73 lines
2.6 KiB
Python
73 lines
2.6 KiB
Python
"""Role-based access control helpers - using configurable permissions."""
|
|
from fastapi import HTTPException, status
|
|
from sqlalchemy.orm import Session
|
|
from app.models import models
|
|
from app.models.role_permission import Role, Permission, RolePermission
|
|
from app.models import models
|
|
|
|
|
|
def get_user_role(db: Session, user_id: int, project_id: int) -> Role | None:
|
|
"""Get user's role in a project."""
|
|
member = db.query(models.ProjectMember).filter(
|
|
models.ProjectMember.user_id == user_id,
|
|
models.ProjectMember.project_id == project_id,
|
|
).first()
|
|
|
|
if member and member.role_id:
|
|
return db.query(Role).filter(Role.id == member.role_id).first()
|
|
|
|
# Check global admin
|
|
user = db.query(models.User).filter(models.User.id == user_id).first()
|
|
if user and user.is_admin:
|
|
# Return global admin role
|
|
return db.query(Role).filter(Role.is_global == True, Role.name == "superadmin").first()
|
|
|
|
return None
|
|
|
|
|
|
def has_permission(db: Session, user_id: int, project_id: int, permission: str) -> bool:
|
|
"""Check if user has a specific permission in a project."""
|
|
role = get_user_role(db, user_id, project_id)
|
|
|
|
if not role:
|
|
return False
|
|
|
|
# Check if role has the permission
|
|
perm = db.query(Permission).filter(Permission.name == permission).first()
|
|
if not perm:
|
|
return False
|
|
|
|
role_perm = db.query(RolePermission).filter(
|
|
RolePermission.role_id == role.id,
|
|
RolePermission.permission_id == perm.id
|
|
).first()
|
|
|
|
return role_perm is not None
|
|
|
|
|
|
def check_permission(db: Session, user_id: int, project_id: int, permission: str):
|
|
"""Raise 403 if user doesn't have the permission."""
|
|
if not has_permission(db, user_id, project_id, permission):
|
|
role = get_user_role(db, user_id, project_id)
|
|
role_name = role.name if role else "none"
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail=f"Permission '{permission}' required. Your role: {role_name}"
|
|
)
|
|
|
|
|
|
# Keep old function for backward compatibility (deprecated)
|
|
def check_project_role(db: Session, user_id: int, project_id: int, min_role: str = "viewer"):
|
|
"""Legacy function - maps old role names to new permission system."""
|
|
# Map old roles to permissions
|
|
role_to_perm = {
|
|
"admin": "project.edit",
|
|
"mgr": "milestone.create",
|
|
"dev": "issue.create",
|
|
"ops": "issue.view",
|
|
"viewer": "project.view",
|
|
}
|
|
|
|
perm = role_to_perm.get(min_role, "project.view")
|
|
check_permission(db, user_id, project_id, perm)
|