sboulahtit/orion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor: implement module-driven permissions and relocate business logic

Browse Source 
File Relocations:
- Delete app/config/ folder (empty after menu_registry removal)
- Move feature_gate.py → app/modules/billing/dependencies/
- Move theme_presets.py → app/modules/cms/services/

Module-Driven Permissions System:
- Add PermissionDefinition dataclass to app/modules/base.py
- Create PermissionDiscoveryService in tenancy module
- Update module definitions to declare their own permissions:
  - core: dashboard.view, settings.*
  - catalog: products.*
  - orders: orders.*
  - inventory: stock.*
  - customers: customers.*
  - tenancy: team.*
- Update app/core/permissions.py to use discovery service
- Role presets (owner, manager, staff, etc.) now use module permissions

This follows the same pattern as module-driven menus:
- Each module defines its permissions in definition.py
- PermissionDiscoveryService aggregates all permissions at runtime
- Tenancy module handles role-to-permission assignment

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Samir Boulahtit
2026-02-01 21:42:13 +01:00
parent 31e3d0fcba
commit 03395a9dfa
16 changed files with 749 additions and 121 deletions
Download Patch File Download Diff File Expand all files Collapse all files

254
app/core/feature_gate.py
View File

@@ -1,254 +0,0 @@
# app/core/feature_gate.py
"""
Feature gating decorator and dependencies for tier-based access control.
Provides:
- @require_feature decorator for endpoints
- RequireFeature dependency for flexible usage
- FeatureNotAvailableError exception with upgrade info
Usage:
# As decorator (simple)
@router.get("/analytics")
@require_feature(FeatureCode.ANALYTICS_DASHBOARD)
def get_analytics(...):
...
# As dependency (more control)
@router.get("/analytics")
def get_analytics(
_: None = Depends(RequireFeature(FeatureCode.ANALYTICS_DASHBOARD)),
...
):
...
# Multiple features (any one required)
@require_feature(FeatureCode.ANALYTICS_DASHBOARD, FeatureCode.BASIC_REPORTS)
def get_reports(...):
...
"""
import functools
import logging
from typing import Callable
from fastapi import Depends, HTTPException, Request
from sqlalchemy.orm import Session
from app.api.deps import get_current_vendor_api
from app.core.database import get_db
from app.modules.billing.services.feature_service import feature_service
from app.modules.billing.models import FeatureCode
from app.modules.tenancy.models import User
logger = logging.getLogger(__name__)
class FeatureNotAvailableError(HTTPException):
"""
Exception raised when a feature is not available for the vendor's tier.
Includes upgrade information for the frontend to display.
"""
def __init__(
self,
feature_code: str,
feature_name: str | None = None,
required_tier_code: str | None = None,
required_tier_name: str | None = None,
required_tier_price_cents: int | None = None,
):
detail = {
"error": "feature_not_available",
"message": f"This feature requires an upgrade to access.",
"feature_code": feature_code,
"feature_name": feature_name,
"upgrade": {
"tier_code": required_tier_code,
"tier_name": required_tier_name,
"price_monthly_cents": required_tier_price_cents,
}
if required_tier_code
else None,
}
super().__init__(status_code=403, detail=detail)
class RequireFeature:
"""
Dependency class that checks if vendor has access to a feature.
Can be used as a FastAPI dependency:
@router.get("/analytics")
def get_analytics(
_: None = Depends(RequireFeature("analytics_dashboard")),
current_user: User = Depends(get_current_vendor_api),
db: Session = Depends(get_db),
):
...
Args:
*feature_codes: One or more feature codes. Access granted if ANY is available.
