sboulahtit/orion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
03395a9dfafe5153aa122053c29da3f87bb5f728
orion/app/core/permissions.py
Samir Boulahtit 03395a9dfa refactor: implement module-driven permissions and relocate business logic 
File Relocations:
- Delete app/config/ folder (empty after menu_registry removal)
- Move feature_gate.py → app/modules/billing/dependencies/
- Move theme_presets.py → app/modules/cms/services/

Module-Driven Permissions System:
- Add PermissionDefinition dataclass to app/modules/base.py
- Create PermissionDiscoveryService in tenancy module
- Update module definitions to declare their own permissions:
  - core: dashboard.view, settings.*
  - catalog: products.*
  - orders: orders.*
  - inventory: stock.*
  - customers: customers.*
  - tenancy: team.*
- Update app/core/permissions.py to use discovery service
- Role presets (owner, manager, staff, etc.) now use module permissions

This follows the same pattern as module-driven menus:
- Each module defines its permissions in definition.py
- PermissionDiscoveryService aggregates all permissions at runtime
- Tenancy module handles role-to-permission assignment

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-01 21:42:13 +01:00

172 lines
5.4 KiB
Python
Raw Blame History

# app/core/permissions.py
"""
Permission constants and checking logic for RBAC.
NOTE: This module now uses the module-driven permission system.
Permissions are defined in each module's definition.py file and
discovered by PermissionDiscoveryService.
This file provides backward-compatible exports for existing code.
New code should use:
from app.modules.tenancy.services.permission_discovery_service import (
permission_discovery_service
)
"""
from enum import Enum
from app.modules.tenancy.services.permission_discovery_service import (
permission_discovery_service,
)
class VendorPermissions(str, Enum):
"""
All available permissions within a vendor context.
NOTE: This enum is maintained for backward compatibility.
Permissions are now defined in module definition.py files.
Naming convention: RESOURCE_ACTION
"""
# Dashboard (from core module)
DASHBOARD_VIEW = "dashboard.view"
# Products (from catalog module)
PRODUCTS_VIEW = "products.view"
PRODUCTS_CREATE = "products.create"
PRODUCTS_EDIT = "products.edit"
PRODUCTS_DELETE = "products.delete"
PRODUCTS_IMPORT = "products.import"
PRODUCTS_EXPORT = "products.export"
# Stock/Inventory (from inventory module)
STOCK_VIEW = "stock.view"
STOCK_EDIT = "stock.edit"
STOCK_TRANSFER = "stock.transfer"
# Orders (from orders module)
ORDERS_VIEW = "orders.view"
ORDERS_EDIT = "orders.edit"
ORDERS_CANCEL = "orders.cancel"
ORDERS_REFUND = "orders.refund"
# Customers (from customers module)
CUSTOMERS_VIEW = "customers.view"
CUSTOMERS_EDIT = "customers.edit"
CUSTOMERS_DELETE = "customers.delete"
CUSTOMERS_EXPORT = "customers.export"
# Marketing (from messaging module - to be added)
MARKETING_VIEW = "marketing.view"
MARKETING_CREATE = "marketing.create"
MARKETING_SEND = "marketing.send"
# Reports (from analytics module - to be added)
REPORTS_VIEW = "reports.view"
REPORTS_FINANCIAL = "reports.financial"
REPORTS_EXPORT = "reports.export"
# Settings (from core module)
SETTINGS_VIEW = "settings.view"
SETTINGS_EDIT = "settings.edit"
SETTINGS_THEME = "settings.theme"
SETTINGS_DOMAINS = "settings.domains"
# Team Management (from tenancy module)
TEAM_VIEW = "team.view"
TEAM_INVITE = "team.invite"
TEAM_EDIT = "team.edit"
TEAM_REMOVE = "team.remove"
# Marketplace Imports (from marketplace module - to be added)
IMPORTS_VIEW = "imports.view"
IMPORTS_CREATE = "imports.create"
IMPORTS_CANCEL = "imports.cancel"
class PermissionGroups:
"""
Pre-defined permission groups for common roles.
NOTE: These now delegate to permission_discovery_service for consistency.
"""
@property
def OWNER(self) -> set[str]:
"""Full access (for owners) - all permissions."""
return permission_discovery_service.get_preset_permissions("owner")
@property
def MANAGER(self) -> set[str]:
"""Manager - Can do most things except team management."""
return permission_discovery_service.get_preset_permissions("manager")
@property
def STAFF(self) -> set[str]:
"""Staff - Can view and edit products/orders but limited access."""
return permission_discovery_service.get_preset_permissions("staff")
@property
def SUPPORT(self) -> set[str]:
"""Support - Can view and assist with orders/customers."""
return permission_discovery_service.get_preset_permissions("support")
@property
def VIEWER(self) -> set[str]:
"""Viewer - Read-only access."""
return permission_discovery_service.get_preset_permissions("viewer")
@property
def MARKETING(self) -> set[str]:
"""Marketing - Focused on marketing and customer communication."""
return permission_discovery_service.get_preset_permissions("marketing")
# Singleton instance for backward compatibility
_permission_groups = PermissionGroups()
class PermissionChecker:
"""Utility class for permission checking."""
@staticmethod
def has_permission(permissions: list[str], required_permission: str) -> bool:
"""Check if a permission list contains a required permission."""
return required_permission in permissions
@staticmethod
def has_any_permission(
permissions: list[str], required_permissions: list[str]
) -> bool:
"""Check if a permission list contains ANY of the required permissions."""
return any(perm in permissions for perm in required_permissions)
@staticmethod
def has_all_permissions(
permissions: list[str], required_permissions: list[str]
) -> bool:
"""Check if a permission list contains ALL of the required permissions."""
return all(perm in permissions for perm in required_permissions)
@staticmethod
def get_missing_permissions(
permissions: list[str], required_permissions: list[str]
) -> list[str]:
"""Get list of missing permissions."""
return [perm for perm in required_permissions if perm not in permissions]
def get_preset_permissions(preset_name: str) -> set[str]:
"""
Get permissions for a preset role.
Args:
preset_name: Name of the preset (owner, manager, staff, support, viewer, marketing)
Returns:
Set of permission strings
"""
return permission_discovery_service.get_preset_permissions(preset_name)
Reference in New Issue View Git Blame Copy Permalink