = core_review:get_average_rating(event, EventId),
io:format("Updating event ~p rating: avg=~p, count=~p~n", [EventId, Avg, Count]),

10
src/logic/logic_subscription.erl
View File

@@ -57,7 +57,7 @@ activate_subscription(UserId, Plan, PaymentInfo) ->
%% Отменить подписку
cancel_subscription(AdminId, SubscriptionId) ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true ->
case core_subscription:get_by_id(SubscriptionId) of
{ok, _Subscription} ->
@@ -80,7 +80,7 @@ get_user_subscription(UserId) ->
%% Получить подписку по ID (только админ)
get_subscription(AdminId, SubscriptionId) ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true -> core_subscription:get_by_id(SubscriptionId);
false -> {error, access_denied}
end.
@@ -137,12 +137,6 @@ handle_expired_subscriptions() ->
%% ============ Внутренние функции ============
is_admin(UserId) ->
case core_user:get_by_id(UserId) of
{ok, User} -> User#user.role =:= admin;
_ -> false
end.
plan_price(monthly) -> 999; % $9.99
plan_price(quarterly) -> 2499; % $24.99
plan_price(biannual) -> 4499; % $44.99

22
src/logic/logic_ticket.erl
View File

@@ -40,21 +40,21 @@ report_error(ErrorMessage, Stacktrace, Context) ->
%% Получить тикет (только для админов)
get_ticket(AdminId, TicketId) ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true -> core_ticket:get_by_id(TicketId);
false -> {error, access_denied}
end.
%% Список всех тикетов (только для админов)
list_tickets(AdminId) ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true -> core_ticket:list_all();
false -> {error, access_denied}
end.
%% Список тикетов по статусу (только для админов)
list_tickets_by_status(AdminId, Status) ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true ->
All = core_ticket:list_all(),
[T || T <- All, T#ticket.status =:= Status];
@@ -63,21 +63,21 @@ list_tickets_by_status(AdminId, Status) ->
%% Обновить статус тикета
update_status(AdminId, TicketId, Status) ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true -> core_ticket:update_ticket(TicketId, #{<<"status">> => Status});
false -> {error, access_denied}
end.
%% Назначить тикет администратору
assign_ticket(AdminId, TicketId, AssignToId) ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true -> core_ticket:update_ticket(TicketId, #{<<"assigned_to">> => AssignToId});
false -> {error, access_denied}
end.
%% Отметить тикет как решённый с примечанием
resolve_ticket(AdminId, TicketId, ResolutionNote) ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true ->
core_ticket:update_ticket(TicketId, #{
<<"status">> => <<"closed">>,
@@ -88,14 +88,14 @@ resolve_ticket(AdminId, TicketId, ResolutionNote) ->
%% Закрыть тикет
close_ticket(AdminId, TicketId) ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true -> core_ticket:update_ticket(TicketId, #{<<"status">> => <<"closed">>});
false -> {error, access_denied}
end.
%% Получить статистику по тикетам
get_statistics(AdminId) ->
case is_admin(AdminId) of
case admin_utils:is_admin(AdminId) of
true ->
All = core_ticket:list_all(),
Open = length([T || T <- All, T#ticket.status =:= open]),
@@ -116,11 +116,5 @@ get_statistics(AdminId) ->
%% ============ Вспомогательные функции ============
is_admin(UserId) ->
case core_user:get_by_id(UserId) of
{ok, User} -> User#user.role =:= admin;
_ -> false
end.
notify_admins(_Ticket) ->
ok.