update: Add Global Search on Header, Add Global Audit log for all actions.

backend/users/router.py

@@ -1,5 +1,6 @@
 from fastapi import APIRouter, Depends, Query, UploadFile, File
 from typing import Optional, List
+from sqlalchemy.ext.asyncio import AsyncSession
 from auth.models import TokenPayload
 from auth.dependencies import require_permission
 from users.models import (
@@ -7,6 +8,8 @@ from users.models import (
     SetPasswordRequest, ResetPasswordRequest,
 )
 from users import service
+from database.postgres import get_pg_session
+from shared.audit import log_action
 
 router = APIRouter(prefix="/api/users", tags=["users"])
 
@@ -33,8 +36,12 @@ async def get_user(
 async def create_user(
     body: UserCreate,
     _user: TokenPayload = Depends(require_permission("app_users", "add")),
+    db: AsyncSession = Depends(get_pg_session),
 ):
-    return service.create_user(body)
+    app_user = service.create_user(body)
+    await log_action(db, _user.sub, _user.name or _user.email, "CREATE", "app_user",
+                     app_user.id, app_user.display_name or app_user.email or app_user.id)
+    return app_user
 
 
 @router.put("/{user_id}", response_model=UserInDB)
@@ -42,32 +49,57 @@ async def update_user(
     user_id: str,
     body: UserUpdate,
     _user: TokenPayload = Depends(require_permission("app_users", "edit")),
+    db: AsyncSession = Depends(get_pg_session),
 ):
-    return service.update_user(user_id, body)
+    old = service.get_user(user_id)
+    app_user = service.update_user(user_id, body)
+    _SKIP = {"updated_at", "id", "photo_url"}
+    changes = {
+        k: {"old": getattr(old, k, None), "new": getattr(app_user, k, None)}
+        for k in body.model_fields_set
+        if k not in _SKIP and getattr(old, k, None) != getattr(app_user, k, None)
+    }
+    await log_action(db, _user.sub, _user.name or _user.email, "UPDATE", "app_user",
+                     user_id, app_user.display_name or app_user.email or user_id,
+                     changes=changes or None)
+    return app_user
 
 
 @router.delete("/{user_id}", status_code=204)
 async def delete_user(
     user_id: str,
     _user: TokenPayload = Depends(require_permission("app_users", "delete")),
+    db: AsyncSession = Depends(get_pg_session),
 ):
     service.delete_user(user_id)
+    await log_action(db, _user.sub, _user.name or _user.email, "DELETE", "app_user",
+                     user_id, user_id)
 
 
 @router.post("/{user_id}/block", response_model=UserInDB)
 async def block_user(
     user_id: str,
     _user: TokenPayload = Depends(require_permission("app_users", "edit")),
+    db: AsyncSession = Depends(get_pg_session),
 ):
-    return service.block_user(user_id)
+    app_user = service.block_user(user_id)
+    await log_action(db, _user.sub, _user.name or _user.email, "STATUS_CHANGE", "app_user",
+                     user_id, app_user.display_name or app_user.email or user_id,
+                     meta={"status": "blocked"})
+    return app_user
 
 
 @router.post("/{user_id}/unblock", response_model=UserInDB)
 async def unblock_user(
     user_id: str,
     _user: TokenPayload = Depends(require_permission("app_users", "edit")),
+    db: AsyncSession = Depends(get_pg_session),
 ):
-    return service.unblock_user(user_id)
+    app_user = service.unblock_user(user_id)
+    await log_action(db, _user.sub, _user.name or _user.email, "STATUS_CHANGE", "app_user",
+                     user_id, app_user.display_name or app_user.email or user_id,
+                     meta={"status": "unblocked"})
+    return app_user
 
 
 @router.get("/{user_id}/devices", response_model=List[dict])