"""
def __init__(self, *feature_codes: str):
if not feature_codes:
raise ValueError("At least one feature code is required")
self.feature_codes = feature_codes
def __call__(
self,
current_user: User = Depends(get_current_vendor_api),
db: Session = Depends(get_db),
) -> None:
"""Check if vendor has access to any of the required features."""
vendor_id = current_user.token_vendor_id
# Check if vendor has ANY of the required features
for feature_code in self.feature_codes:
if feature_service.has_feature(db, vendor_id, feature_code):
return None
# None of the features are available - get upgrade info for first one
feature_code = self.feature_codes[0]
upgrade_info = feature_service.get_feature_upgrade_info(db, feature_code)
if upgrade_info:
raise FeatureNotAvailableError(
feature_code=feature_code,
feature_name=upgrade_info.feature_name,
required_tier_code=upgrade_info.required_tier_code,
required_tier_name=upgrade_info.required_tier_name,
required_tier_price_cents=upgrade_info.required_tier_price_monthly_cents,
)
else:
# Feature not found in registry
raise FeatureNotAvailableError(feature_code=feature_code)
def require_feature(*feature_codes: str) -> Callable:
"""
Decorator to require one or more features for an endpoint.
The decorated endpoint will return 403 with upgrade info if the vendor
doesn't have access to ANY of the specified features.
Args:
*feature_codes: One or more feature codes. Access granted if ANY is available.
Example:
@router.get("/analytics/dashboard")
@require_feature(FeatureCode.ANALYTICS_DASHBOARD)
async def get_analytics_dashboard(
current_user: User = Depends(get_current_vendor_api),
db: Session = Depends(get_db),
):
...
# Multiple features (any one is sufficient)
@router.get("/reports")
@require_feature(FeatureCode.ANALYTICS_DASHBOARD, FeatureCode.BASIC_REPORTS)
async def get_reports(...):
...
"""
if not feature_codes:
raise ValueError("At least one feature code is required")
def decorator(func: Callable) -> Callable:
@functools.wraps(func)
async def async_wrapper(*args, **kwargs):
# Extract dependencies from kwargs
db = kwargs.get("db")
current_user = kwargs.get("current_user")
if not db or not current_user:
# Try to get from request if not in kwargs
request = kwargs.get("request")
if request and hasattr(request, "state"):
db = getattr(request.state, "db", None)
current_user = getattr(request.state, "user", None)
if not db or not current_user:
raise HTTPException(
status_code=500,
detail="Feature check failed: missing db or current_user dependency",
)
vendor_id = current_user.token_vendor_id
# Check if vendor has ANY of the required features
for feature_code in feature_codes:
if feature_service.has_feature(db, vendor_id, feature_code):
return await func(*args, **kwargs)
# None available - raise with upgrade info
feature_code = feature_codes[0]
upgrade_info = feature_service.get_feature_upgrade_info(db, feature_code)
if upgrade_info:
raise FeatureNotAvailableError(
feature_code=feature_code,
feature_name=upgrade_info.feature_name,
required_tier_code=upgrade_info.required_tier_code,
required_tier_name=upgrade_info.required_tier_name,
required_tier_price_cents=upgrade_info.required_tier_price_monthly_cents,
)
else:
raise FeatureNotAvailableError(feature_code=feature_code)
@functools.wraps(func)
def sync_wrapper(*args, **kwargs):
# Extract dependencies from kwargs
db = kwargs.get("db")
current_user = kwargs.get("current_user")
if not db or not current_user:
raise HTTPException(
status_code=500,
detail="Feature check failed: missing db or current_user dependency",
)
vendor_id = current_user.token_vendor_id
# Check if vendor has ANY of the required features
for feature_code in feature_codes:
if feature_service.has_feature(db, vendor_id, feature_code):
return func(*args, **kwargs)
# None available - raise with upgrade info
feature_code = feature_codes[0]
upgrade_info = feature_service.get_feature_upgrade_info(db, feature_code)
if upgrade_info:
raise FeatureNotAvailableError(
feature_code=feature_code,
feature_name=upgrade_info.feature_name,
required_tier_code=upgrade_info.required_tier_code,
required_tier_name=upgrade_info.required_tier_name,
required_tier_price_cents=upgrade_info.required_tier_price_monthly_cents,
)
else:
raise FeatureNotAvailableError(feature_code=feature_code)
# Return appropriate wrapper based on whether func is async
import asyncio
if asyncio.iscoroutinefunction(func):
return async_wrapper
else:
return sync_wrapper
return decorator
# ============================================================================
# Convenience Exports
# ============================================================================
__all__ = [
"require_feature",
"RequireFeature",
"FeatureNotAvailableError",
"FeatureCode",
]

161
app/core/permissions.py
View File

@@ -2,26 +2,38 @@
"""
Permission constants and checking logic for RBAC.
