rewrite

routes/auth_routes.py

@@ -20,10 +20,26 @@ def login_required(f):
     return decorated_function
 
 
+def admin_required(f):
+    """Decorator - require admin role"""
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        if 'user_id' not in session:
+            return redirect(url_for('auth.login'))
+        
+        user = User.query.get(session['user_id'])
+        if not user or not user.is_admin:
+            return jsonify({'error': 'Admin access required', 'success': False}), 403
+        
+        return f(*args, **kwargs)
+    return decorated_function
+
+
 @auth_bp.route('/login', methods=['GET', 'POST'])
 def login():
     """Login page and authentication"""
     if request.method == 'GET':
+        # Check if already logged in
         if 'user_id' in session:
             return redirect(url_for('main.index'))
         
@@ -55,12 +71,14 @@ def login():
         session['is_admin'] = user.is_admin
         session.permanent = True  
         
+        # Zaloguj w basie danych
         from datetime import datetime
         user.last_login = datetime.utcnow()
         db.session.commit()
         
         logger.info(f"[AUTH] User '{username}' logged in successfully", flush=True)
         
+        # Redirect do dashboard
         return redirect(url_for('main.index'))
     
     except Exception as e: