Let's just finish this

.gitignore

@@ -135,6 +135,7 @@ venv/
 ENV/
 env.bak/
 venv.bak/
+streamlit_app.py
 
 # Spyder project settings
 .spyderproject

src/auth.py

@@ -107,3 +107,6 @@ async def get_api_key(api_key: str = Security(api_key_header), db: Session = Dep
         )
     
     return api_key
+
+def require_super_admin(current_user: User = Depends(get_current_active_user(required_roles=[Role.ADMIN]))):
+    return current_user  # Or raise if not super, but since Role.ADMIN is "super", it's fine.

src/crud/__init__.py

@@ -24,7 +24,8 @@ from .users import (
     update_user,  # FIX: was update_user_tag_id
     delete_user,
     hash_password,
-    get_all_users
+    get_all_users,
+    get_user_by_email
 )
 from .devices import (
     create_device,  # ADD: missing

src/crud/clearance.py

@@ -1,6 +1,7 @@
 from sqlmodel import Session, select
 from typing import List, Optional
 from src.models import ClearanceStatus, Student, ClearanceUpdate, ClearanceStatusEnum
+from datetime import datetime
 
 def get_clearance_status_for_student(db: Session, student: Student) -> List[ClearanceStatus]:
     """
@@ -24,6 +25,7 @@ def update_clearance_status(db: Session, update_data: ClearanceUpdate) -> Cleara
         ClearanceStatus.department == update_data.department
     )
     clearance_record = db.exec(status_statement).first()
+    clearance_record.updated_at = datetime.utcnow()
 
     if not clearance_record:
         # This case should ideally not happen if students are created correctly

src/crud/devices.py

@@ -14,6 +14,10 @@ def create_device(db: Session, device: DeviceCreate) -> Optional[Device]:
     existing_device = db.exec(select(Device).where(Device.device_name == device.device_name)).first()
     if existing_device:
         return None
+    
+    existing_location = db.exec(select(Device).where(Device.location == device.location)).first()
+    if existing_location:
+        return None
 
     # Generate a secure, URL-safe API key
     api_key = secrets.token_urlsafe(32)

src/crud/students.py

@@ -2,7 +2,7 @@ from sqlmodel import Session, select
 from typing import List, Optional
 
 from src.models import (
-    Student, StudentCreate, StudentUpdate, User, Role, ClearanceStatus, ClearanceDepartment, RFIDTag
+    Student, StudentCreate, StudentUpdate, User, Role, ClearanceStatus, ClearanceDepartment, RFIDTag, UserCreate
 )
 from src.crud import users as user_crud
 # --- Read Operations ---
@@ -35,7 +35,7 @@ def create_student(db: Session, student_data: StudentCreate) -> Student:
     """
     # 1. Create the associated User account for the student to log in
     # The student's username is their matriculation number.
-    user_for_student = user_crud.UserCreate(
+    user_for_student = UserCreate(
         username=student_data.matric_no,
         password=student_data.password,
         email=student_data.email,
@@ -69,9 +69,6 @@ def create_student(db: Session, student_data: StudentCreate) -> Student:
 
 def update_student(db: Session, student: Student, updates: StudentUpdate) -> Student:
     """Updates a student's profile information."""
-    student = get_student_by_id(db, student_id=student.id)
-    if not student:
-        return None
     
     update_data = updates.model_dump(exclude_unset=True)
     student.sqlmodel_update(update_data)

src/crud/users.py

@@ -47,11 +47,7 @@ def create_user(db: Session, user: UserCreate) -> User:
     return db_user
 
 def update_user(db: Session, user: User, updates: UserUpdate) -> User:
-    """Updates a user's information."""
-    user = get_user_by_id(db, user_id=user.id)
-    if not user:
-        return None
-    
+    """Updates a user's information."""    
     update_data = updates.model_dump(exclude_unset=True)
     
     if "password" in update_data:

src/models.py

@@ -1,7 +1,7 @@
 from typing import List, Optional
 from sqlmodel import Field, Relationship, SQLModel
 from enum import Enum
-
+from datetime import datetime
 # --- Enums for choices ---
 
 class Role(str, Enum):
@@ -27,6 +27,10 @@ class ClearanceStatusEnum(str, Enum):
     PENDING = "pending"
     APPROVED = "approved"
     REJECTED = "rejected"
+    
+class OverallClearanceStatusEnum(str, Enum):
+    COMPLETED = "completed"
+    PENDING = "pending"
 
