asdasd

2025-12-08 06:02:04 +00:00
parent 191287829f
commit 156742d679
23 changed files with 442 additions and 0 deletions
--- a/tenant-temp/backend/igny8_core/auth/permissions.py
+++ b/tenant-temp/backend/igny8_core/auth/permissions.py
@@ -0,0 +1,77 @@
+"""
+Role-Based Access Control (RBAC) Permissions
+"""
+from rest_framework import permissions
+
+
+class IsOwnerOrAdmin(permissions.BasePermission):
+    """Allow access only to owners and admins."""
+    
+    def has_permission(self, request, view):
+        user = getattr(request, "user", None)
+        if not user or not user.is_authenticated:
+            return False
+        if getattr(user, "is_superuser", False):
+            return True
+        return user.role in ['owner', 'admin', 'developer']
+
+
+class IsEditorOrAbove(permissions.BasePermission):
+    """Allow access to editors, admins, and owners."""
+    
+    def has_permission(self, request, view):
+        user = getattr(request, "user", None)
+        if not user or not user.is_authenticated:
+            return False
+        if getattr(user, "is_superuser", False):
+            return True
+        return user.role in ['owner', 'admin', 'editor', 'developer']
+
+
+class IsViewerOrAbove(permissions.BasePermission):
+    """Allow access to all authenticated users."""
+    
+    def has_permission(self, request, view):
+        user = getattr(request, "user", None)
+        if not user or not user.is_authenticated:
+            return False
+        return True
+
+
+class AccountPermission(permissions.BasePermission):
+    """Ensure user belongs to the account being accessed."""
+    
+    def has_permission(self, request, view):
+        if not request.user or not request.user.is_authenticated:
+            return False
+        
+        # System bots can access all accounts
+        if request.user.role == 'system_bot':
+            return True
+        
+        # Users must have an account
+        user_account = getattr(request.user, 'account', None)
+        if not user_account:
+            return False
+        
+        # For now, allow access if user has account (will be refined with object-level checks)
+        return True
+    
+    def has_object_permission(self, request, view, obj):
+        if not request.user or not request.user.is_authenticated:
+            return False
+        
+        # System bots can access all
+        if request.user.role == 'system_bot':
+            return True
+        
+        # Check if object has account and it matches user's account
+        obj_account = getattr(obj, 'account', None)
+        user_account = getattr(request.user, 'account', None)
+        if obj_account:
+            return obj_account == user_account
+        
+        # If no account on object, allow (for non-account models)
+        return True
+
+