from flask import Blueprint, render_template, request, redirect, url_for, flash, jsonify, session from datetime import datetime import uuid from database import db from models import User, Company, AnalysisJob, AnalysisResult, ActivityLog, Invitation from auth_routes import admin_required, company_admin_required, login_required, log_activity # Create a Blueprint for company admin routes company_admin_bp = Blueprint('company_admin', __name__, url_prefix='/company-admin') # Company admin dashboard @company_admin_bp.route('/') @company_admin_required def dashboard(): # Get current user and their company user_id = session.get('user_id') current_user = User.query.get(user_id) company_id = current_user.company_id # Get statistics user_count = User.query.filter_by(company_id=company_id).count() analysis_count = AnalysisJob.query.filter_by(company_id=company_id).count() active_analyses = AnalysisJob.query.filter_by(company_id=company_id, status='processing').count() # Get recent activity recent_activity = ActivityLog.query.filter_by(company_id=company_id).order_by(ActivityLog.created_at.desc()).limit(10).all() # Get recent users recent_users = User.query.filter_by(company_id=company_id).order_by(User.created_at.desc()).limit(5).all() # Get recent analyses recent_analyses = AnalysisJob.query.filter_by(company_id=company_id).order_by(AnalysisJob.created_at.desc()).limit(5).all() # Get company information company = Company.query.get(company_id) return render_template( 'company_admin/dashboard.html', user_count=user_count, analysis_count=analysis_count, active_analyses=active_analyses, recent_activity=recent_activity, recent_users=recent_users, recent_analyses=recent_analyses, company=company ) # Company user management routes @company_admin_bp.route('/users') @company_admin_required def users(): # Get current user's company user_id = session.get('user_id') current_user = User.query.get(user_id) company_id = current_user.company_id # Get all users in the company users = User.query.filter_by(company_id=company_id).order_by(User.username).all() return render_template('company_admin/users.html', users=users) @company_admin_bp.route('/users/edit/', methods=['GET', 'POST']) @company_admin_required def edit_user(user_id): # Get current user's company current_user_id = session.get('user_id') current_user = User.query.get(current_user_id) company_id = current_user.company_id # Get the user to edit user = User.query.get_or_404(user_id) # Make sure the user is in the same company if user.company_id != company_id: flash('You can only edit users in your company', 'danger') return redirect(url_for('company_admin.users')) # Don't allow changing own role if user.id == current_user_id and 'role' in request.form: flash('You cannot change your own role', 'danger') return redirect(url_for('company_admin.users')) if request.method == 'POST': first_name = request.form.get('first_name') last_name = request.form.get('last_name') active = 'active' in request.form # Only allow setting role to company_admin or user (not system admin) role = request.form.get('role') if role and role not in ['company_admin', 'user']: role = 'user' # Update user if role: user.role = role user.first_name = first_name user.last_name = last_name user.active = active # Update password if provided password = request.form.get('password') if password: confirm_password = request.form.get('confirm_password') if password != confirm_password: flash('Passwords do not match', 'danger') return render_template('company_admin/edit_user.html', user=user) user.set_password(password) db.session.commit() # Log the activity log_activity( current_user_id, 'user_update', f"Company admin updated user: {user.username}", 'user', user.id ) flash('User updated successfully', 'success') return redirect(url_for('company_admin.users')) return render_template('company_admin/edit_user.html', user=user) # Invitation management @company_admin_bp.route('/invitations') @company_admin_required def invitations(): # Get current user's company user_id = session.get('user_id') current_user = User.query.get(user_id) company_id = current_user.company_id # Get invitations for this company invitations = Invitation.query.filter_by(company_id=company_id).order_by(Invitation.created_at.desc()).all() return render_template('company_admin/invitations.html', invitations=invitations) @company_admin_bp.route('/invitations/new', methods=['GET', 'POST']) @company_admin_required def new_invitation(): # Get current user's company user_id = session.get('user_id') current_user = User.query.get(user_id) company_id = current_user.company_id if request.method == 'POST': email = request.form.get('email') role = request.form.get('role', 'user') # Validation if not email: flash('Email is required', 'danger') return render_template('company_admin/new_invitation.html') # Only allow setting role to company_admin or user (not system admin) if role not in ['company_admin', 'user']: role = 'user' # Check if user already exists with this email if User.query.filter_by(email=email).first(): flash('A user with this email already exists', 'danger') return render_template('company_admin/new_invitation.html') # Check if invitation already exists for this email if Invitation.query.filter_by(email=email, accepted=False).first(): flash('An invitation has already been sent to this email', 'danger') return render_template('company_admin/new_invitation.html') # Create invitation invitation = Invitation.create_invitation( email=email, company_id=company_id, role=role, created_by=user_id ) db.session.add(invitation) db.session.commit() # Generate invitation URL with HTTPS forcing print("🔧 Debug: Company admin generating invitation URL...") invitation_url = url_for( 'auth.accept_invitation', token=invitation.invitation_token, _external=True ) print(f"🔗 Original URL: {invitation_url}") # FORCE HTTPS if it's HTTP (fix for anti-spam issues) if invitation_url.startswith('http://'): invitation_url = invitation_url.replace('http://', 'https://', 1) print(f"🔗 Forced HTTPS URL: {invitation_url}") else: print(f"🔗 URL already HTTPS: {invitation_url}") print(f"Final invitation URL for {email}: {invitation_url}") # Send the invitation email # Get company name for the email company = Company.query.get(company_id) company_name = company.name if company else "Your Organization" # Import and call the email function from email_config import send_invitation_email try: if send_invitation_email(email, invitation_url, company_name): flash('Invitation sent successfully', 'success') else: flash(f'Invitation created but email failed. Manual URL: {invitation_url}', 'warning') print(f"Invitation URL for {email}: {invitation_url}") except Exception as e: flash(f'Invitation created but email error: {str(e)}', 'warning') print(f"Invitation URL for {email}: {invitation_url}") # Log the activity log_activity( user_id, 'invitation_sent', f"Company admin sent invitation to: {email}", 'invitation', invitation.id ) flash('Invitation sent successfully', 'success') return redirect(url_for('company_admin.invitations')) return render_template('company_admin/new_invitation.html') @company_admin_bp.route('/invitations/cancel/', methods=['POST']) @company_admin_required def cancel_invitation(invitation_id): # Get current user's company user_id = session.get('user_id') current_user = User.query.get(user_id) company_id = current_user.company_id invitation = Invitation.query.get_or_404(invitation_id) # Make sure the invitation is for this company if invitation.company_id != company_id: flash('You can only cancel invitations for your company', 'danger') return redirect(url_for('company_admin.invitations')) # Only cancel if not already accepted if not invitation.accepted: email = invitation.email # Delete invitation db.session.delete(invitation) db.session.commit() # Log the activity log_activity( user_id, 'invitation_cancelled', f"Company admin cancelled invitation to: {email}" ) flash('Invitation cancelled successfully', 'success') else: flash('This invitation has already been accepted', 'warning') return redirect(url_for('company_admin.invitations')) # Company analyses management @company_admin_bp.route('/analyses') @company_admin_required def analyses(): # Get current user's company user_id = session.get('user_id') current_user = User.query.get(user_id) company_id = current_user.company_id # Get all analyses for this company analyses = AnalysisJob.query.filter_by(company_id=company_id).order_by(AnalysisJob.created_at.desc()).all() return render_template('company_admin/analyses.html', analyses=analyses) @company_admin_bp.route('/analyses/view/') @company_admin_required def view_analysis(job_uuid): # Get current user's company user_id = session.get('user_id') current_user = User.query.get(user_id) company_id = current_user.company_id # Get the analysis analysis = AnalysisJob.query.filter_by(job_uuid=job_uuid).first_or_404() # Make sure the analysis is for this company if analysis.company_id != company_id: flash('You can only view analyses for your company', 'danger') return redirect(url_for('company_admin.analyses')) return redirect(url_for('view_analysis', job_id=job_uuid)) @company_admin_bp.route('/analyses/delete/', methods=['POST']) @company_admin_required def delete_analysis(job_uuid): # Get current user's company user_id = session.get('user_id') current_user = User.query.get(user_id) company_id = current_user.company_id # Get the analysis analysis = AnalysisJob.query.filter_by(job_uuid=job_uuid).first_or_404() # Make sure the analysis is for this company if analysis.company_id != company_id: flash('You can only delete analyses for your company', 'danger') return redirect(url_for('company_admin.analyses')) # Save info for logging filename = analysis.filename # Delete associated results if they exist if analysis.results: db.session.delete(analysis.results) # Delete analysis job db.session.delete(analysis) db.session.commit() # Log the activity log_activity( user_id, 'analysis_deletion', f"Company admin deleted analysis: {filename}" ) flash('Analysis deleted successfully', 'success') return redirect(url_for('company_admin.analyses')) # Company activity logs @company_admin_bp.route('/activity') @company_admin_required def activity(): # Get current user's company user_id = session.get('user_id') current_user = User.query.get(user_id) company_id = current_user.company_id page = request.args.get('page', 1, type=int) per_page = 50 # Manual pagination for company's activity logs logs_query = ActivityLog.query.filter_by(company_id=company_id).order_by(ActivityLog.created_at.desc()) total = logs_query.count() offset = (page - 1) * per_page logs = logs_query.limit(per_page).offset(offset).all() return render_template('company_admin/activity.html', logs=logs) # Company profile @company_admin_bp.route('/profile', methods=['GET', 'POST']) @company_admin_required def profile(): # Get current user's company user_id = session.get('user_id') current_user = User.query.get(user_id) company_id = current_user.company_id company = Company.query.get(company_id) if request.method == 'POST': # Company admins can update some company details but not subscription tier name = request.form.get('name') description = request.form.get('description') # Check if name changed and already exists if name != company.name and Company.query.filter_by(name=name).first(): flash('Company name already exists', 'danger') return render_template('company_admin/profile.html', company=company) # Update company company.name = name company.description = description db.session.commit() # Log the activity log_activity( user_id, 'company_update', f"Company admin updated company profile: {name}", 'company', company.id ) flash('Company profile updated successfully', 'success') return redirect(url_for('company_admin.profile')) return render_template('company_admin/profile.html', company=company)