 # --- Database Table Models ---
 
@@ -57,6 +61,7 @@ class ClearanceStatus(SQLModel, table=True):
     remarks: Optional[str] = None
     student_id: int = Field(foreign_key="student.id")
     student: "Student" = Relationship(back_populates="clearance_statuses")
+    updated_at: Optional[datetime] = Field(default=None)
 
 class RFIDTag(SQLModel, table=True):
     tag_id: str = Field(primary_key=True, index=True)
@@ -129,12 +134,27 @@ class ClearanceStatusRead(SQLModel):
     department: ClearanceDepartment
     status: ClearanceStatusEnum
     remarks: Optional[str] = None
+    
 
 class ClearanceUpdate(SQLModel):
     matric_no: str
     department: ClearanceDepartment
     status: ClearanceStatusEnum
     remarks: Optional[str] = None
+    
+
+class ClearanceStatusItem(SQLModel):
+    department: ClearanceDepartment
+    status: ClearanceStatusEnum
+    remarks: Optional[str] = None
+    updated_at: Optional[datetime] = None  # Will be added to table model; see below
+
+class ClearanceDetail(SQLModel):
+    student_id: int
+    name: str
+    department: Department
+    clearance_items: List[ClearanceStatusItem]
+    overall_status: OverallClearanceStatusEnum
 
 # Combined Read Model
 class StudentReadWithClearance(StudentRead):

src/routers/admin.py

@@ -3,7 +3,7 @@ from sqlmodel import Session, SQLModel
 from typing import List, Optional, Dict
 
 from src.database import get_session
-from src.auth import get_current_active_user, get_api_key
+from src.auth import get_current_active_user, get_api_key, require_super_admin
 from src.models import (
     User, UserCreate, UserRead, UserUpdate, Role,
     Student, StudentCreate, StudentReadWithClearance, StudentUpdate, StudentRead,
@@ -154,7 +154,10 @@ def lookup_user(
 @router.put("/users/{user_id}", response_model=UserRead, dependencies=[Depends(require_super_admin)])
 def update_user_details(user_id: int, user: UserUpdate, db: Session = Depends(get_session)):
     """(Super Admin Only) Updates a user's details (e.g., role)."""
-    updated_user = user_crud.update_user(db, user_id=user_id, user_update=user)
+    db_user = user_crud.get_user_by_id(db, user_id=user_id)
+    if not db_user:
+        raise HTTPException(status_code=404, detail="User not found")
+    updated_user = user_crud.update_user(db, user=db_user, updates=user)
     if not updated_user:
         raise HTTPException(status_code=404, detail="User not found")
     return updated_user
@@ -186,9 +189,8 @@ def create_device(device: DeviceCreate, db: Session = Depends(get_session)):
     return device_crud.create_device(db=db, device=device)
 
 @router.get("/devices/", response_model=List[DeviceRead], dependencies=[Depends(require_super_admin)])
-def read_all_devices(db: Session = Depends(get_session)):
-    """(Super Admin Only) Retrieves a list of all registered devices."""
-    return device_crud.get_all_devices(db)
+def read_all_devices(skip: int = 0, limit: int = 100, db: Session = Depends(get_session)):
+    return device_crud.get_all_devices(db, skip=skip, limit=limit)
 
