chihlasm/resolutionflow
1
0
Fork 0
Code Issues 23 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
34daa26a6756bf670131f6a779a3ce02b8d529af
resolutionflow/backend/app/core/permissions.py
chihlasm 34daa26a67 feat: implement RBAC permissions system 
Add role-based access control with hierarchy: super_admin > team_admin >
engineer > viewer. Adds is_super_admin boolean to User model (migration 010),
centralized backend permissions module, frontend usePermissions hook, and
UI enforcement (conditional Create/Edit buttons, editor redirect for viewers,
role badge in header). All endpoint admin checks updated from role=="admin"
to is_super_admin.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 02:42:44 -05:00

95 lines
2.9 KiB
Python
Raw Blame History

"""
Centralized permission checks for ResolutionFlow.
Role hierarchy: super_admin > team_admin > engineer > viewer
- super_admin: is_super_admin=True, full system access
- team_admin: is_team_admin=True + valid team_id, manage team resources
- engineer: role='engineer' (default), CRUD own trees/steps
- viewer: role='viewer', read-only (can browse, run sessions, rate steps)
"""
from __future__ import annotations
from typing import TYPE_CHECKING
if TYPE_CHECKING:
from app.models.user import User
from app.models.tree import Tree
from app.models.step_library import StepLibrary
from app.models.category import TreeCategory
ROLE_HIERARCHY = {
"super_admin": 4,
"team_admin": 3,
"engineer": 2,
"viewer": 1,
}
def get_effective_role(user: User) -> str:
"""Get the effective role considering is_super_admin and is_team_admin flags."""
if user.is_super_admin:
return "super_admin"
if user.is_team_admin and user.team_id is not None:
return "team_admin"
return user.role # "engineer" or "viewer"
def has_minimum_role(user: User, minimum_role: str) -> bool:
"""Check if user has at least the specified role level."""
effective = get_effective_role(user)
return ROLE_HIERARCHY.get(effective, 0) >= ROLE_HIERARCHY.get(minimum_role, 0)
def can_create_content(user: User) -> bool:
"""Can the user create trees, steps, or other content? Viewers cannot."""
return has_minimum_role(user, "engineer")
def can_edit_tree(user: User, tree: Tree) -> bool:
"""Can the user edit this specific tree?"""
if user.is_super_admin:
return True
if not can_create_content(user):
return False
if tree.author_id == user.id:
return True
if user.is_team_admin and tree.team_id == user.team_id and user.team_id is not None:
return True
return False
def can_delete_tree(user: User, tree: Tree) -> bool:
"""Can the user delete this tree? Super admin only."""
return user.is_super_admin
def can_edit_step(user: User, step: StepLibrary) -> bool:
"""Can the user edit/delete this step?"""
if user.is_super_admin:
return True
if not can_create_content(user):
return False
return step.created_by == user.id
def can_manage_category(user: User, category: TreeCategory) -> bool:
"""Can the user edit/delete this category?"""
if user.is_super_admin:
return True
if user.is_team_admin and category.team_id == user.team_id and user.team_id is not None:
return True
return False
def can_manage_tree_tags(user: User, tree: Tree) -> bool:
"""Can the user add/remove tags on this tree?"""
if user.is_super_admin:
return True
if not can_create_content(user):
return False
if tree.author_id == user.id:
return True
if user.is_team_admin and tree.team_id == user.team_id and user.team_id is not None:
return True
return False
Reference in New Issue View Git Blame Copy Permalink