snapshot: preserve role management and user lifecycle controls

backend/workflows/forms.py

@@ -1,11 +1,13 @@
 from django import forms
 from pathlib import Path
 from datetime import timedelta
+from django.contrib.auth import get_user_model
 from django.utils import timezone
 from django.utils.translation import get_language, gettext as _
 
 from .form_builder import apply_form_field_config
 from .models import EmployeeProfile, FormOption, OffboardingRequest, OnboardingRequest, WorkflowConfig
+from .roles import ROLE_ADMIN, ROLE_GROUP_NAMES, ROLE_IT_STAFF, ROLE_LABELS, ROLE_STAFF, ROLE_SUPER_ADMIN, assign_user_role
 
 
 YES_NO_CHOICES = [('', '--'), ('ja', 'Ja'), ('nein', 'Nein')]
@@ -96,6 +98,60 @@ HARDWARE_EXTRA_CHOICES = [('Smartphone', 'Smartphone'), ('Anderes', 'Anderes')]
 SOFTWARE_EXTRA_CHOICES = [('Adobe Acrobat Pro (Abonnement: Zusätzliche Kosten)', 'Adobe Acrobat Pro (Abonnement: Zusätzliche Kosten)'), ('Anderes', 'Anderes')]
 
 
+class UserManagementCreateForm(forms.Form):
+    first_name = forms.CharField(label=_('Vorname'), max_length=150, required=False)
+    last_name = forms.CharField(label=_('Nachname'), max_length=150, required=False)
+    username = forms.CharField(label=_('Benutzername'), max_length=150)
+    email = forms.EmailField(label=_('E-Mail-Adresse'))
+    role_key = forms.ChoiceField(label=_('Rolle'))
+    password1 = forms.CharField(label=_('Passwort'), widget=forms.PasswordInput())
+    password2 = forms.CharField(label=_('Passwort bestätigen'), widget=forms.PasswordInput())
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.fields['role_key'].choices = [
+            (role_key, str(ROLE_LABELS[role_key]))
+            for role_key in (ROLE_SUPER_ADMIN, ROLE_ADMIN, ROLE_IT_STAFF, ROLE_STAFF)
+        ]
+
+    def clean_username(self):
+        username = (self.cleaned_data.get('username') or '').strip()
+        user_model = get_user_model()
+        if user_model.objects.filter(username=username).exists():
+            raise forms.ValidationError(_('Dieser Benutzername ist bereits vergeben.'))
+        return username
+
+    def clean_email(self):
+        return (self.cleaned_data.get('email') or '').strip().lower()
+
+    def clean_role_key(self):
+        role_key = (self.cleaned_data.get('role_key') or '').strip()
+        if role_key not in ROLE_GROUP_NAMES:
+            raise forms.ValidationError(_('Ungültige Rolle.'))
+        return role_key
+
+    def clean(self):
+        cleaned = super().clean()
+        password1 = cleaned.get('password1')
+        password2 = cleaned.get('password2')
+        if password1 and password2 and password1 != password2:
+            self.add_error('password2', _('Die Passwörter stimmen nicht überein.'))
+        return cleaned
+
+    def save(self):
+        user_model = get_user_model()
+        user = user_model.objects.create_user(
+            username=self.cleaned_data['username'],
+            email=self.cleaned_data['email'],
+            password=self.cleaned_data['password1'],
+            first_name=self.cleaned_data.get('first_name', ''),
+            last_name=self.cleaned_data.get('last_name', ''),
+            is_active=True,
+        )
+        assign_user_role(user, self.cleaned_data['role_key'])
+        return user
+
+
 class OnboardingRequestForm(forms.ModelForm):
     first_name = forms.CharField(label='Vorname', required=False)
     last_name = forms.CharField(label='Nachname', required=False)