refactor: implement module-driven permissions and relocate business logic

File Relocations: - Delete app/config/ folder (empty after menu_registry removal) - Move feature_gate.py → app/modules/billing/dependencies/ - Move theme_presets.py → app/modules/cms/services/ Module-Driven Permissions System: - Add PermissionDefinition dataclass to app/modules/base.py - Create PermissionDiscoveryService in tenancy module - Update module definitions to declare their own permissions: - core: dashboard.view, settings.* - catalog: products.* - orders: orders.* - inventory: stock.* - customers: customers.* - tenancy: team.* - Update app/core/permissions.py to use discovery service - Role presets (owner, manager, staff, etc.) now use module permissions This follows the same pattern as module-driven menus: - Each module defines its permissions in definition.py - PermissionDiscoveryService aggregates all permissions at runtime - Tenancy module handles role-to-permission assignment Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-01 21:42:13 +01:00
parent 31e3d0fcba
commit 03395a9dfa
16 changed files with 749 additions and 121 deletions
--- a/app/core/permissions.py
+++ b/app/core/permissions.py
@@ -2,26 +2,38 @@
 """
 Permission constants and checking logic for RBAC.

-This module defines:
- Vendor-specific permissions
- Permission groups (for easier role creation)
- Permission checking utilities
+NOTE: This module now uses the module-driven permission system.
+Permissions are defined in each module's definition.py file and
+discovered by PermissionDiscoveryService.
+
+This file provides backward-compatible exports for existing code.
+New code should use:
+    from app.modules.tenancy.services.permission_discovery_service import (
+        permission_discovery_service
+    )
 """

 from enum import Enum

+from app.modules.tenancy.services.permission_discovery_service import (
+    permission_discovery_service,
+)
+

 class VendorPermissions(str, Enum):
    """
    All available permissions within a vendor context.

+    NOTE: This enum is maintained for backward compatibility.
+    Permissions are now defined in module definition.py files.
+
    Naming convention: RESOURCE_ACTION
    """

-    # Dashboard
+    # Dashboard (from core module)
    DASHBOARD_VIEW = "dashboard.view"

-    # Products
+    # Products (from catalog module)
    PRODUCTS_VIEW = "products.view"
    PRODUCTS_CREATE = "products.create"
    PRODUCTS_EDIT = "products.edit"
@@ -29,133 +41,91 @@ class VendorPermissions(str, Enum):
    PRODUCTS_IMPORT = "products.import"
    PRODUCTS_EXPORT = "products.export"

-    # Stock/Inventory
+    # Stock/Inventory (from inventory module)
    STOCK_VIEW = "stock.view"
    STOCK_EDIT = "stock.edit"
    STOCK_TRANSFER = "stock.transfer"

-    # Orders
+    # Orders (from orders module)
    ORDERS_VIEW = "orders.view"
    ORDERS_EDIT = "orders.edit"
    ORDERS_CANCEL = "orders.cancel"
    ORDERS_REFUND = "orders.refund"

-    # Customers
+    # Customers (from customers module)
    CUSTOMERS_VIEW = "customers.view"
    CUSTOMERS_EDIT = "customers.edit"
    CUSTOMERS_DELETE = "customers.delete"
    CUSTOMERS_EXPORT = "customers.export"

-    # Marketing
+    # Marketing (from messaging module - to be added)
    MARKETING_VIEW = "marketing.view"
    MARKETING_CREATE = "marketing.create"
    MARKETING_SEND = "marketing.send"

-    # Reports
+    # Reports (from analytics module - to be added)
    REPORTS_VIEW = "reports.view"
    REPORTS_FINANCIAL = "reports.financial"
    REPORTS_EXPORT = "reports.export"

-    # Settings
+    # Settings (from core module)
    SETTINGS_VIEW = "settings.view"
    SETTINGS_EDIT = "settings.edit"
    SETTINGS_THEME = "settings.theme"
    SETTINGS_DOMAINS = "settings.domains"

-    # Team Management
+    # Team Management (from tenancy module)
    TEAM_VIEW = "team.view"
    TEAM_INVITE = "team.invite"
    TEAM_EDIT = "team.edit"
    TEAM_REMOVE = "team.remove"

-    # Marketplace Imports
+    # Marketplace Imports (from marketplace module - to be added)
    IMPORTS_VIEW = "imports.view"
    IMPORTS_CREATE = "imports.create"
    IMPORTS_CANCEL = "imports.cancel"


 class PermissionGroups:
-    """Pre-defined permission groups for common roles."""
+    """
+    Pre-defined permission groups for common roles.

-    # Full access (for owners)
-    OWNER: set[str] = set(p.value for p in VendorPermissions)
+    NOTE: These now delegate to permission_discovery_service for consistency.
+    """

