sboulahtit/orion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: RBAC Phase 1 — consolidate user roles into 4-value enum
Some checks failed
CI / ruff (push) Successful in 11s
Details
CI / validate (push) Has been cancelled
Details
CI / dependency-scanning (push) Has been cancelled
Details
CI / docs (push) Has been cancelled
Details
CI / deploy (push) Has been cancelled
Details
CI / pytest (push) Has been cancelled
Details

Browse Source 
Consolidate User.role (2-value: admin/store) + User.is_super_admin (boolean)
into a single 4-value UserRole enum: super_admin, platform_admin,
merchant_owner, store_member. Drop stale StoreUser.user_type column.
Fix role="user" bug in merchant creation.

Key changes:
- Expand UserRole enum from 2 to 4 values with computed properties
  (is_admin, is_super_admin, is_platform_admin, is_merchant_owner, is_store_user)
- Add Alembic migration (tenancy_003) for data migration + column drops
- Remove is_super_admin from JWT token payload
- Update all auth dependencies, services, routes, templates, JS, and tests
- Update all RBAC documentation

66 files changed, 1219 unit tests passing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Samir Boulahtit
2026-02-19 22:44:29 +01:00
parent ef21d47533
commit 1dcb0e6c33
67 changed files with 874 additions and 616 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
tests/fixtures/admin_platform_fixtures.py vendored
View File

@@ -78,10 +78,9 @@ def platform_admin_with_platform(db, auth_manager, test_platform, test_super_adm
email=f"padmin_{unique_id}@example.com",
username=f"padmin_{unique_id}",
hashed_password=hashed_password,
role="admin",
role="platform_admin",
is_active=True,
is_email_verified=True,
is_super_admin=False,
)
db.add(admin)
db.flush()

18
tests/fixtures/auth_fixtures.py vendored
View File

@@ -29,7 +29,7 @@ def test_user(db, auth_manager):
email=f"test_{unique_id}@example.com",
username=f"testuser_{unique_id}",
hashed_password=hashed_password,
role="user",
role="store_member",
is_active=True,
is_email_verified=True,
)
@@ -48,10 +48,9 @@ def test_admin(db, auth_manager):
email=f"admin_{unique_id}@example.com",
username=f"admin_{unique_id}",
hashed_password=hashed_password,
role="admin",
role="super_admin",
is_active=True,
is_email_verified=True,
is_super_admin=True, # Full platform access
)
db.add(admin)
db.commit()
@@ -68,10 +67,9 @@ def test_super_admin(db, auth_manager):
email=f"superadmin_{unique_id}@example.com",
username=f"superadmin_{unique_id}",
hashed_password=hashed_password,
role="admin",
role="super_admin",
is_active=True,
is_email_verified=True,
is_super_admin=True,
)
db.add(admin)
db.commit()
@@ -88,10 +86,9 @@ def test_platform_admin(db, auth_manager):
email=f"platformadmin_{unique_id}@example.com",
username=f"platformadmin_{unique_id}",
hashed_password=hashed_password,
role="admin",
role="platform_admin",
is_active=True,
is_email_verified=True,
is_super_admin=False, # Platform admin, not super admin
)
db.add(admin)
db.commit()
@@ -132,10 +129,9 @@ def another_admin(db, auth_manager):
email=f"another_admin_{unique_id}@example.com",
username=f"another_admin_{unique_id}",
hashed_password=hashed_password,
role="admin",
role="super_admin",
is_active=True,
is_email_verified=True,
is_super_admin=True, # Full platform access
)
db.add(admin)
db.commit()
@@ -152,7 +148,7 @@ def other_user(db, auth_manager):
email=f"other_{unique_id}@example.com",
username=f"otheruser_{unique_id}",
hashed_password=hashed_password,
role="user",
role="store_member",
is_active=True,
is_email_verified=True,
)
@@ -194,7 +190,7 @@ def test_store_user(db, auth_manager):
email=f"store_{unique_id}@example.com",
username=f"storeuser_{unique_id}",
hashed_password=hashed_password,
role="store",
role="merchant_owner",
is_active=True,
is_email_verified=True,
)

5
tests/fixtures/store_fixtures.py vendored
View File

@@ -70,7 +70,7 @@ def test_store(db, test_merchant):
@pytest.fixture
def test_store_with_store_user(db, test_store_user):
"""Create a store owned by a store user (for testing store API endpoints)."""
from app.modules.tenancy.models import StoreUser, StoreUserType
from app.modules.tenancy.models import StoreUser
unique_id = str(uuid.uuid4())[:8].upper()
@@ -98,11 +98,10 @@ def test_store_with_store_user(db, test_store_user):
db.commit()
db.refresh(store)
# Create StoreUser association
# Create StoreUser association (ownership determined via Merchant.owner_user_id)
store_user = StoreUser(
store_id=store.id,
user_id=test_store_user.id,
user_type=StoreUserType.OWNER.value,
is_active=True,
)
db.add(store_user)