 @router.delete("/devices/{device_id}", response_model=DeviceRead, dependencies=[Depends(require_super_admin)])
 def delete_device_registration(device_id: int, db: Session = Depends(get_session)):

src/routers/clearance.py

@@ -26,6 +26,8 @@ def update_student_clearance_status(
     """
     # A potential security check: ensure staff's department matches clearance_update.department
     # For now, we trust the role.
+    if current_user.department != clearance_update.department:
+        raise HTTPException(status_code=403, detail="You can only update clearances for your department.")
     
     updated_status = clearance_crud.update_clearance_status(db, clearance_update)
     

src/routers/devices.py

@@ -27,14 +27,17 @@ def create_device(
     """
     # Check if a device with the same location already exists
     db_device = device_crud.get_device_by_location(db, location=device.location)
+
     if db_device:
         raise HTTPException(
             status_code=status.HTTP_400_BAD_REQUEST,
             detail=f"A device at location '{device.location}' already exists."
         )
-    
-    # Create the new device and its API key
-    return device_crud.create_device(db=db, device=device)
+
+    db_device = device_crud.create_device(db=db, device=device)
+    if not db_device:
+        raise HTTPException(status_code=400, detail="Device already exists (duplicate name or location).")
+    return db_device
 
 
 @router.get("/", response_model=List[DeviceRead])

src/routers/rfid.py

@@ -2,7 +2,7 @@ from fastapi import APIRouter, Depends, HTTPException, status, Security
 from fastapi.security import APIKeyHeader
 from sqlmodel import Session, SQLModel
 from typing import Dict
-
+from threading import Lock  # Added for thread-safety on global state
 from src.database import get_session
 from src.auth import get_current_active_user, get_api_key
 from src.models import (
@@ -18,11 +18,15 @@ router = APIRouter(prefix="/rfid", tags=["RFID"])
 api_key_header = APIKeyHeader(name="x-api-key", auto_error=False)
 
 # --- Moved from admin.py: State for secure admin scanning ---
-# Maps a device's API key to the admin user ID who activated it (changed to str key for api_key).
+# Maps a device's API key to the admin user ID who activated it.
 activated_scanners: Dict[str, int] = {}
 
 # Stores the last tag scanned by a device, keyed by the admin ID who was waiting.
 admin_scanned_tags: Dict[int, tuple[str, str]] = {}
+# Locks for thread-safe access to global dicts (since FastAPI is async/multi-threaded)
+
+activated_scanners_lock = Lock()
+admin_scanned_tags_lock = Lock()
 
 # --- Moved from admin.py: Secure Scanning Workflow ---
 class ActivationRequest(SQLModel):
@@ -41,28 +45,35 @@ def activate_admin_scanner(
     device = device_crud.get_device_by_api_key(db, api_key=activation.api_key)
     if not device:
         raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Device not found.")
-    
-    # Map the device's API key to the currently logged-in admin's ID.
-    activated_scanners[device.api_key] = current_user.id
+
+    # Map the device's API key to the currently logged-in admin's ID (thread-safe).
+    with activated_scanners_lock:
+        activated_scanners[device.api_key] = current_user.id
     return
 
 @router.post("/scanners/scan", status_code=status.HTTP_204_NO_CONTENT)
 def receive_scan_from_activated_device(
     scan_data: TagScan,
-    # Removed api_key dependency for "free use" (easier RFID data submission).
-    # Assumes api_key is in scan_data for association.
+    db: Session = Depends(get_session)  # Added back for device validation
 ):
     """
     STEP 2 (Device): The ESP32 device sends the scanned tag to this endpoint.
-    No authentication required for free use.
+    No authentication required for free use, but validates device existence.
     """
-    # Check if this device was activated by an admin (using api_key from scan_data).
-    admin_id = activated_scanners.pop(scan_data.api_key, None)
+    # Validate that the device exists (minimal security check without full auth).
+    device = device_crud.get_device_by_api_key(db, api_key=scan_data.api_key)
+    if not device:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Device not found.")
+
+    # Check if this device was activated by an admin (thread-safe).
+    with activated_scanners_lock:
+        admin_id = activated_scanners.pop(scan_data.api_key, None)
     if admin_id is None:
         raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="This scanner has not been activated for a scan.")
-    
-    # Store the scanned tag against the admin who was waiting for it.
-    admin_scanned_tags[admin_id] = (scan_data.tag_id, scan_data.api_key)
+
+    # Store the scanned tag against the admin who was waiting for it (thread-safe).
+    with admin_scanned_tags_lock:
+        admin_scanned_tags[admin_id] = (scan_data.tag_id, scan_data.api_key)
     return
 
