In [10]:
import sqlite3
conn = sqlite3.connect('users.db')
cur = conn.cursor()

# Show all admins
cur.execute("SELECT * FROM admins")
admins = cur.fetchall()
print("Admins table:", admins)

# Get full user info for each admin
for cid, in admins:
    cur.execute("SELECT * FROM users WHERE customer_id = ?", (cid,))
    print(cur.fetchone())

conn.close()


Admins table: [('admin001',)]
(1, 'Administrator', 'admin001', 'Other', 30, '$2b$12$s8BhM3kbiILPdllu2jMBOeWWxvdAeQk8Wb.5qK8leCwjggQr3c3Ie')


In [None]:
import os
import sqlite3
from datetime import datetime
from functools import wraps

from flask import (
    Flask, render_template, request, redirect, url_for,
    session, flash
)
from werkzeug.utils import secure_filename
import pandas as pd
import pymongo
import bcrypt

# ---------------- Config (Jupyter-friendly) ----------------
BASE_DIR = os.getcwd()
DB_PATH = os.path.join(BASE_DIR, "users.db")
UPLOAD_FOLDER = os.path.join(BASE_DIR, "uploads")
ALLOWED_EXTENSIONS = {"csv"}
os.makedirs(UPLOAD_FOLDER, exist_ok=True)

app = Flask(__name__)
app.secret_key = os.environ.get("SECRET_KEY", "change_me_dev_key")

# ---------------- MongoDB ----------------
mongo_client = pymongo.MongoClient("mongodb+srv://xlu:1234@cluster0.u6y0aic.mongodb.net")
mdb = mongo_client["shopping_db"]
shopping_collection = mdb["shopping_data"]
logs_collection = mdb["logs"]

# ---------------- SQLite helpers ----------------
def get_db():
    conn = sqlite3.connect(DB_PATH)
    conn.row_factory = sqlite3.Row
    return conn

def init_sqlite_db():
    conn = get_db()
    cur = conn.cursor()
    # Users table
    cur.execute("""
        CREATE TABLE IF NOT EXISTS users (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            username TEXT NOT NULL,
            customer_id TEXT NOT NULL UNIQUE,
            gender TEXT NOT NULL,
            age INTEGER NOT NULL,
            password_hash TEXT NOT NULL
        )
    """)
    # Make username unique so login-by-username is unambiguous
    cur.execute("""
        CREATE UNIQUE INDEX IF NOT EXISTS idx_users_username_unique
        ON users(username)
    """)
    # Admin table (role mapping)
    cur.execute("""
        CREATE TABLE IF NOT EXISTS admins (
            customer_id TEXT PRIMARY KEY
        )
    """)
    conn.commit()
    conn.close()

def is_admin(customer_id: str) -> bool:
    conn = get_db()
    cur = conn.cursor()
    cur.execute("SELECT 1 FROM admins WHERE customer_id = ?", (customer_id,))
    row = cur.fetchone()
    conn.close()
    return row is not None

def allowed_file(filename):
    return "." in filename and filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS

def log_action(action, actor_cid, details=None):
    try:
        logs_collection.insert_one({
            "action": action,
            "actor_customer_id": actor_cid,
            "details": details or {},
            "ts": datetime.utcnow(),
        })
    except Exception as e:
        # Do not break app if logging fails
        print("Log insert failed:", e)

# ---------------- Decorators ----------------
def login_required(f):
    @wraps(f)
    def inner(*args, **kwargs):
        if "customer_id" not in session:
            flash("Please log in first.", "warning")
            return redirect(url_for("login"))
        return f(*args, **kwargs)
    return inner

def admin_required(f):
    @wraps(f)
    def inner(*args, **kwargs):
        cid = session.get("customer_id")
        if not cid:
            flash("Please log in first.", "warning")
            return redirect(url_for("login"))
        if not is_admin(cid):
            flash("Admin access required.", "danger")
            return redirect(url_for("home"))
        return f(*args, **kwargs)
    return inner

