Initial commit: Quality App v2 - FG Scan Module with Reports

2026-01-25 22:25:18 +02:00
commit 3c5a273a89
66 changed files with 15368 additions and 0 deletions
--- a/app/access_control.py
+++ b/app/access_control.py
@@ -0,0 +1,279 @@
+"""
+Role-Based Access Control (RBAC) System
+Defines roles, permissions, and access control decorators
+"""
+from functools import wraps
+from flask import session, redirect, url_for, flash
+
+# Role Definitions
+ROLES = {
+    'superadmin': {
+        'name': 'Super Administrator',
+        'description': 'Full system access to all modules and features',
+        'level': 100,
+        'modules': ['quality', 'settings']
+    },
+    'manager': {
+        'name': 'Manager',
+        'description': 'Full access to assigned modules and quality control',
+        'level': 70,
+        'modules': ['quality']
+    },
+    'worker': {
+        'name': 'Worker',
+        'description': 'Limited access to view and create quality inspections',
+        'level': 50,
+        'modules': ['quality']
+    },
+    'admin': {
+        'name': 'Administrator',
+        'description': 'Administrative access - can manage users and system configuration',
+        'level': 90,
+        'modules': ['quality', 'settings']
+    }
+}
+
+# Module Permissions Structure
+MODULE_PERMISSIONS = {
+    'quality': {
+        'name': 'Quality Control Module',
+        'sections': {
+            'inspections': {
+                'name': 'Quality Inspections',
+                'actions': {
+                    'view': 'View inspections',
+                    'create': 'Create new inspection',
+                    'edit': 'Edit inspections',
+                    'delete': 'Delete inspections'
+                },
+                'superadmin': ['view', 'create', 'edit', 'delete'],
+                'admin': ['view', 'create', 'edit', 'delete'],
+                'manager': ['view', 'create', 'edit', 'delete'],
+                'worker': ['view', 'create']
+            },
+            'reports': {
+                'name': 'Quality Reports',
+                'actions': {
+                    'view': 'View reports',
+                    'export': 'Export reports',
+                    'download': 'Download reports'
+                },
+                'superadmin': ['view', 'export', 'download'],
+                'admin': ['view', 'export', 'download'],
+                'manager': ['view', 'export', 'download'],
+                'worker': ['view']
+            }
+        }
+    },
+    'settings': {
+        'name': 'Settings Module',
+        'sections': {
+            'general': {
+                'name': 'General Settings',
+                'actions': {
+                    'view': 'View settings',
+                    'edit': 'Edit settings'
+                },
+                'superadmin': ['view', 'edit'],
+                'admin': ['view', 'edit'],
+                'manager': [],
+                'worker': []
+            },
+            'users': {
+                'name': 'User Management',
+                'actions': {
+                    'view': 'View users',
+                    'create': 'Create users',
+                    'edit': 'Edit users',
+                    'delete': 'Delete users'
+                },
+                'superadmin': ['view', 'create', 'edit', 'delete'],
+                'admin': ['view', 'create', 'edit', 'delete'],
+                'manager': [],
+                'worker': []
+            },
+            'database': {
+                'name': 'Database Settings',
+                'actions': {
+                    'view': 'View database settings',
+                    'edit': 'Edit database settings'
+                },
+                'superadmin': ['view', 'edit'],
+                'admin': ['view', 'edit'],
+                'manager': [],
+                'worker': []
+            }
+        }
+    }
+}
+
+
+def check_permission(user_role, module, section, action):
+    """
+    Check if a user has permission to perform an action
+    
+    Args:
+        user_role (str): User's role
+        module (str): Module name
+        section (str): Section within module
+        action (str): Action to perform
+    
+    Returns:
+        bool: True if user has permission, False otherwise
+    """
+    if not user_role or user_role not in ROLES:
+        return False
+    
+    # Superadmin has all permissions
+    if user_role == 'superadmin':
+        return True
+    
+    # Check if module exists
+    if module not in MODULE_PERMISSIONS:
+        return False
+    
+    # Check if section exists
+    if section not in MODULE_PERMISSIONS[module]['sections']:
