feat: RBAC Phase 1 — consolidate user roles into 4-value enum

Consolidate User.role (2-value: admin/store) + User.is_super_admin (boolean) into a single 4-value UserRole enum: super_admin, platform_admin, merchant_owner, store_member. Drop stale StoreUser.user_type column. Fix role="user" bug in merchant creation. Key changes: - Expand UserRole enum from 2 to 4 values with computed properties (is_admin, is_super_admin, is_platform_admin, is_merchant_owner, is_store_user) - Add Alembic migration (tenancy_003) for data migration + column drops - Remove is_super_admin from JWT token payload - Update all auth dependencies, services, routes, templates, JS, and tests - Update all RBAC documentation 66 files changed, 1219 unit tests passing. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-19 22:44:29 +01:00
parent ef21d47533
commit 1dcb0e6c33
67 changed files with 874 additions and 616 deletions
--- a/app/modules/tenancy/tests/integration/test_email_verification_routes.py
+++ b/app/modules/tenancy/tests/integration/test_email_verification_routes.py
@@ -34,7 +34,7 @@ def ev_unverified_user(db):
        email=f"unverified_{uid}@test.com",
        username=f"unverified_{uid}",
        hashed_password=auth.hash_password("testpass123"),  # noqa: SEC001
-        role="store",
+        role="merchant_owner",
        is_active=True,
        is_email_verified=False,
    )
@@ -55,7 +55,7 @@ def ev_verified_user(db):
        email=f"verified_{uid}@test.com",
        username=f"verified_{uid}",
        hashed_password=auth.hash_password("testpass123"),  # noqa: SEC001
-        role="store",
+        role="merchant_owner",
        is_active=True,
        is_email_verified=True,
    )
--- a/app/modules/tenancy/tests/integration/test_merchant_auth_routes.py
+++ b/app/modules/tenancy/tests/integration/test_merchant_auth_routes.py
@@ -33,7 +33,7 @@ def ma_owner(db):
        email=f"maowner_{uid}@test.com",
        username=f"maowner_{uid}",
        hashed_password=auth.hash_password("mapass123"),
-        role="store",
+        role="merchant_owner",
        is_active=True,
        is_email_verified=True,
    )
@@ -70,7 +70,7 @@ def ma_non_merchant_user(db):
        email=f"nonmerch_{uid}@test.com",
        username=f"nonmerch_{uid}",
        hashed_password=auth.hash_password("nonmerch123"),
-        role="store",
+        role="merchant_owner",
        is_active=True,
        is_email_verified=True,
    )
@@ -91,7 +91,7 @@ def ma_inactive_user(db):
        email=f"inactive_{uid}@test.com",
        username=f"inactive_{uid}",
        hashed_password=auth.hash_password("inactive123"),
-        role="store",
+        role="merchant_owner",
        is_active=False,
    )
    db.add(user)
--- a/app/modules/tenancy/tests/integration/test_merchant_password_reset.py
+++ b/app/modules/tenancy/tests/integration/test_merchant_password_reset.py
@@ -32,7 +32,7 @@ def mpr_user(db):
        email=f"mpr_{uid}@test.com",
        username=f"mpr_{uid}",
        hashed_password=auth.hash_password("oldpass123"),  # noqa: SEC001
-        role="store",
+        role="merchant_owner",
        is_active=True,
        is_email_verified=True,
    )
@@ -69,7 +69,7 @@ def mpr_inactive_user(db):
        email=f"mpri_{uid}@test.com",
        username=f"mpri_{uid}",
        hashed_password=auth.hash_password("inactive123"),  # noqa: SEC001
-        role="store",
+        role="merchant_owner",
        is_active=False,
        is_email_verified=True,
    )
--- a/app/modules/tenancy/tests/integration/test_merchant_routes.py
+++ b/app/modules/tenancy/tests/integration/test_merchant_routes.py
@@ -36,7 +36,7 @@ def mt_owner(db):
        email=f"mtowner_{uid}@test.com",
        username=f"mtowner_{uid}",
        hashed_password=auth.hash_password("mtpass123"),
-        role="store",
+        role="merchant_owner",
        is_active=True,
    )
    db.add(user)
@@ -95,7 +95,7 @@ def mt_auth(mt_owner, mt_merchant):
        id=mt_owner.id,
        email=mt_owner.email,
        username=mt_owner.username,
-        role="store",
+        role="merchant_owner",
        is_active=True,
    )

--- a/app/modules/tenancy/tests/integration/test_store_password_reset.py
+++ b/app/modules/tenancy/tests/integration/test_store_password_reset.py
@@ -12,7 +12,6 @@ import uuid
 import pytest

 from app.modules.tenancy.models import Merchant, Store, StoreUser, User
-from app.modules.tenancy.models.store import StoreUserType
 from app.modules.tenancy.models.user_password_reset_token import UserPasswordResetToken

 # ============================================================================
@@ -33,7 +32,7 @@ def spr_owner(db):
        email=f"spr_{uid}@test.com",
        username=f"spr_{uid}",
        hashed_password=auth.hash_password("storepass123"),  # noqa: SEC001
-        role="store",
+        role="merchant_owner",
        is_active=True,
        is_email_verified=True,
    )
@@ -83,7 +82,6 @@ def spr_store_user(db, spr_owner, spr_store):
    store_user = StoreUser(
        user_id=spr_owner.id,
        store_id=spr_store.id,
-        user_type=StoreUserType.OWNER.value,
        is_active=True,
    )
    db.add(store_user)