-    # Manager - Can do most things except team management and critical settings
-    MANAGER: set[str] = {
-        VendorPermissions.DASHBOARD_VIEW.value,
-        VendorPermissions.PRODUCTS_VIEW.value,
-        VendorPermissions.PRODUCTS_CREATE.value,
-        VendorPermissions.PRODUCTS_EDIT.value,
-        VendorPermissions.PRODUCTS_DELETE.value,
-        VendorPermissions.PRODUCTS_IMPORT.value,
-        VendorPermissions.PRODUCTS_EXPORT.value,
-        VendorPermissions.STOCK_VIEW.value,
-        VendorPermissions.STOCK_EDIT.value,
-        VendorPermissions.STOCK_TRANSFER.value,
-        VendorPermissions.ORDERS_VIEW.value,
-        VendorPermissions.ORDERS_EDIT.value,
-        VendorPermissions.ORDERS_CANCEL.value,
-        VendorPermissions.ORDERS_REFUND.value,
-        VendorPermissions.CUSTOMERS_VIEW.value,
-        VendorPermissions.CUSTOMERS_EDIT.value,
-        VendorPermissions.CUSTOMERS_EXPORT.value,
-        VendorPermissions.MARKETING_VIEW.value,
-        VendorPermissions.MARKETING_CREATE.value,
-        VendorPermissions.MARKETING_SEND.value,
-        VendorPermissions.REPORTS_VIEW.value,
-        VendorPermissions.REPORTS_FINANCIAL.value,
-        VendorPermissions.REPORTS_EXPORT.value,
-        VendorPermissions.SETTINGS_VIEW.value,
-        VendorPermissions.SETTINGS_THEME.value,
-        VendorPermissions.IMPORTS_VIEW.value,
-        VendorPermissions.IMPORTS_CREATE.value,
-        VendorPermissions.IMPORTS_CANCEL.value,
-    }
+    @property
+    def OWNER(self) -> set[str]:
+        """Full access (for owners) - all permissions."""
+        return permission_discovery_service.get_preset_permissions("owner")

-    # Staff - Can view and edit products/orders but limited access
-    STAFF: set[str] = {
-        VendorPermissions.DASHBOARD_VIEW.value,
-        VendorPermissions.PRODUCTS_VIEW.value,
-        VendorPermissions.PRODUCTS_CREATE.value,
-        VendorPermissions.PRODUCTS_EDIT.value,
-        VendorPermissions.STOCK_VIEW.value,
-        VendorPermissions.STOCK_EDIT.value,
-        VendorPermissions.ORDERS_VIEW.value,
-        VendorPermissions.ORDERS_EDIT.value,
-        VendorPermissions.CUSTOMERS_VIEW.value,
-        VendorPermissions.CUSTOMERS_EDIT.value,
-    }
+    @property
+    def MANAGER(self) -> set[str]:
+        """Manager - Can do most things except team management."""
+        return permission_discovery_service.get_preset_permissions("manager")

-    # Support - Can view and assist with orders/customers
-    SUPPORT: set[str] = {
-        VendorPermissions.DASHBOARD_VIEW.value,
-        VendorPermissions.PRODUCTS_VIEW.value,
-        VendorPermissions.ORDERS_VIEW.value,
-        VendorPermissions.ORDERS_EDIT.value,
-        VendorPermissions.CUSTOMERS_VIEW.value,
-        VendorPermissions.CUSTOMERS_EDIT.value,
-    }
+    @property
+    def STAFF(self) -> set[str]:
+        """Staff - Can view and edit products/orders but limited access."""
+        return permission_discovery_service.get_preset_permissions("staff")

-    # Viewer - Read-only access
-    VIEWER: set[str] = {
-        VendorPermissions.DASHBOARD_VIEW.value,
-        VendorPermissions.PRODUCTS_VIEW.value,
-        VendorPermissions.STOCK_VIEW.value,
-        VendorPermissions.ORDERS_VIEW.value,
-        VendorPermissions.CUSTOMERS_VIEW.value,
-        VendorPermissions.REPORTS_VIEW.value,
-    }
+    @property
+    def SUPPORT(self) -> set[str]:
+        """Support - Can view and assist with orders/customers."""
+        return permission_discovery_service.get_preset_permissions("support")

-    # Marketing - Focused on marketing and customer communication
-    MARKETING: set[str] = {
-        VendorPermissions.DASHBOARD_VIEW.value,
-        VendorPermissions.CUSTOMERS_VIEW.value,
-        VendorPermissions.CUSTOMERS_EXPORT.value,
-        VendorPermissions.MARKETING_VIEW.value,
-        VendorPermissions.MARKETING_CREATE.value,
-        VendorPermissions.MARKETING_SEND.value,
-        VendorPermissions.REPORTS_VIEW.value,
-    }
+    @property
+    def VIEWER(self) -> set[str]:
+        """Viewer - Read-only access."""
+        return permission_discovery_service.get_preset_permissions("viewer")
+
+    @property
+    def MARKETING(self) -> set[str]:
+        """Marketing - Focused on marketing and customer communication."""
+        return permission_discovery_service.get_preset_permissions("marketing")
+
+
+# Singleton instance for backward compatibility
+_permission_groups = PermissionGroups()


 class PermissionChecker:
@@ -188,23 +158,14 @@ class PermissionChecker:
        return [perm for perm in required_permissions if perm not in permissions]


-# Helper function to get permissions for a role preset
 def get_preset_permissions(preset_name: str) -> set[str]:
    """
    Get permissions for a preset role.

    Args:
-        preset_name: Name of the preset (manager, staff, support, viewer, marketing)
+        preset_name: Name of the preset (owner, manager, staff, support, viewer, marketing)

    Returns:
        Set of permission strings
    """
-    presets = {
-        "owner": PermissionGroups.OWNER,
-        "manager": PermissionGroups.MANAGER,
-        "staff": PermissionGroups.STAFF,
-        "support": PermissionGroups.SUPPORT,
-        "viewer": PermissionGroups.VIEWER,
-        "marketing": PermissionGroups.MARKETING,
-    }
-    return presets.get(preset_name.lower(), set())
+    return permission_discovery_service.get_preset_permissions(preset_name)