feat(P2.1): register 9 new permissions (milestone/task/propose actions) + wire check_permission in all action endpoints

- Add milestone.freeze/start/close, task.close/reopen_closed/reopen_completed, propose.accept/reject/reopen to DEFAULT_PERMISSIONS - Replace placeholder check_project_role with check_permission in proposes.py accept/reject/reopen - Replace freeform permission strings with dotted names in milestone_actions.py - Add task.close and task.reopen_* permission checks in tasks.py transition endpoint - Admin role auto-inherits all new permissions via init_wizard
2026-03-17 15:03:48 +00:00
parent c18b8f3850
commit 3afbbc2a88
4 changed files with 26 additions and 11 deletions
--- a/app/api/routers/proposes.py
+++ b/app/api/routers/proposes.py
@@ -6,7 +6,7 @@ from sqlalchemy import func as sa_func

 from app.core.config import get_db
 from app.api.deps import get_current_user_or_apikey
-from app.api.rbac import check_project_role, is_global_admin
+from app.api.rbac import check_project_role, check_permission, is_global_admin
 from app.models import models
 from app.models.propose import Propose, ProposeStatus
 from app.models.milestone import Milestone, MilestoneStatus
@@ -161,8 +161,7 @@ def accept_propose(
    if propose_status != "open":
        raise HTTPException(status_code=400, detail="Only open proposes can be accepted")

-    # TODO: check 'accept propose' permission once P2 lands
-    check_project_role(db, current_user.id, project_id, min_role="mgr")
+    check_permission(db, current_user.id, project_id, "propose.accept")

    # Validate milestone
    milestone = db.query(Milestone).filter(
@@ -236,8 +235,7 @@ def reject_propose(
    if propose_status != "open":
        raise HTTPException(status_code=400, detail="Only open proposes can be rejected")

-    # TODO: check 'reject propose' permission once P2 lands
-    check_project_role(db, current_user.id, project_id, min_role="mgr")
+    check_permission(db, current_user.id, project_id, "propose.reject")

    propose.status = ProposeStatus.REJECTED
    db.commit()
@@ -266,8 +264,7 @@ def reopen_propose(
    if propose_status != "rejected":
        raise HTTPException(status_code=400, detail="Only rejected proposes can be reopened")

-    # TODO: check 'reopen rejected propose' permission once P2 lands
-    check_project_role(db, current_user.id, project_id, min_role="mgr")
+    check_permission(db, current_user.id, project_id, "propose.reopen")

    propose.status = ProposeStatus.OPEN
    db.commit()