Fix milestones 422 + acc-mgr user + reset-apikey endpoint

- Fix: /milestones?project_id= now accepts project_code (str) not just int - Add: built-in acc-mgr user created on wizard init (account-manager role, no login, undeletable) - Add: POST /users/{id}/reset-apikey with permission-based access control - Add: GET /auth/me/apikey-permissions for frontend capability check - Add: user.reset-self-apikey and user.reset-apikey permissions - Protect admin and acc-mgr accounts from deletion - Block acc-mgr from login (/auth/token returns 403)
2026-03-22 05:39:03 +00:00
parent d17072881b
commit 88931d822d
4 changed files with 155 additions and 2 deletions
--- a/app/api/routers/auth.py
+++ b/app/api/routers/auth.py
@@ -24,6 +24,9 @@ async def login(form_data: OAuth2PasswordRequestForm = Depends(), db: Session =
                            headers={"WWW-Authenticate": "Bearer"})
    if not user.is_active:
        raise HTTPException(status_code=400, detail="Inactive user")
+    # Built-in acc-mgr account cannot log in interactively
+    if user.username == "acc-mgr":
+        raise HTTPException(status_code=403, detail="This account cannot log in")
    access_token = create_access_token(
        data={"sub": str(user.id)},
        expires_delta=timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES)
@@ -36,6 +39,36 @@ async def get_me(current_user: models.User = Depends(get_current_user)):
    return current_user


+class ApiKeyPermissionResponse(BaseModel):
+    can_reset_self: bool
+    can_reset_any: bool
+
+
+@router.get("/me/apikey-permissions", response_model=ApiKeyPermissionResponse)
+async def get_apikey_permissions(
+    current_user: models.User = Depends(get_current_user),
+    db: Session = Depends(get_db),
+):
+    """Return the current user's API key reset capabilities."""
+    def _has_perm(perm_name: str) -> bool:
+        if current_user.is_admin:
+            return True
+        if not current_user.role_id:
+            return False
+        perm = db.query(Permission).filter(Permission.name == perm_name).first()
+        if not perm:
+            return False
+        return db.query(RolePermission).filter(
+            RolePermission.role_id == current_user.role_id,
+            RolePermission.permission_id == perm.id,
+        ).first() is not None
+
+    return ApiKeyPermissionResponse(
+        can_reset_self=_has_perm("user.reset-self-apikey"),
+        can_reset_any=_has_perm("user.reset-apikey"),
+    )
+
+
 class PermissionIntrospectionResponse(BaseModel):
    username: str
    role_name: str | None