new kw for it services & sectors alignment & viewer access partial fixed

2026-02-20 23:29:51 +00:00
parent 2011e48145
commit 341f7c5bc7
110 changed files with 4768 additions and 36 deletions
--- a/backend/igny8_core/api/account_views.py
+++ b/backend/igny8_core/api/account_views.py
@@ -171,6 +171,7 @@ class TeamManagementViewSet(viewsets.ViewSet):
                    'email': user.email,
                    'first_name': user.first_name,
                    'last_name': user.last_name,
+                    'role': user.role,
                    'is_active': user.is_active,
                    'is_staff': user.is_staff,
                    'date_joined': user.date_joined.isoformat(),
@@ -182,9 +183,11 @@ class TeamManagementViewSet(viewsets.ViewSet):
        })
    
    def create(self, request):
-        """Invite new team member"""
+        """Invite new team member with role and optional site access."""
        account = request.user.account
        email = request.data.get('email')
+        role = request.data.get('role', 'viewer')
+        site_ids = request.data.get('site_ids', [])  # For viewer role: which sites to grant access
        
        if not email:
            return Response(
@@ -192,6 +195,13 @@ class TeamManagementViewSet(viewsets.ViewSet):
                status=status.HTTP_400_BAD_REQUEST
            )
        
+        # Validate role - only admin and viewer allowed for invites
+        if role not in ['admin', 'viewer']:
+            return Response(
+                {'error': 'Role must be either "admin" or "viewer"'},
+                status=status.HTTP_400_BAD_REQUEST
+            )
+        
        # Check if user already exists
        if User.objects.filter(email=email).exists():
            return Response(
@@ -217,15 +227,39 @@ class TeamManagementViewSet(viewsets.ViewSet):
            username = f"{base_username}{counter}"
            counter += 1

-        # Create user and send invitation email
+        # Create user with assigned role
        user = User.objects.create_user(
            username=username,
            email=email,
            first_name=request.data.get('first_name', ''),
            last_name=request.data.get('last_name', ''),
-            account=account
+            account=account,
+            role=role,
        )

+        # Grant site access based on role
+        from igny8_core.auth.models import SiteUserAccess, Site
+        if role == 'viewer' and site_ids:
+            # Viewer: grant access only to specified sites
+            sites = Site.objects.filter(id__in=site_ids, account=account)
+            for site in sites:
+                SiteUserAccess.objects.get_or_create(
+                    user=user,
+                    site=site,
+                    defaults={'granted_by': request.user}
+                )
+        elif role == 'admin':
+            # Admin: automatically grant access to ALL current sites
+            # (admin also sees all sites via get_accessible_sites, but
+            #  creating records ensures consistency)
+            sites = Site.objects.filter(account=account)
+            for site in sites:
+                SiteUserAccess.objects.get_or_create(
+                    user=user,
+                    site=site,
+                    defaults={'granted_by': request.user}
+                )
+
        # Create password reset token for invite
        token = secrets.token_urlsafe(32)
        expires_at = timezone.now() + timedelta(hours=24)
@@ -248,6 +282,7 @@ class TeamManagementViewSet(viewsets.ViewSet):
                'email': user.email,
                'first_name': user.first_name,
                'last_name': user.last_name,
+                'role': user.role,
            }
        }, status=status.HTTP_201_CREATED)