rewrite

routes/auth_routes.py

@@ -20,10 +20,26 @@ def login_required(f):
     return decorated_function
 
 
+def admin_required(f):
+    """Decorator - require admin role"""
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        if 'user_id' not in session:
+            return redirect(url_for('auth.login'))
+        
+        user = User.query.get(session['user_id'])
+        if not user or not user.is_admin:
+            return jsonify({'error': 'Admin access required', 'success': False}), 403
+        
+        return f(*args, **kwargs)
+    return decorated_function
+
+
 @auth_bp.route('/login', methods=['GET', 'POST'])
 def login():
     """Login page and authentication"""
     if request.method == 'GET':
+        # Check if already logged in
         if 'user_id' in session:
             return redirect(url_for('main.index'))
         
@@ -49,18 +65,20 @@ def login():
             logger.warning(f"[AUTH] Login failed - wrong password for '{username}'", flush=True)
             return render_template('auth/login.html', error='Invalid credentials'), 401
         
-        session.clear()
+        session.clear() 
         session['user_id'] = user.id
         session['username'] = user.username
         session['is_admin'] = user.is_admin
-        session.permanent = True
+        session.permanent = True  
         
+        # Zaloguj w basie danych
         from datetime import datetime
         user.last_login = datetime.utcnow()
         db.session.commit()
         
         logger.info(f"[AUTH] User '{username}' logged in successfully", flush=True)
         
+        # Redirect do dashboard
         return redirect(url_for('main.index'))
     
     except Exception as e: