feat: add account-based subscription model with migrations
Transition from team-based to account-based multi-tenancy (Free/Pro/Team). Migrations 016-020 create accounts, subscriptions, plan_limits, and account_invites tables, then migrate existing users and content FKs. New models: Account, Subscription, PlanLimits, AccountInvite. Updated models add account_id alongside existing team_id (coexistence for safe two-PR deployment). Permissions and deps refactored for account_role instead of is_team_admin. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
chihlasm
@@ -1,12 +1,12 @@
|
||||
"""
|
||||
Centralized permission checks for ResolutionFlow.
|
||||
|
||||
Role hierarchy: super_admin > team_admin > engineer > viewer
|
||||
Role hierarchy: super_admin > owner > engineer > viewer
|
||||
|
||||
- super_admin: is_super_admin=True, full system access
|
||||
- team_admin: is_team_admin=True + valid team_id, manage team resources
|
||||
- engineer: role='engineer' (default), CRUD own trees/steps
|
||||
- viewer: role='viewer', read-only (can browse, run sessions, rate steps)
|
||||
- owner: account_role='owner', manage account resources
|
||||
- engineer: account_role='engineer' (default), CRUD own trees/steps
|
||||
- viewer: account_role='viewer', read-only (can browse, run sessions, rate steps)
|
||||
"""
|
||||
from __future__ import annotations
|
||||
from typing import Optional, TYPE_CHECKING
|
||||
@@ -21,19 +21,19 @@ if TYPE_CHECKING:
|
||||
|
||||
ROLE_HIERARCHY = {
|
||||
"super_admin": 4,
|
||||
"team_admin": 3,
|
||||
"owner": 3,
|
||||
"engineer": 2,
|
||||
"viewer": 1,
|
||||
}
|
||||
|
||||
|
||||
def get_effective_role(user: User) -> str:
|
||||
"""Get the effective role considering is_super_admin and is_team_admin flags."""
|
||||
"""Get the effective role considering is_super_admin and account_role."""
|
||||
if user.is_super_admin:
|
||||
return "super_admin"
|
||||
if user.is_team_admin and user.team_id is not None:
|
||||
return "team_admin"
|
||||
return user.role # "engineer" or "viewer"
|
||||
if user.account_role == "owner":
|
||||
return "owner"
|
||||
return user.account_role # "engineer" or "viewer"
|
||||
|
||||
|
||||
def has_minimum_role(user: User, minimum_role: str) -> bool:
|
||||
@@ -55,7 +55,7 @@ def can_edit_tree(user: User, tree: Tree) -> bool:
|
||||
return False
|
||||
if tree.author_id == user.id:
|
||||
return True
|
||||
if user.is_team_admin and tree.team_id == user.team_id and user.team_id is not None:
|
||||
if user.account_role == "owner" and tree.account_id == user.account_id and user.account_id is not None:
|
||||
return True
|
||||
return False
|
||||
|
||||
@@ -78,7 +78,7 @@ def can_manage_category(user: User, category: TreeCategory) -> bool:
|
||||
"""Can the user edit/delete this category?"""
|
||||
if user.is_super_admin:
|
||||
return True
|
||||
if user.is_team_admin and category.team_id == user.team_id and user.team_id is not None:
|
||||
if user.account_role == "owner" and category.account_id == user.account_id and user.account_id is not None:
|
||||
return True
|
||||
return False
|
||||
|
||||
@@ -91,7 +91,7 @@ def can_manage_tree_tags(user: User, tree: Tree) -> bool:
|
||||
return False
|
||||
if tree.author_id == user.id:
|
||||
return True
|
||||
if user.is_team_admin and tree.team_id == user.team_id and user.team_id is not None:
|
||||
if user.account_role == "owner" and tree.account_id == user.account_id and user.account_id is not None:
|
||||
return True
|
||||
return False
|
||||
|
||||
@@ -102,7 +102,7 @@ def can_access_tree(user: User, tree: Tree) -> bool:
|
||||
return True
|
||||
if tree.author_id == user.id:
|
||||
return True
|
||||
if tree.team_id == user.team_id and user.team_id is not None:
|
||||
if tree.account_id == user.account_id and user.account_id is not None:
|
||||
return True
|
||||
if user.is_super_admin:
|
||||
return True
|
||||
@@ -116,35 +116,35 @@ def can_view_step(user: User, step: StepLibrary) -> bool:
|
||||
if step.visibility == "private":
|
||||
return step.created_by == user.id
|
||||
if step.visibility == "team":
|
||||
return (step.team_id == user.team_id and user.team_id is not None) or user.is_super_admin
|
||||
return (step.account_id == user.account_id and user.account_id is not None) or user.is_super_admin
|
||||
return False
|
||||
|
||||
|
||||
def can_create_tag(user: User, team_id: Optional[UUID]) -> bool:
|
||||
def can_create_tag(user: User, account_id: Optional[UUID]) -> bool:
|
||||
"""Can the user create a tag for the given scope?
|
||||
|
||||
- Super admins can create global tags (team_id=None) or any team's tags
|
||||
- Engineers can create team tags for their own team
|
||||
- Super admins can create global tags (account_id=None) or any account's tags
|
||||
- Engineers can create account tags for their own account
|
||||
- Viewers cannot create tags
|
||||
"""
|
||||
if user.is_super_admin:
|
||||
return True
|
||||
if not can_create_content(user):
|
||||
return False
|
||||
if team_id is not None and team_id == user.team_id:
|
||||
if account_id is not None and account_id == user.account_id:
|
||||
return True
|
||||
return False
|
||||
|
||||
|
||||
def can_create_category(user: User, team_id: Optional[UUID]) -> bool:
|
||||
"""Can the user create a category for the given team?
|
||||
def can_create_category(user: User, account_id: Optional[UUID]) -> bool:
|
||||
"""Can the user create a category for the given account?
|
||||
|
||||
- Super admins can create global or any team's categories
|
||||
- Team admins can create categories for their own team
|
||||
- Super admins can create global or any account's categories
|
||||
- Account owners can create categories for their own account
|
||||
"""
|
||||
if user.is_super_admin:
|
||||
return True
|
||||
if user.is_team_admin and team_id == user.team_id and user.team_id is not None:
|
||||
if user.account_role == "owner" and account_id == user.account_id and user.account_id is not None:
|
||||
return True
|
||||
return False
|
||||
|
||||
@@ -153,19 +153,19 @@ def can_manage_step_category(user: User, category: StepCategory) -> bool:
|
||||
"""Can the user edit/delete this step category?"""
|
||||
if user.is_super_admin:
|
||||
return True
|
||||
if user.is_team_admin and category.team_id == user.team_id and user.team_id is not None:
|
||||
if user.account_role == "owner" and category.account_id == user.account_id and user.account_id is not None:
|
||||
return True
|
||||
return False
|
||||
|
||||
|
||||
def can_create_step_category(user: User, team_id: Optional[UUID]) -> bool:
|
||||
"""Can the user create a step category for the given team?
|
||||
def can_create_step_category(user: User, account_id: Optional[UUID]) -> bool:
|
||||
"""Can the user create a step category for the given account?
|
||||
|
||||
- Super admins can create global or any team's step categories
|
||||
- Team admins can create step categories for their own team
|
||||
- Super admins can create global or any account's step categories
|
||||
- Account owners can create step categories for their own account
|
||||
"""
|
||||
if user.is_super_admin:
|
||||
return True
|
||||
if user.is_team_admin and team_id == user.team_id and user.team_id is not None:
|
||||
if user.account_role == "owner" and account_id == user.account_id and user.account_id is not None:
|
||||
return True
|
||||
return False
|
||||
|
||||
Reference in New Issue
Block a user