feat: add username-based user lookup and permission introspection endpoint

- users router: accept username or id in get/update/delete/worklogs via _find_user_by_id_or_username() - auth router: add GET /auth/me/permissions for CLI help introspection (token → user → role → permissions)
2026-03-21 14:21:54 +00:00
parent 271d5140e6
commit e5fd89f972
2 changed files with 71 additions and 14 deletions
--- a/app/api/routers/auth.py
+++ b/app/api/routers/auth.py
@@ -1,11 +1,15 @@
 """Auth router."""
 from datetime import timedelta
+from typing import List
+
 from fastapi import APIRouter, Depends, HTTPException
 from fastapi.security import OAuth2PasswordRequestForm
+from pydantic import BaseModel
 from sqlalchemy.orm import Session

 from app.core.config import get_db, settings
 from app.models import models
+from app.models.role_permission import Permission, Role, RolePermission
 from app.schemas import schemas
 from app.api.deps import Token, verify_password, create_access_token, get_current_user

@@ -30,3 +34,44 @@ async def login(form_data: OAuth2PasswordRequestForm = Depends(), db: Session =
@router.get("/me", response_model=schemas.UserResponse)
 async def get_me(current_user: models.User = Depends(get_current_user)):
    return current_user
+
+
+class PermissionIntrospectionResponse(BaseModel):
+    username: str
+    role_name: str | None
+    is_admin: bool
+    permissions: List[str]
+
+
+@router.get("/me/permissions", response_model=PermissionIntrospectionResponse)
+async def get_my_permissions(
+    current_user: models.User = Depends(get_current_user),
+    db: Session = Depends(get_db),
+):
+    """Return the current user's effective permissions for CLI help introspection."""
+    perms: List[str] = []
+    role_name: str | None = None
+
+    if current_user.is_admin:
+        # Admin gets all permissions
+        all_perms = db.query(Permission).order_by(Permission.name).all()
+        perms = [p.name for p in all_perms]
+        role_name = "admin"
+    elif current_user.role_id:
+        role = db.query(Role).filter(Role.id == current_user.role_id).first()
+        if role:
+            role_name = role.name
+            perm_ids = db.query(RolePermission.permission_id).filter(
+                RolePermission.role_id == role.id
+            ).all()
+            if perm_ids:
+                pid_list = [p[0] for p in perm_ids]
+                matched = db.query(Permission).filter(Permission.id.in_(pid_list)).order_by(Permission.name).all()
+                perms = [p.name for p in matched]
+
+    return PermissionIntrospectionResponse(
+        username=current_user.username,
+        role_name=role_name,
+        is_admin=current_user.is_admin,
+        permissions=perms,
+    )