igny8/tenant/backend/igny8_core/auth/permissions.py

"""
Role-Based Access Control (RBAC) Permissions
"""
from rest_framework import permissions
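class IsOwnerOrAdmin(permissions.BasePermission):
    """Allow access to users whose role is owner, admin, or developer.

    Superusers are always allowed; anonymous or missing users are denied.
    The accepted roles live in ``allowed_roles`` so a subclass can narrow or
    widen the set without re-implementing ``has_permission``.
    """

    # Roles granted by this check. 'developer' is deliberately part of the
    # set even though the class name only mentions owners and admins.
    allowed_roles = ("owner", "admin", "developer")

    def has_permission(self, request, view):
        """Return True if the user is a superuser or holds an allowed role.

        Args:
            request: The incoming request; only ``request.user`` is inspected.
            view: The view being accessed (unused by this check).

        Returns:
            bool: True to allow the request, False to deny it.
        """
        user = getattr(request, "user", None)
        if not user or not user.is_authenticated:
            return False
        if getattr(user, "is_superuser", False):
            return True
        # Default to None so a user model without ``role`` is denied instead
        # of raising AttributeError (which would surface as a server error).
        return getattr(user, "role", None) in self.allowed_roles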
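class IsEditorOrAbove(permissions.BasePermission):
    """Allow access to editors, developers, admins, and owners.

    Superusers are always allowed; anonymous or missing users are denied.
    The accepted roles live in ``allowed_roles`` so a subclass can adjust
    the set without re-implementing ``has_permission``.
    """

    # Roles granted by this check; a superset of IsOwnerOrAdmin's roles.
    allowed_roles = ("owner", "admin", "editor", "developer")

    def has_permission(self, request, view):
        """Return True if the user is a superuser or holds an allowed role.

        Args:
            request: The incoming request; only ``request.user`` is inspected.
            view: The view being accessed (unused by this check).

        Returns:
            bool: True to allow the request, False to deny it.
        """
        user = getattr(request, "user", None)
        if not user or not user.is_authenticated:
            return False
        if getattr(user, "is_superuser", False):
            return True
        # Default to None so a user model without ``role`` is denied instead
        # of raising AttributeError (which would surface as a server error).
        return getattr(user, "role", None) in self.allowed_roles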
class IsViewerOrAbove(permissions.BasePermission):
    """Allow access to any authenticated user, whatever their role."""

    def has_permission(self, request, view):
        """Return True when ``request.user`` is present and authenticated.

        Args:
            request: The incoming request; only ``request.user`` is inspected.
            view: The view being accessed (unused by this check).

        Returns:
            bool: True for authenticated users, False otherwise.
        """
        current_user = getattr(request, "user", None)
        if not current_user:
            return False
        return bool(current_user.is_authenticated)
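class AccountPermission(permissions.BasePermission):
    """Ensure the requesting user belongs to the account being accessed.

    ``has_permission`` is a coarse gate: authenticated users that have an
    ``account`` (or carry the system-bot role) pass. The actual tenant check
    happens in ``has_object_permission``, which compares the object's
    ``account`` with the user's. DRF invokes ``has_object_permission`` only
    for views that resolve a single object (through ``get_object``); list
    endpoints must scope their queryset to the user's account themselves,
    this class does not do that for them.
    """

    # Role that bypasses account scoping entirely.
    system_bot_role = "system_bot"

    @staticmethod
    def _authenticated_user(request):
        """Return the authenticated user on ``request``, or None if absent."""
        user = getattr(request, "user", None)
        if not user or not user.is_authenticated:
            return None
        return user

    def has_permission(self, request, view):
        """Return True if the user is the system bot or has an account.

        Args:
            request: The incoming request; only ``request.user`` is inspected.
            view: The view being accessed (unused by this check).

        Returns:
            bool: True to allow the request, False to deny it.
        """
        user = self._authenticated_user(request)
        if user is None:
            return False
        # System bots can access all accounts.
        if getattr(user, "role", None) == self.system_bot_role:
            return True
        # Users must have an account. getattr with a default keeps this safe
        # for user models that lack the attribute instead of raising.
        if not getattr(user, "account", None):
            return False
        # Membership in a specific account is only checked per object
        # (see has_object_permission).
        return True

    def has_object_permission(self, request, view, obj):
        """Return True if ``obj`` belongs to the user's account.

        Args:
            request: The incoming request; only ``request.user`` is inspected.
            view: The view being accessed (unused by this check).
            obj: The model instance being accessed; its ``account`` attribute
                is compared with the user's.

        Returns:
            bool: True when the object has no account or its account equals
            the user's (or the user is the system bot), False otherwise.
        """
        user = self._authenticated_user(request)
        if user is None:
            return False
        # System bots can access everything.
        if getattr(user, "role", None) == self.system_bot_role:
            return True
        obj_account = getattr(obj, "account", None)
        user_account = getattr(user, "account", None)
        if obj_account:
            # A user without an account compares unequal here and is denied.
            return obj_account == user_account
        # No account on the object: allowed, for models that are not
        # account-scoped. NOTE(review): an account-scoped model whose
        # ``account`` is None also takes this branch; confirm that is intended
        # before relying on this class for tenant isolation of such rows.
        return True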