This module defines:
- Vendor-specific permissions
- Permission groups (for easier role creation)
- Permission checking utilities
NOTE: This module now uses the module-driven permission system.
Permissions are defined in each module's definition.py file and
discovered by PermissionDiscoveryService.
This file provides backward-compatible exports for existing code.
New code should use:
from app.modules.tenancy.services.permission_discovery_service import (
permission_discovery_service
)
"""
from enum import Enum
from app.modules.tenancy.services.permission_discovery_service import (
permission_discovery_service,
)
class VendorPermissions(str, Enum):
"""
All available permissions within a vendor context.
NOTE: This enum is maintained for backward compatibility.
Permissions are now defined in module definition.py files.
Naming convention: RESOURCE_ACTION
"""
# Dashboard
# Dashboard (from core module)
DASHBOARD_VIEW = "dashboard.view"
# Products
# Products (from catalog module)
PRODUCTS_VIEW = "products.view"
PRODUCTS_CREATE = "products.create"
PRODUCTS_EDIT = "products.edit"
@@ -29,133 +41,91 @@ class VendorPermissions(str, Enum):
PRODUCTS_IMPORT = "products.import"
PRODUCTS_EXPORT = "products.export"
# Stock/Inventory
# Stock/Inventory (from inventory module)
STOCK_VIEW = "stock.view"
STOCK_EDIT = "stock.edit"
STOCK_TRANSFER = "stock.transfer"
# Orders
# Orders (from orders module)
ORDERS_VIEW = "orders.view"
ORDERS_EDIT = "orders.edit"
ORDERS_CANCEL = "orders.cancel"
ORDERS_REFUND = "orders.refund"
# Customers
# Customers (from customers module)
CUSTOMERS_VIEW = "customers.view"
CUSTOMERS_EDIT = "customers.edit"
CUSTOMERS_DELETE = "customers.delete"
CUSTOMERS_EXPORT = "customers.export"
# Marketing
# Marketing (from messaging module - to be added)
MARKETING_VIEW = "marketing.view"
MARKETING_CREATE = "marketing.create"
MARKETING_SEND = "marketing.send"
# Reports
# Reports (from analytics module - to be added)
REPORTS_VIEW = "reports.view"
REPORTS_FINANCIAL = "reports.financial"
REPORTS_EXPORT = "reports.export"
# Settings
# Settings (from core module)
SETTINGS_VIEW = "settings.view"
SETTINGS_EDIT = "settings.edit"
SETTINGS_THEME = "settings.theme"
SETTINGS_DOMAINS = "settings.domains"
# Team Management
# Team Management (from tenancy module)
TEAM_VIEW = "team.view"
TEAM_INVITE = "team.invite"
TEAM_EDIT = "team.edit"
TEAM_REMOVE = "team.remove"
# Marketplace Imports
# Marketplace Imports (from marketplace module - to be added)
IMPORTS_VIEW = "imports.view"
IMPORTS_CREATE = "imports.create"
IMPORTS_CANCEL = "imports.cancel"
class PermissionGroups:
"""Pre-defined permission groups for common roles."""
"""
Pre-defined permission groups for common roles.
# Full access (for owners)
OWNER: set[str] = set(p.value for p in VendorPermissions)
NOTE: These now delegate to permission_discovery_service for consistency.
