feat: add role/permission system with tests support

- Add Role model with 17 default permissions - Add init_wizard to create admin/guest roles on first startup - Protect admin role from modification/deletion via API - Fix MilestoneCreate schema (project_id optional) - Fix delete role to clean up role_permissions first - Add check_project_role RBAC function
2026-03-15 12:25:59 +00:00
parent fee2320cee
commit 61e3349ca4
5 changed files with 172 additions and 18 deletions
--- a/app/api/rbac.py
+++ b/app/api/rbac.py
@@ -56,17 +56,43 @@ def check_permission(db: Session, user_id: int, project_id: int, permission: str
        )


-# Keep old function for backward compatibility (deprecated)
-def check_project_role(db: Session, user_id: int, project_id: int, min_role: str = "viewer"):
-    """Legacy function - maps old role names to new permission system."""
-    # Map old roles to permissions
-    role_to_perm = {
-        "admin": "project.edit",
-        "mgr": "milestone.create", 
-        "dev": "issue.create",
-        "ops": "issue.view",
-        "viewer": "project.view",
-    }
+def check_project_role(db: Session, user_id: int, project_id: int, min_role: str = "member"):
+    """Check if user has at least the specified role in a project."""
+    # Check if user is global admin
+    user = db.query(models.User).filter(models.User.id == user_id).first()
+    if user and user.is_admin:
+        return True
    
-    perm = role_to_perm.get(min_role, "project.view")
-    check_permission(db, user_id, project_id, perm)
+    # Get user's role in project
+    member = db.query(models.ProjectMember).filter(
+        models.ProjectMember.user_id == user_id,
+        models.ProjectMember.project_id == project_id,
+    ).first()
+    
+    if not member or not member.role_id:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail=f"You are not a member of this project"
+        )
+    
+    role = db.query(Role).filter(Role.id == member.role_id).first()
+    if not role:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail=f"Role not found"
+        )
+    
+    # Role hierarchy: admin > member > guest
+    role_hierarchy = {"admin": 3, "member": 2, "guest": 1}
+    user_role_level = role_hierarchy.get(role.name, 0)
+    required_level = role_hierarchy.get(min_role, 0)
+    
+    if user_role_level < required_level:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail=f"Role '{min_role}' or higher required. Your role: {role.name}"
+        )
+    
+    return True
+
+