# ---------------- Bootstrap (Flask 3.x safe) ----------------
def bootstrap_once():
    """Run-once bootstrap to init DB and ensure a default admin exists."""
    if app.config.get("BOOTSTRAPPED"):
        return
    init_sqlite_db()

    conn = get_db()
    cur = conn.cursor()
    cur.execute("SELECT COUNT(1) FROM admins")
    has_admin = cur.fetchone()[0] > 0
    if not has_admin:
        username = "Administrator"
        customer_id = "admin001"
        gender = "Other"
        age = 30
        pw_hash = bcrypt.hashpw("AdminPass123!".encode("utf-8"), bcrypt.gensalt()).decode("utf-8")

        # Insert admin user if not exists
        cur.execute("SELECT 1 FROM users WHERE customer_id = ?", (customer_id,))
        if not cur.fetchone():
            cur.execute(
                "INSERT INTO users (username, customer_id, gender, age, password_hash) VALUES (?, ?, ?, ?, ?)",
                (username, customer_id, gender, age, pw_hash)
            )
        # Grant admin role
        cur.execute("INSERT OR IGNORE INTO admins (customer_id) VALUES (?)", (customer_id,))
        conn.commit()
        log_action("CREATE_DEFAULT_ADMIN", customer_id, {})
    conn.close()

    app.config["BOOTSTRAPPED"] = True

@app.before_request
def _ensure_bootstrap():
    # In Flask 3.x we emulate before_first_request with a guard flag
    if not app.config.get("BOOTSTRAPPED"):
        bootstrap_once()

# ---------------- Routes ----------------
@app.route("/")
def home():
    return render_template("home.html")

# ---------- Registration ----------
@app.route("/register", methods=["GET", "POST"])
def register():
    if request.method == "POST":
        username = request.form.get("username", "").strip()
        customer_id = request.form.get("customer_id", "").strip()
        gender = request.form.get("gender", "").strip()
        age = request.form.get("age", "").strip()
        password = request.form.get("password", "")
        confirm = request.form.get("confirm", "")

        if not (username and customer_id and gender and age and password):
            flash("All fields are required.", "danger")
            return redirect(url_for("register"))
        if not age.isdigit() or int(age) <= 0:
            flash("Age must be a positive integer.", "danger")
            return redirect(url_for("register"))
        if password != confirm:
            flash("Passwords do not match.", "danger")
            return redirect(url_for("register"))
        if len(password) < 8:
            flash("Password must be at least 8 characters.", "danger")
            return redirect(url_for("register"))

        pw_hash = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt()).decode("utf-8")

        try:
            conn = get_db()
            cur = conn.cursor()
            cur.execute(
                "INSERT INTO users (username, customer_id, gender, age, password_hash) VALUES (?, ?, ?, ?, ?)",
                (username, customer_id, gender, int(age), pw_hash)
            )
            conn.commit()
            conn.close()
            flash("Registration successful. Please log in.", "success")
            log_action("REGISTER", customer_id, {"username": username})
            return redirect(url_for("login"))
        except sqlite3.IntegrityError as e:
            # Could be duplicate customer_id or username due to the unique index
            msg = "Customer ID or username already exists. Choose unique values."
            flash(msg, "danger")
            return redirect(url_for("register"))

    return render_template("register.html")

# ---------- Login / Logout (BY USERNAME) ----------
@app.route("/login", methods=["GET", "POST"])
def login():
    if request.method == "POST":
        username = request.form.get("username", "").strip()  # <- use username now
        password = request.form.get("password", "")

        conn = get_db()
        cur = conn.cursor()
        cur.execute("""
            SELECT id, username, customer_id, password_hash
            FROM users
            WHERE username = ?
        """, (username,))
        user = cur.fetchone()
        conn.close()

        if user and bcrypt.checkpw(password.encode("utf-8"), user["password_hash"].encode("utf-8")):
            session["user_id"] = user["id"]
            session["customer_id"] = user["customer_id"]  # still needed for admin role + ownership
            session["username"] = user["username"]
            session["is_admin"] = is_admin(user["customer_id"])
            flash("Logged in successfully.", "success")
            log_action("LOGIN", user["customer_id"], {})
            return redirect(url_for("admin_dashboard" if session["is_admin"] else "profile"))
        else:
            flash("Invalid credentials.", "danger")
            return redirect(url_for("login"))
    return render_template("login.html")