"""
# Manager - Can do most things except team management and critical settings
MANAGER: set[str] = {
VendorPermissions.DASHBOARD_VIEW.value,
VendorPermissions.PRODUCTS_VIEW.value,
VendorPermissions.PRODUCTS_CREATE.value,
VendorPermissions.PRODUCTS_EDIT.value,
VendorPermissions.PRODUCTS_DELETE.value,
VendorPermissions.PRODUCTS_IMPORT.value,
VendorPermissions.PRODUCTS_EXPORT.value,
VendorPermissions.STOCK_VIEW.value,
VendorPermissions.STOCK_EDIT.value,
VendorPermissions.STOCK_TRANSFER.value,
VendorPermissions.ORDERS_VIEW.value,
VendorPermissions.ORDERS_EDIT.value,
VendorPermissions.ORDERS_CANCEL.value,
VendorPermissions.ORDERS_REFUND.value,
VendorPermissions.CUSTOMERS_VIEW.value,
VendorPermissions.CUSTOMERS_EDIT.value,
VendorPermissions.CUSTOMERS_EXPORT.value,
VendorPermissions.MARKETING_VIEW.value,
VendorPermissions.MARKETING_CREATE.value,
VendorPermissions.MARKETING_SEND.value,
VendorPermissions.REPORTS_VIEW.value,
VendorPermissions.REPORTS_FINANCIAL.value,
VendorPermissions.REPORTS_EXPORT.value,
VendorPermissions.SETTINGS_VIEW.value,
VendorPermissions.SETTINGS_THEME.value,
VendorPermissions.IMPORTS_VIEW.value,
VendorPermissions.IMPORTS_CREATE.value,
VendorPermissions.IMPORTS_CANCEL.value,
}
@property
def OWNER(self) -> set[str]:
"""Full access (for owners) - all permissions."""
return permission_discovery_service.get_preset_permissions("owner")
# Staff - Can view and edit products/orders but limited access
STAFF: set[str] = {
VendorPermissions.DASHBOARD_VIEW.value,
VendorPermissions.PRODUCTS_VIEW.value,
VendorPermissions.PRODUCTS_CREATE.value,
VendorPermissions.PRODUCTS_EDIT.value,
VendorPermissions.STOCK_VIEW.value,
VendorPermissions.STOCK_EDIT.value,
VendorPermissions.ORDERS_VIEW.value,
VendorPermissions.ORDERS_EDIT.value,
VendorPermissions.CUSTOMERS_VIEW.value,
VendorPermissions.CUSTOMERS_EDIT.value,
}
@property
def MANAGER(self) -> set[str]:
"""Manager - Can do most things except team management."""
return permission_discovery_service.get_preset_permissions("manager")
# Support - Can view and assist with orders/customers
SUPPORT: set[str] = {
VendorPermissions.DASHBOARD_VIEW.value,
VendorPermissions.PRODUCTS_VIEW.value,
VendorPermissions.ORDERS_VIEW.value,
VendorPermissions.ORDERS_EDIT.value,
VendorPermissions.CUSTOMERS_VIEW.value,
VendorPermissions.CUSTOMERS_EDIT.value,
}
@property
def STAFF(self) -> set[str]:
"""Staff - Can view and edit products/orders but limited access."""
return permission_discovery_service.get_preset_permissions("staff")
# Viewer - Read-only access
VIEWER: set[str] = {
VendorPermissions.DASHBOARD_VIEW.value,
VendorPermissions.PRODUCTS_VIEW.value,
VendorPermissions.STOCK_VIEW.value,
VendorPermissions.ORDERS_VIEW.value,
VendorPermissions.CUSTOMERS_VIEW.value,
VendorPermissions.REPORTS_VIEW.value,
}
@property
def SUPPORT(self) -> set[str]:
"""Support - Can view and assist with orders/customers."""
return permission_discovery_service.get_preset_permissions("support")
# Marketing - Focused on marketing and customer communication
MARKETING: set[str] = {
VendorPermissions.DASHBOARD_VIEW.value,
VendorPermissions.CUSTOMERS_VIEW.value,
VendorPermissions.CUSTOMERS_EXPORT.value,
VendorPermissions.MARKETING_VIEW.value,
VendorPermissions.MARKETING_CREATE.value,
VendorPermissions.MARKETING_SEND.value,
VendorPermissions.REPORTS_VIEW.value,
}
@property
def VIEWER(self) -> set[str]:
"""Viewer - Read-only access."""
return permission_discovery_service.get_preset_permissions("viewer")
@property
def MARKETING(self) -> set[str]:
"""Marketing - Focused on marketing and customer communication."""
return permission_discovery_service.get_preset_permissions("marketing")
# Singleton instance for backward compatibility
_permission_groups = PermissionGroups()
class PermissionChecker:
@@ -188,23 +158,14 @@ class PermissionChecker:
return [perm for perm in required_permissions if perm not in permissions]
# Helper function to get permissions for a role preset
def get_preset_permissions(preset_name: str) -> set[str]:
"""
Get permissions for a preset role.