+        return False
+    
+    # Get allowed actions for this role in this section
+    section_config = MODULE_PERMISSIONS[module]['sections'][section]
+    allowed_actions = section_config.get(user_role, [])
+    
+    return action in allowed_actions
+
+
+def has_module_access(user_role, module):
+    """
+    Check if user has access to a module
+    
+    Args:
+        user_role (str): User's role
+        module (str): Module name
+    
+    Returns:
+        bool: True if user can access module, False otherwise
+    """
+    if not user_role or user_role not in ROLES:
+        return False
+    
+    if user_role == 'superadmin':
+        return True
+    
+    return module in ROLES[user_role].get('modules', [])
+
+
+def requires_role(*allowed_roles):
+    """
+    Decorator to require specific roles for a route
+    
+    Usage:
+        @requires_role('superadmin', 'admin')
+        def admin_page():
+            pass
+    """
+    def decorator(f):
+        @wraps(f)
+        def decorated_function(*args, **kwargs):
+            if 'user_id' not in session:
+                flash('Please log in to access this page.', 'error')
+                return redirect(url_for('main.login'))
+            
+            user_role = session.get('role', 'worker')
+            
+            if user_role not in allowed_roles:
+                flash('Access denied: You do not have permission to access this page.', 'error')
+                return redirect(url_for('main.dashboard'))
+            
+            return f(*args, **kwargs)
+        return decorated_function
+    return decorator
+
+
+def requires_module_permission(module, section, action):
+    """
+    Decorator to require specific module/section/action permission
+    
+    Usage:
+        @requires_module_permission('quality', 'inspections', 'edit')
+        def edit_inspection():
+            pass
+    """
+    def decorator(f):
+        @wraps(f)
+        def decorated_function(*args, **kwargs):
+            if 'user_id' not in session:
+                flash('Please log in to access this page.', 'error')
+                return redirect(url_for('main.login'))
+            
+            user_role = session.get('role', 'worker')
+            
+            if not check_permission(user_role, module, section, action):
+                flash('Access denied: You do not have permission to perform this action.', 'error')
+                return redirect(url_for('main.dashboard'))
+            
+            return f(*args, **kwargs)
+        return decorated_function
+    return decorator
+
+
+def requires_module_access(module):
+    """
+    Decorator to require access to a specific module
+    
+    Usage:
+        @requires_module_access('quality')
+        def quality_page():
+            pass
+    """
+    def decorator(f):
+        @wraps(f)
+        def decorated_function(*args, **kwargs):
+            if 'user_id' not in session:
+                flash('Please log in to access this page.', 'error')
+                return redirect(url_for('main.login'))
+            
+            user_role = session.get('role', 'worker')
+            
+            if not has_module_access(user_role, module):
+                flash(f'Access denied: You do not have access to the {module} module.', 'error')
+                return redirect(url_for('main.dashboard'))
+            
+            return f(*args, **kwargs)
+        return decorated_function
+    return decorator
+
+
+def get_user_permissions(user_role):
+    """
+    Get all permissions for a user role
+    
+    Args:
+        user_role (str): User's role
+    
+    Returns:
+        dict: Dictionary of all permissions for the role
+    """
+    permissions = {}
+    
+    if not user_role or user_role not in ROLES:
+        return permissions
+    
+    # Superadmin gets all permissions
+    if user_role == 'superadmin':
+        for module, module_data in MODULE_PERMISSIONS.items():
+            permissions[module] = {}
+            for section, section_data in module_data['sections'].items():
+                permissions[module][section] = list(section_data['actions'].keys())
+        return permissions
+    
+    # Get specific role permissions
+    for module, module_data in MODULE_PERMISSIONS.items():
+        if module in ROLES[user_role].get('modules', []):
+            permissions[module] = {}
+            for section, section_data in module_data['sections'].items():
+                allowed_actions = section_data.get(user_role, [])
+                if allowed_actions:
+                    permissions[module][section] = allowed_actions
+    
+    return permissions