chihlasm/resolutionflow
1
0
Fork 0
Code Issues 23 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
71ba0b95a59afb941e787b45559b299ae75e89aa
resolutionflow/backend/app/core/permissions.py
chihlasm 71ba0b95a5 fix: high-severity security hardening (Phase B permissions audit) 
Phase B addresses 7 high-severity gaps from the permissions audit:

- B1: Enforce tree access check on session start via can_access_tree
- B2: Replace all inline permission helpers with centralized permissions.py
- B3: Fix require_engineer_or_admin to check is_team_admin before role
- B4: Add is_active field on User with enforcement in get_current_active_user
- B5: Add admin user management endpoints (list, get, role, team-admin, deactivate, activate)
- B6: Add rate limiting on auth/invite endpoints via slowapi (disabled in DEBUG)
- B7: Implement refresh token rotation with JTI-based revocation and meaningful logout

Also reduces access token TTL from 15 to 5 minutes and updates CLAUDE.md
with SaaS/MSP context for future planning sessions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-05 22:44:05 -05:00

172 lines
5.4 KiB
Python
Raw Blame History

"""
Centralized permission checks for ResolutionFlow.
Role hierarchy: super_admin > team_admin > engineer > viewer
- super_admin: is_super_admin=True, full system access
- team_admin: is_team_admin=True + valid team_id, manage team resources
- engineer: role='engineer' (default), CRUD own trees/steps
- viewer: role='viewer', read-only (can browse, run sessions, rate steps)
"""
from __future__ import annotations
from typing import Optional, TYPE_CHECKING
from uuid import UUID
if TYPE_CHECKING:
from app.models.user import User
from app.models.tree import Tree
from app.models.step_library import StepLibrary
from app.models.category import TreeCategory
from app.models.step_category import StepCategory
ROLE_HIERARCHY = {
"super_admin": 4,
"team_admin": 3,
"engineer": 2,
"viewer": 1,
}
def get_effective_role(user: User) -> str:
"""Get the effective role considering is_super_admin and is_team_admin flags."""
if user.is_super_admin:
return "super_admin"
if user.is_team_admin and user.team_id is not None:
return "team_admin"
return user.role # "engineer" or "viewer"
def has_minimum_role(user: User, minimum_role: str) -> bool:
"""Check if user has at least the specified role level."""
effective = get_effective_role(user)
return ROLE_HIERARCHY.get(effective, 0) >= ROLE_HIERARCHY.get(minimum_role, 0)
def can_create_content(user: User) -> bool:
"""Can the user create trees, steps, or other content? Viewers cannot."""
return has_minimum_role(user, "engineer")
def can_edit_tree(user: User, tree: Tree) -> bool:
"""Can the user edit this specific tree?"""
if user.is_super_admin:
return True
if not can_create_content(user):
return False
if tree.author_id == user.id:
return True
if user.is_team_admin and tree.team_id == user.team_id and user.team_id is not None:
return True
return False
def can_delete_tree(user: User, tree: Tree) -> bool:
"""Can the user delete this tree? Super admin only."""
return user.is_super_admin
def can_edit_step(user: User, step: StepLibrary) -> bool:
"""Can the user edit/delete this step?"""
if user.is_super_admin:
return True
if not can_create_content(user):
return False
return step.created_by == user.id
def can_manage_category(user: User, category: TreeCategory) -> bool:
"""Can the user edit/delete this category?"""
if user.is_super_admin:
return True
if user.is_team_admin and category.team_id == user.team_id and user.team_id is not None:
return True
return False
def can_manage_tree_tags(user: User, tree: Tree) -> bool:
"""Can the user add/remove tags on this tree?"""
if user.is_super_admin:
return True
if not can_create_content(user):
return False
if tree.author_id == user.id:
return True
if user.is_team_admin and tree.team_id == user.team_id and user.team_id is not None:
return True
return False
def can_access_tree(user: User, tree: Tree) -> bool:
"""Can the user access (view) this tree?"""
if tree.is_default or tree.is_public:
return True
if tree.author_id == user.id:
return True
if tree.team_id == user.team_id and user.team_id is not None:
return True
if user.is_super_admin:
return True
return False
def can_view_step(user: User, step: StepLibrary) -> bool:
"""Can the user view this step based on its visibility?"""
if step.visibility == "public":
return True
if step.visibility == "private":
return step.created_by == user.id
if step.visibility == "team":
return (step.team_id == user.team_id and user.team_id is not None) or user.is_super_admin
return False
def can_create_tag(user: User, team_id: Optional[UUID]) -> bool:
"""Can the user create a tag for the given scope?
- Super admins can create global tags (team_id=None) or any team's tags
- Engineers can create team tags for their own team
- Viewers cannot create tags
"""
if user.is_super_admin:
return True
if not can_create_content(user):
return False
if team_id is not None and team_id == user.team_id:
return True
return False
def can_create_category(user: User, team_id: Optional[UUID]) -> bool:
"""Can the user create a category for the given team?
- Super admins can create global or any team's categories
- Team admins can create categories for their own team
"""
if user.is_super_admin:
return True
if user.is_team_admin and team_id == user.team_id and user.team_id is not None:
return True
return False
def can_manage_step_category(user: User, category: StepCategory) -> bool:
"""Can the user edit/delete this step category?"""
if user.is_super_admin:
return True
if user.is_team_admin and category.team_id == user.team_id and user.team_id is not None:
return True
return False
def can_create_step_category(user: User, team_id: Optional[UUID]) -> bool:
"""Can the user create a step category for the given team?
- Super admins can create global or any team's step categories
- Team admins can create step categories for their own team
"""
if user.is_super_admin:
return True
if user.is_team_admin and team_id == user.team_id and user.team_id is not None:
return True
return False
Reference in New Issue View Git Blame Copy Permalink