@app.route("/logout")
def logout():
    cid = session.get("customer_id")
    session.clear()
    flash("Logged out.", "info")
    if cid:
        log_action("LOGOUT", cid, {})
    return redirect(url_for("home"))

# ---------- Normal user: update own info ----------
@app.route("/profile", methods=["GET", "POST"])
@login_required
def profile():
    uid = session["user_id"]
    conn = get_db()
    cur = conn.cursor()
    if request.method == "POST":
        username = request.form.get("username", "").strip()
        gender = request.form.get("gender", "").strip()
        age = request.form.get("age", "").strip()
        new_password = request.form.get("new_password", "")

        if not (username and gender and age and age.isdigit() and int(age) > 0):
            flash("Please provide valid username, gender, and age.", "danger")
            return redirect(url_for("profile"))

        try:
            if new_password:
                if len(new_password) < 8:
                    flash("New password must be at least 8 characters.", "danger")
                    return redirect(url_for("profile"))
                pw_hash = bcrypt.hashpw(new_password.encode("utf-8"), bcrypt.gensalt()).decode("utf-8")
                cur.execute("UPDATE users SET username = ?, gender = ?, age = ?, password_hash = ? WHERE id = ?",
                            (username, gender, int(age), pw_hash, uid))
            else:
                cur.execute("UPDATE users SET username = ?, gender = ?, age = ? WHERE id = ?",
                            (username, gender, int(age), uid))
            conn.commit()
        except sqlite3.IntegrityError:
            flash("Username already exists. Please choose another.", "danger")
            conn.close()
            return redirect(url_for("profile"))

        session["username"] = username
        flash("Profile updated.", "success")
        log_action("UPDATE_PROFILE", session.get("customer_id"), {"username": username})

    cur.execute("SELECT id, username, customer_id, gender, age FROM users WHERE id = ?", (uid,))
    user = cur.fetchone()
    conn.close()
    return render_template("profile.html", user=user)

# ---------- Normal user: view own shopping records ----------
@app.route("/my_shopping")
@login_required
def my_shopping():
    customer_id = session.get("customer_id")
    try:
        records = list(shopping_collection.find({"customer_id": customer_id}).sort("date", -1))
    except Exception:
        records = []
    return render_template("my_shopping.html", records=records)

# ---------- Admin-only ----------
@app.route("/admin")
@admin_required
def admin_dashboard():
    return render_template("admin_dashboard.html")

@app.route("/admin/users")
@admin_required
def admin_users():
    conn = get_db()
    cur = conn.cursor()
    cur.execute("SELECT id, username, customer_id, gender, age FROM users ORDER BY id DESC")
    users = [dict(row) for row in cur.fetchall()]
    conn.close()
    # mark admin flag for display
    conn = get_db()
    cur = conn.cursor()
    cur.execute("SELECT customer_id FROM admins")
    admin_cids = {r[0] for r in cur.fetchall()}
    conn.close()
    for u in users:
        u["is_admin"] = u["customer_id"] in admin_cids
    return render_template("users.html", users=users)

@app.route("/admin/delete_user/<customer_id>", methods=["POST"])
@admin_required
def delete_user(customer_id):
    # prevent deleting yourself to avoid lockout
    if customer_id == session.get("customer_id"):
        flash("You cannot delete the currently logged-in admin.", "warning")
        return redirect(url_for("admin_users"))

    conn = get_db()
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE customer_id = ?", (customer_id,))
    row = cur.fetchone()
    if not row:
        conn.close()
        flash("User not found.", "warning")
        return redirect(url_for("admin_users"))

    # Delete from users and admin role if exists
    cur.execute("DELETE FROM users WHERE customer_id = ?", (customer_id,))
    cur.execute("DELETE FROM admins WHERE customer_id = ?", (customer_id,))
    conn.commit()
    conn.close()

    # Cascade delete shopping records in Mongo
    try:
        shopping_collection.delete_many({"customer_id": customer_id})
    except Exception:
        pass

    flash("User and their shopping records deleted.", "info")
    log_action("DELETE_USER", session.get("customer_id"), {"deleted_customer_id": customer_id})
    return redirect(url_for("admin_users"))

@app.route("/admin/upload", methods=["GET", "POST"])
@admin_required
def upload():
    if request.method == "POST":
        if "file" not in request.files:
            flash("No file part.", "danger")
            return redirect(request.url)
        file = request.files["file"]
        if file.filename == "":
            flash("No file selected.", "danger")
            return redirect(request.url)
        if not allowed_file(file.filename):
            flash("Please upload a .csv file.", "danger")
            return redirect(request.url)

        filename = secure_filename(file.filename)
        path = os.path.join(UPLOAD_FOLDER, filename)
        file.save(path)

        try:
            df = pd.read_csv(path)
            # Expected columns (case-insensitive)
            required = {"customer_id", "item", "price", "qty", "date"}
            cols = {c.lower().strip() for c in df.columns}
            if not required.issubset(cols):
                flash(f"CSV must include: {', '.join(sorted(required))}", "danger")
                return redirect(request.url)
            # Normalize headers & clean
            df.columns = [c.lower().strip() for c in df.columns]
            df["price"] = pd.to_numeric(df["price"], errors="coerce").fillna(0.0)
            df["qty"] = pd.to_numeric(df["qty"], errors="coerce").fillna(1).astype(int)
            df["date"] = pd.to_datetime(df["date"], errors="coerce").fillna(pd.Timestamp.utcnow())

            records = df.to_dict(orient="records")
            for r in records:
                r["uploaded_by"] = session.get("customer_id")
                r["uploaded_at"] = datetime.utcnow()
            if records:
                shopping_collection.insert_many(records)
            flash(f"Uploaded {len(records)} shopping records.", "success")
            log_action("UPLOAD_CSV", session.get("customer_id"), {"filename": filename, "count": len(records)})
            return redirect(url_for("admin_dashboard"))
        except Exception as e:
            flash(f"Failed to process CSV: {e}", "danger")
            return redirect(request.url)
    return render_template("upload.html")

# Optional: admin view of all Mongo data
@app.route("/admin/view")
@admin_required
def admin_view_all():
    data = list(shopping_collection.find().sort("date", -1))
    return render_template("view.html", data=data)

# ---------------- Run ----------------
if __name__ == "__main__":
    # In notebooks, this ensures DB/admin exist even before first request
    bootstrap_once()
    app.run(host="0.0.0.0", port=5000, debug=False)


 * Serving Flask app '__main__'
 * Debug mode: off


 * Running on all addresses (0.0.0.0)
 * Running on http://127.0.0.1:5000
 * Running on http://10.129.100.69:5000
Press CTRL+C to quit
127.0.0.1 - - [10/Nov/2025 16:09:36] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [10/Nov/2025 16:09:37] "GET /register HTTP/1.1" 200 -
127.0.0.1 - - [10/Nov/2025 16:09:39] "GET /register HTTP/1.1" 200 -
127.0.0.1 - - [10/Nov/2025 16:09:40] "GET /login HTTP/1.1" 200 -
127.0.0.1 - - [10/Nov/2025 16:09:42] "POST /login HTTP/1.1" 302 -
127.0.0.1 - - [10/Nov/2025 16:09:42] "GET /login HTTP/1.1" 200 -
127.0.0.1 - - [10/Nov/2025 16:10:22] "POST /login HTTP/1.1" 302 -
127.0.0.1 - - [10/Nov/2025 16:10:22] "GET /login HTTP/1.1" 200 -
127.0.0.1 - - [10/Nov/2025 16:10:24] "POST /login HTTP/1.1" 302 -
127.0.0.1 - - [10/Nov/2025 16:10:24] "GET /login HTTP/1.1" 200 -
127.0.0.1 - - [10/Nov/2025 16:10:25] "POST /login HTTP/1.1" 302 -
127.0.0.1 - - [10/Nov/2025 16:10:25] "GET /login HTTP/1.1" 200 -
127.0.0.1 - - [10/Nov/2025 16:10:25] "POST /login HTTP/1.1" 302 -
127.0.0.1 - - 