sboulahtit/orion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: RBAC Phase 1 — consolidate user roles into 4-value enum
Some checks failed
CI / ruff (push) Successful in 11s
Details
CI / validate (push) Has been cancelled
Details
CI / dependency-scanning (push) Has been cancelled
Details
CI / docs (push) Has been cancelled
Details
CI / deploy (push) Has been cancelled
Details
CI / pytest (push) Has been cancelled
Details

Browse Source 
Consolidate User.role (2-value: admin/store) + User.is_super_admin (boolean)
into a single 4-value UserRole enum: super_admin, platform_admin,
merchant_owner, store_member. Drop stale StoreUser.user_type column.
Fix role="user" bug in merchant creation.

Key changes:
- Expand UserRole enum from 2 to 4 values with computed properties
  (is_admin, is_super_admin, is_platform_admin, is_merchant_owner, is_store_user)
- Add Alembic migration (tenancy_003) for data migration + column drops
- Remove is_super_admin from JWT token payload
- Update all auth dependencies, services, routes, templates, JS, and tests
- Update all RBAC documentation

66 files changed, 1219 unit tests passing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Samir Boulahtit
2026-02-19 22:44:29 +01:00
parent ef21d47533
commit 1dcb0e6c33
67 changed files with 874 additions and 616 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
tests/unit/api/test_deps.py
View File

@@ -211,7 +211,7 @@ class TestValidateCustomerToken:
email=f"owner_{uid}@test.com",
username=f"owner_{uid}",
hashed_password="not_a_real_hash",
role="store",
role="merchant_owner",
is_active=True,
)
db.add(owner)
@@ -353,7 +353,7 @@ class TestGetCurrentAdminFromCookieOrHeader:
result = get_current_admin_from_cookie_or_header(request, creds, None, db)
assert result.id == test_admin.id
assert result.role == "admin"
assert result.is_admin is True
def test_valid_admin_via_cookie(self, db, auth_manager, test_admin):
"""Admin user with valid cookie token returns UserContext."""
@@ -394,7 +394,7 @@ class TestGetCurrentAdminApi:
result = get_current_admin_api(creds, db)
assert result.id == test_admin.id
assert result.role == "admin"
assert result.is_admin is True
def test_rejects_non_admin(self, db, auth_manager, test_store_user):
"""Non-admin user rejected with AdminRequiredException."""
@@ -474,7 +474,7 @@ class TestGetCurrentStoreFromCookieOrHeader:
result = get_current_store_from_cookie_or_header(request, creds, None, db)
assert result.id == test_store_user.id
assert result.role == "store"
assert result.is_store_user is True
def test_valid_store_user_via_cookie(self, db, auth_manager, test_store_user):
"""Store user with valid cookie token returns UserContext."""
@@ -626,7 +626,7 @@ def _create_merchant_owner(db, auth_manager):
email=f"merchant_{uid}@example.com",
username=f"merchant_{uid}",
hashed_password=auth_manager.hash_password("testpass123"),
role="store",
role="merchant_owner",
is_active=True,
is_email_verified=True,
)
@@ -786,7 +786,7 @@ class TestGetCurrentCustomerFromCookieOrHeader:
email=f"csowner_{uid}@test.com",
username=f"csowner_{uid}",
hashed_password="not_a_real_hash",
role="store",
role="merchant_owner",
is_active=True,
)
db.add(owner)
@@ -879,7 +879,7 @@ class TestGetCurrentCustomerApi:
email=f"caowner_{uid}@test.com",
username=f"caowner_{uid}",
hashed_password="not_a_real_hash",
role="store",
role="merchant_owner",
is_active=True,
)
db.add(owner)
@@ -962,7 +962,7 @@ class TestGetCurrentCustomerOptional:
email=f"coowner_{uid}@test.com",
username=f"coowner_{uid}",
hashed_password="not_a_real_hash",
role="store",
role="merchant_owner",
is_active=True,
)
db.add(owner)
@@ -1293,7 +1293,7 @@ class TestGetUserStore:
email=f"other_{uid2}@example.com",
username=f"other_{uid2}",
hashed_password=auth_manager.hash_password("testpass123"),
role="store",
role="merchant_owner",
is_active=True,
is_email_verified=True,
)