 @router.get("/scanners/retrieve", response_model=TagScan)
@@ -73,7 +84,9 @@ def retrieve_scanned_tag_for_ui(
     STEP 3 (Browser): The browser polls this endpoint to get the tag ID
     that the device reported in STEP 2.
     """
-    tag_data = admin_scanned_tags.pop(current_user.id, None)
+    # Retrieve the tag data (thread-safe).
+    with admin_scanned_tags_lock:
+        tag_data = admin_scanned_tags.pop(current_user.id, None)
     if not tag_data:
         raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="No tag has been scanned by the activated device yet.")
     tag_id, api_key = tag_data
@@ -102,7 +115,6 @@ def check_rfid_status(
             for clearance in student.clearance_statuses
         )
         clearance_status_str = "Fully Cleared" if is_cleared else "Pending Clearance"
-        
         return RFIDStatusResponse(
             status="found",
             full_name=student.full_name,
@@ -126,4 +138,5 @@ def check_rfid_status(
         full_name=None,
         entity_type=None,
         clearance_status=None,
-    )
+
+    )

src/routers/students.py

@@ -17,7 +17,7 @@ router = APIRouter(
     dependencies=[Depends(get_current_active_user)]
 )
 
-@router.post("/lookup", response_model=StudentReadWithClearance)
+@router.get("/lookup", response_model=StudentReadWithClearance)
 def lookup_student_by_matric_no(
     request: StudentLookupRequest,
     db: Session = Depends(get_session)

src/utils.py

@@ -1,6 +1,7 @@
 from typing import List, Dict, Any
 from sqlalchemy.orm import Session as SQLAlchemySessionType
 from fastapi.concurrency import run_in_threadpool
+from sqlmodel import select
 
 from src import crud, models
 
@@ -18,7 +19,9 @@ async def format_student_clearance_details(
     Returns:
         models.ClearanceDetail: Formatted clearance details.
     """
-    statuses_orm_list = await run_in_threadpool(crud.get_clearance_statuses_by_student_id, db, student_orm.student_id)
+    statuses_orm_list = await run_in_threadpool(
+    lambda: db.exec(select(models.ClearanceStatus).where(models.ClearanceStatus.student_id == student_orm.id)).all()
+)
     
     clearance_items_models: List[models.ClearanceStatusItem] = []
     overall_status_val = models.OverallClearanceStatusEnum.COMPLETED
@@ -35,15 +38,12 @@ async def format_student_clearance_details(
             updated_at=status_orm.updated_at
         )
         clearance_items_models.append(item)
-        if item.status != models.ClearanceStatusEnum.COMPLETED:
+        if item.status != models.ClearanceStatusEnum.APPROVED:
             overall_status_val = models.OverallClearanceStatusEnum.PENDING
             
-    if not statuses_orm_list and overall_status_val == models.OverallClearanceStatusEnum.COMPLETED:
-         overall_status_val = models.OverallClearanceStatusEnum.PENDING
-
     return models.ClearanceDetail(
-        student_id=student_orm.student_id,
-        name=student_orm.name,
+        student_id=student_orm.id,
+        name=student_orm.full_name,
         department=student_orm.department,
         clearance_items=clearance_items_models,
         overall_status=overall_status_val