SWL Library Management System implements a comprehensive user management system with four distinct user roles, each with specific permissions and capabilities. The system handles authentication, registration, and role-based access control to ensure secure and efficient library operations.
Document ID as Username: Users log in using their document ID (e.g., student ID, national ID) instead of email, making the system accessible for users without email addresses.
Authentication uses Flask-Login with document ID-based login:
app/auth/routes.py
```python
from flask import flash, redirect, render_template, url_for
from flask_login import login_user

from app.auth import bp
from app.auth.forms import LoginForm
from app.models import User


@bp.route('/login', methods=['GET', 'POST'])
def login():
    form = LoginForm()
    if form.validate_on_submit():
        user = User.query.filter_by(document_id=form.document_id.data).first()
        # One generic message for both "unknown document" and "wrong password",
        # so the response does not reveal which document IDs exist
        if user is None or not user.check_password(form.password.data):
            flash('Documento o contraseña inválidos.', 'danger')
            return render_template('auth/login.html', form=form)
        login_user(user, remember=False)
        # Role-based redirect
        if user.role == 'admin':
            return redirect(url_for('admin.manage_users'))
        elif user.role == 'bibliotecario':
            return redirect(url_for('admin.admin_dashboard'))
        elif user.role in ['premium', 'cliente']:
            return redirect(url_for('main.premium_dashboard'))
    # GET request or failed validation: show the form
    return render_template('auth/login.html', form=form)
```
Because `login_user` is called with `remember=False`, no remember-me cookie is issued: the session ends when the browser is closed and users must log in again each session.
```python
@bp.route('/request/laptop', methods=['GET', 'POST'])
@role_required('premium', 'cliente')
def request_laptop():
    # Only premium and cliente users can access this route
    pass
```
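The `role_required` decorator used on these routes is not shown in these docs. The following is an added, framework-free sketch (not the project's own code) of how such a guard can distinguish "not logged in" (401) from "logged in with the wrong role" (403); `User`, `login_user`, `_session` and `AccessDenied` are stand-ins for the project's model, Flask-Login's `current_user` and Flask's `abort`.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Optional

@dataclass
class User:
    # Minimal stand-in for the project's User model (constructed for this example).
    document_id: str
    role: str
    is_authenticated: bool = True

class AccessDenied(Exception):
    # Raised where a Flask view would call abort(status)
    def __init__(self, status: int):
        super().__init__(status)
        self.status = status

# Stands in for flask_login.current_user (assumption); login_user() sets it.
_session = {"user": None}

def login_user(user: Optional[User]) -> None:
    _session["user"] = user

def role_required(*roles: str):
    """Admit only authenticated users whose role is in ``roles``: anonymous callers
    get 401, other roles get 403, so a wrong role is never mistaken for a missing login."""
    allowed = frozenset(roles)
    def decorator(view):
        @wraps(view)
        def wrapper(*args, **kwargs):
            user = _session["user"]
            if user is None or not user.is_authenticated:
                raise AccessDenied(401)
            if user.role not in allowed:
                raise AccessDenied(403)
            return view(*args, **kwargs)
        return wrapper
    return decorator

@role_required('premium', 'cliente')
def request_laptop() -> str:
    # Same guard as the laptop-request route above; the body is illustrative
    return 'laptop request form'

def try_access(user: Optional[User]) -> int:
    """Return the HTTP status request_laptop() would yield for ``user``."""
    login_user(user)
    try:
        request_laptop()
        return 200
    except AccessDenied as exc:
        return exc.status
```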
```python
@bp.route('/users/edit/<int:id>', methods=['POST'])
@role_required('admin')
def edit_user(id):
    user = User.query.get_or_404(id)
    form = EditUserForm()
    if form.validate_on_submit():
        user.full_name = form.full_name.data
        user.phone = form.phone.data
        # Role is taken from the admin-only form; EditUserForm should restrict
        # its choices to the four known roles
        user.role = form.role.data
        # Optional password update
        if form.password.data:
            user.set_password(form.password.data)
        db.session.commit()
        flash(f'Usuario {user.full_name} actualizado.', 'success')
    return redirect(url_for('admin.manage_users'))
```
app/admin/routes.py
```python
@bp.route('/users/delete/<int:id>', methods=['POST'])
@role_required('admin')
def delete_user(id):
    # Self-deletion protection: an admin cannot remove their own account
    if id == current_user.id:
        flash('No puedes eliminar tu propio usuario.', 'danger')
        return redirect(url_for('admin.manage_users'))
    user = User.query.get_or_404(id)
    db.session.delete(user)
    db.session.commit()
    flash(f'Usuario {user.full_name} eliminado.', 'success')
    return redirect(url_for('admin.manage_users'))
```
Self-Deletion Protection: Admins cannot delete their own user account to prevent accidental lockouts.