""" Role-Based Access Control (RBAC) Permissions """ from rest_framework import permissions class IsOwnerOrAdmin(permissions.BasePermission): """Allow access only to owners and admins.""" def has_permission(self, request, view): user = getattr(request, "user", None) if not user or not user.is_authenticated: return False if getattr(user, "is_superuser", False): return True return user.role in ['owner', 'admin', 'developer'] class IsEditorOrAbove(permissions.BasePermission): """Allow access to editors, admins, and owners.""" def has_permission(self, request, view): user = getattr(request, "user", None) if not user or not user.is_authenticated: return False if getattr(user, "is_superuser", False): return True return user.role in ['owner', 'admin', 'editor', 'developer'] class IsViewerOrAbove(permissions.BasePermission): """Allow access to all authenticated users.""" def has_permission(self, request, view): user = getattr(request, "user", None) if not user or not user.is_authenticated: return False return True class AccountPermission(permissions.BasePermission): """Ensure user belongs to the account being accessed.""" def has_permission(self, request, view): if not request.user or not request.user.is_authenticated: return False # System bots can access all accounts if request.user.role == 'system_bot': return True # Users must have an account user_account = getattr(request.user, 'account', None) if not user_account: return False # For now, allow access if user has account (will be refined with object-level checks) return True def has_object_permission(self, request, view, obj): if not request.user or not request.user.is_authenticated: return False # System bots can access all if request.user.role == 'system_bot': return True # Check if object has account and it matches user's account obj_account = getattr(obj, 'account', None) user_account = getattr(request.user, 'account', None) if obj_account: return obj_account == user_account # If no account on object, allow (for non-account models) return True