feat: add configurable role/permission system

app/api/rbac.py

@@ -1,46 +1,72 @@
-"""Role-based access control helpers."""
-from functools import wraps
+"""Role-based access control helpers - using configurable permissions."""
 from fastapi import HTTPException, status
 from sqlalchemy.orm import Session
-from app.models.models import ProjectMember, User
+from app.models import models
+from app.models.role_permission import Role, Permission, RolePermission
+from app.models import models
 
 
-# Role hierarchy: admin > mgr > dev > ops > viewer
-ROLE_LEVELS = {
-    "admin": 50,
-    "mgr": 40,
-    "dev": 30,
-    "ops": 20,
-    "viewer": 10,
-}
-
-
-def get_member_role(db: Session, user_id: int, project_id: int) -> str | None:
-    """Get user's role in a project. Returns None if not a member."""
+def get_user_role(db: Session, user_id: int, project_id: int) -> Role | None:
+    """Get user's role in a project."""
     member = db.query(ProjectMember).filter(
         ProjectMember.user_id == user_id,
         ProjectMember.project_id == project_id,
     ).first()
-    if member:
-        return member.role
-    # Check if user is global admin
-    user = db.query(User).filter(User.id == user_id).first()
+    
+    if member and member.role_id:
+        return db.query(Role).filter(Role.id == member.role_id).first()
+    
+    # Check global admin
+    user = db.query(models.User).filter(models.User.id == user_id).first()
     if user and user.is_admin:
-        return "admin"
+        # Return global admin role
+        return db.query(Role).filter(Role.is_global == True, Role.name == "superadmin").first()
+    
     return None
 
 
+def has_permission(db: Session, user_id: int, project_id: int, permission: str) -> bool:
+    """Check if user has a specific permission in a project."""
+    role = get_user_role(db, user_id, project_id)
+    
+    if not role:
+        return False
+    
+    # Check if role has the permission
+    perm = db.query(Permission).filter(Permission.name == permission).first()
+    if not perm:
+        return False
+    
+    role_perm = db.query(RolePermission).filter(
+        RolePermission.role_id == role.id,
+        RolePermission.permission_id == perm.id
+    ).first()
+    
+    return role_perm is not None
+
+
+def check_permission(db: Session, user_id: int, project_id: int, permission: str):
+    """Raise 403 if user doesn't have the permission."""
+    if not has_permission(db, user_id, project_id, permission):
+        role = get_user_role(db, user_id, project_id)
+        role_name = role.name if role else "none"
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail=f"Permission '{permission}' required. Your role: {role_name}"
+        )
+
+
+# Keep old function for backward compatibility (deprecated)
 def check_project_role(db: Session, user_id: int, project_id: int, min_role: str = "viewer"):
-    """Raise 403 if user doesn't have the minimum required role in the project."""
-    role = get_member_role(db, user_id, project_id)
-    if role is None:
-        raise HTTPException(
-            status_code=status.HTTP_403_FORBIDDEN,
-            detail="Not a member of this project"
-        )
-    if ROLE_LEVELS.get(role, 0) < ROLE_LEVELS.get(min_role, 0):
-        raise HTTPException(
-            status_code=status.HTTP_403_FORBIDDEN,
-            detail=f"Requires role '{min_role}' or higher, you have '{role}'"
-        )
-    return role
+    """Legacy function - maps old role names to new permission system."""
+    # Map old roles to permissions
+    role_to_perm = {
+        "admin": "project.edit",
+        "mgr": "milestone.create", 
+        "dev": "issue.create",
+        "ops": "issue.view",
+        "viewer": "project.view",
+    }
+    
+    perm = role_to_perm.get(min_role, "project.view")
+    check_permission(db, user_id, project_id, perm)