Args:
preset_name: Name of the preset (manager, staff, support, viewer, marketing)
preset_name: Name of the preset (owner, manager, staff, support, viewer, marketing)
Returns:
Set of permission strings
"""
presets = {
"owner": PermissionGroups.OWNER,
"manager": PermissionGroups.MANAGER,
"staff": PermissionGroups.STAFF,
"support": PermissionGroups.SUPPORT,
"viewer": PermissionGroups.VIEWER,
"marketing": PermissionGroups.MARKETING,
}
return presets.get(preset_name.lower(), set())
return permission_discovery_service.get_preset_permissions(preset_name)

249
app/core/theme_presets.py
View File

@@ -1,249 +0,0 @@
# app/core/theme_presets.py
"""
Theme presets for vendor shops.
Presets define default color schemes, fonts, and layouts that vendors can choose from.
Each preset provides a complete theme configuration that can be customized further.
"""
from app.modules.cms.models import VendorTheme
THEME_PRESETS = {
"default": {
"colors": {
"primary": "#6366f1", # Indigo
"secondary": "#8b5cf6", # Purple
"accent": "#ec4899", # Pink
"background": "#ffffff", # White
"text": "#1f2937", # Gray-800
"border": "#e5e7eb", # Gray-200
},
"fonts": {"heading": "Inter, sans-serif", "body": "Inter, sans-serif"},
"layout": {"style": "grid", "header": "fixed", "product_card": "modern"},
},
"modern": {
"colors": {
"primary": "#6366f1", # Indigo - Modern tech look
"secondary": "#8b5cf6", # Purple
"accent": "#ec4899", # Pink
"background": "#ffffff", # White
"text": "#1f2937", # Gray-800
"border": "#e5e7eb", # Gray-200
},
"fonts": {"heading": "Inter, sans-serif", "body": "Inter, sans-serif"},
"layout": {"style": "grid", "header": "fixed", "product_card": "modern"},
},
"classic": {
"colors": {
"primary": "#1e40af", # Dark blue - Traditional
"secondary": "#7c3aed", # Purple
"accent": "#dc2626", # Red
"background": "#ffffff", # White
"text": "#1f2937", # Gray-800
"border": "#d1d5db", # Gray-300
},
"fonts": {"heading": "Georgia, serif", "body": "Arial, sans-serif"},
"layout": {"style": "list", "header": "static", "product_card": "classic"},
},
"minimal": {
"colors": {
"primary": "#000000", # Black - Ultra minimal
"secondary": "#404040", # Dark gray
"accent": "#666666", # Medium gray
"background": "#ffffff", # White
"text": "#000000", # Black
"border": "#e5e7eb", # Light gray
},
"fonts": {"heading": "Helvetica, sans-serif", "body": "Helvetica, sans-serif"},
"layout": {"style": "grid", "header": "transparent", "product_card": "minimal"},
},
"vibrant": {
"colors": {
"primary": "#f59e0b", # Orange - Bold & energetic
"secondary": "#ef4444", # Red
"accent": "#8b5cf6", # Purple
"background": "#ffffff", # White
"text": "#1f2937", # Gray-800
"border": "#fbbf24", # Yellow
},
"fonts": {"heading": "Poppins, sans-serif", "body": "Open Sans, sans-serif"},
"layout": {"style": "masonry", "header": "fixed", "product_card": "modern"},
},
"elegant": {
"colors": {
"primary": "#6b7280", # Gray - Sophisticated
"secondary": "#374151", # Dark gray
"accent": "#d97706", # Amber
"background": "#ffffff", # White
"text": "#1f2937", # Gray-800
"border": "#e5e7eb", # Gray-200
},
"fonts": {"heading": "Playfair Display, serif", "body": "Lato, sans-serif"},
"layout": {"style": "grid", "header": "fixed", "product_card": "classic"},
},
"nature": {
"colors": {
"primary": "#059669", # Green - Natural & eco
"secondary": "#10b981", # Emerald
"accent": "#f59e0b", # Amber
"background": "#ffffff", # White
"text": "#1f2937", # Gray-800
"border": "#d1fae5", # Light green
},
"fonts": {"heading": "Montserrat, sans-serif", "body": "Open Sans, sans-serif"},
"layout": {"style": "grid", "header": "fixed", "product_card": "modern"},
},
}
def get_preset(preset_name: str) -> dict:
"""
Get a theme preset by name.
