zhi/HarborForge.Backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(users): switch account management to single-role model

Browse Source 
- add users.role_id for one global role per account
- seed protected account-manager role with account.create permission
- default new accounts to guest role
- block admin role assignment through user management
- allow account-manager permission to create accounts
This commit is contained in:
zhi
2026-03-21 08:44:19 +00:00
parent 7d42d567d1
commit 271d5140e6
6 changed files with 105 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
app/api/routers/roles.py
View File

@@ -170,13 +170,14 @@ def delete_role(role_id: int, db: Session = Depends(get_db), current_user: model
if not db_role:
raise HTTPException(status_code=404, detail="Role not found")
# Prevent deleting the admin or guest role
if db_role.name in ("admin", "guest"):
# Prevent deleting protected default roles
if db_role.name in ("admin", "guest", "account-manager"):
raise HTTPException(status_code=403, detail=f"Cannot delete the '{db_role.name}' role")
member_count = db.query(models.ProjectMember).filter(models.ProjectMember.role_id == role_id).count()
if member_count > 0:
raise HTTPException(status_code=400, detail="Role is in use by members")
account_count = db.query(models.User).filter(models.User.role_id == role_id).count()
if member_count > 0 or account_count > 0:
raise HTTPException(status_code=400, detail="Role is in use and cannot be deleted")
# Delete role permissions first
db.query(RolePermission).filter(RolePermission.role_id == role_id).delete()
@@ -196,9 +197,9 @@ def assign_permissions(role_id: int, perm_assign: PermissionAssign, db: Session
if not role:
raise HTTPException(status_code=404, detail="Role not found")
# Prevent modifying permissions of the admin role
if role.name == "admin":
raise HTTPException(status_code=403, detail="Cannot modify permissions of the admin role")
# Prevent modifying permissions of protected system roles
if role.name in ("admin", "account-manager"):
raise HTTPException(status_code=403, detail=f"Cannot modify permissions of the {role.name} role")
db.query(RolePermission).filter(RolePermission.role_id == role_id).delete()