Args:
preset_name: Name of the preset (e.g., 'modern', 'classic')
Returns:
dict: Theme configuration
Raises:
ValueError: If preset name is unknown
"""
if preset_name not in THEME_PRESETS:
available = ", ".join(THEME_PRESETS.keys())
raise ValueError(f"Unknown preset: {preset_name}. Available: {available}")
return THEME_PRESETS[preset_name]
def apply_preset(theme: VendorTheme, preset_name: str) -> VendorTheme:
"""
Apply a preset to a vendor theme.
Args:
theme: VendorTheme instance to update
preset_name: Name of the preset to apply
Returns:
VendorTheme: Updated theme instance
Raises:
ValueError: If preset name is unknown
Example:
theme = VendorTheme(vendor_id=1)
apply_preset(theme, "modern")
db.add(theme)
db.commit()
"""
preset = get_preset(preset_name)
# Set theme name
theme.theme_name = preset_name
# Apply colors (all of them!)
theme.colors = preset["colors"]
# Apply fonts
theme.font_family_heading = preset["fonts"]["heading"]
theme.font_family_body = preset["fonts"]["body"]
# Apply layout settings
theme.layout_style = preset["layout"]["style"]
theme.header_style = preset["layout"]["header"]
theme.product_card_style = preset["layout"]["product_card"]
# Mark as active
theme.is_active = True
return theme
def get_available_presets() -> list[str]:
"""
Get list of available preset names.
Returns:
list: Available preset names
"""
return list(THEME_PRESETS.keys())
def get_preset_preview(preset_name: str) -> dict:
"""
Get preview information for a preset (for UI display).
Args:
preset_name: Name of the preset
Returns:
dict: Preview info with colors, fonts, description
"""
preset = get_preset(preset_name)
descriptions = {
"default": "Clean and professional - perfect for getting started",
"modern": "Contemporary tech-inspired design with vibrant colors",
"classic": "Traditional and trustworthy with serif typography",
"minimal": "Ultra-clean black and white aesthetic",
"vibrant": "Bold and energetic with bright accent colors",
"elegant": "Sophisticated gray tones with refined typography",
"nature": "Fresh and eco-friendly green color palette",
}
return {
"name": preset_name,
"description": descriptions.get(preset_name, ""),
"primary_color": preset["colors"]["primary"],
"secondary_color": preset["colors"]["secondary"],
"accent_color": preset["colors"]["accent"],
"heading_font": preset["fonts"]["heading"],
"body_font": preset["fonts"]["body"],
"layout_style": preset["layout"]["style"],
}
def create_custom_preset(
colors: dict, fonts: dict, layout: dict, name: str = "custom"
) -> dict:
"""
Create a custom preset from provided settings.
Args:
colors: Dict with primary, secondary, accent, background, text, border
fonts: Dict with heading and body fonts
layout: Dict with style, header, product_card
name: Name for the custom preset
Returns:
dict: Custom preset configuration
Example:
custom = create_custom_preset(
colors={"primary": "#ff0000", "secondary": "#00ff00", ...},
fonts={"heading": "Arial", "body": "Arial"},
layout={"style": "grid", "header": "fixed", "product_card": "modern"},
name="my_custom_theme"
)
"""
# Validate colors
required_colors = ["primary", "secondary", "accent", "background", "text", "border"]
for color_key in required_colors:
if color_key not in colors:
colors[color_key] = THEME_PRESETS["default"]["colors"][color_key]
# Validate fonts
if "heading" not in fonts:
fonts["heading"] = "Inter, sans-serif"
if "body" not in fonts:
fonts["body"] = "Inter, sans-serif"
# Validate layout
if "style" not in layout:
layout["style"] = "grid"
if "header" not in layout:
layout["header"] = "fixed"
if "product_card" not in layout:
layout["product_card"] = "modern"
return {"colors": colors, "fonts": fonts, "layout": layout}