""" Role-Based Access Control (RBAC) System Defines roles, permissions, and access control decorators """ from functools import wraps from flask import session, redirect, url_for, flash # Role Definitions ROLES = { 'superadmin': { 'name': 'Super Administrator', 'description': 'Full system access to all modules and features', 'level': 100, 'modules': ['quality', 'settings'] }, 'manager': { 'name': 'Manager', 'description': 'Full access to assigned modules and quality control', 'level': 70, 'modules': ['quality'] }, 'worker': { 'name': 'Worker', 'description': 'Limited access to view and create quality inspections', 'level': 50, 'modules': ['quality'] }, 'admin': { 'name': 'Administrator', 'description': 'Administrative access - can manage users and system configuration', 'level': 90, 'modules': ['quality', 'settings'] } } # Module Permissions Structure MODULE_PERMISSIONS = { 'quality': { 'name': 'Quality Control Module', 'sections': { 'inspections': { 'name': 'Quality Inspections', 'actions': { 'view': 'View inspections', 'create': 'Create new inspection', 'edit': 'Edit inspections', 'delete': 'Delete inspections' }, 'superadmin': ['view', 'create', 'edit', 'delete'], 'admin': ['view', 'create', 'edit', 'delete'], 'manager': ['view', 'create', 'edit', 'delete'], 'worker': ['view', 'create'] }, 'reports': { 'name': 'Quality Reports', 'actions': { 'view': 'View reports', 'export': 'Export reports', 'download': 'Download reports' }, 'superadmin': ['view', 'export', 'download'], 'admin': ['view', 'export', 'download'], 'manager': ['view', 'export', 'download'], 'worker': ['view'] } } }, 'settings': { 'name': 'Settings Module', 'sections': { 'general': { 'name': 'General Settings', 'actions': { 'view': 'View settings', 'edit': 'Edit settings' }, 'superadmin': ['view', 'edit'], 'admin': ['view', 'edit'], 'manager': [], 'worker': [] }, 'users': { 'name': 'User Management', 'actions': { 'view': 'View users', 'create': 'Create users', 'edit': 'Edit users', 'delete': 'Delete users' }, 'superadmin': ['view', 'create', 'edit', 'delete'], 'admin': ['view', 'create', 'edit', 'delete'], 'manager': [], 'worker': [] }, 'database': { 'name': 'Database Settings', 'actions': { 'view': 'View database settings', 'edit': 'Edit database settings' }, 'superadmin': ['view', 'edit'], 'admin': ['view', 'edit'], 'manager': [], 'worker': [] } } } } def check_permission(user_role, module, section, action): """ Check if a user has permission to perform an action Args: user_role (str): User's role module (str): Module name section (str): Section within module action (str): Action to perform Returns: bool: True if user has permission, False otherwise """ if not user_role or user_role not in ROLES: return False # Superadmin has all permissions if user_role == 'superadmin': return True # Check if module exists if module not in MODULE_PERMISSIONS: return False # Check if section exists if section not in MODULE_PERMISSIONS[module]['sections']: return False # Get allowed actions for this role in this section section_config = MODULE_PERMISSIONS[module]['sections'][section] allowed_actions = section_config.get(user_role, []) return action in allowed_actions def has_module_access(user_role, module): """ Check if user has access to a module Args: user_role (str): User's role module (str): Module name Returns: bool: True if user can access module, False otherwise """ if not user_role or user_role not in ROLES: return False if user_role == 'superadmin': return True return module in ROLES[user_role].get('modules', []) def requires_role(*allowed_roles): """ Decorator to require specific roles for a route Usage: @requires_role('superadmin', 'admin') def admin_page(): pass """ def decorator(f): @wraps(f) def decorated_function(*args, **kwargs): if 'user_id' not in session: flash('Please log in to access this page.', 'error') return redirect(url_for('main.login')) user_role = session.get('role', 'worker') if user_role not in allowed_roles: flash('Access denied: You do not have permission to access this page.', 'error') return redirect(url_for('main.dashboard')) return f(*args, **kwargs) return decorated_function return decorator def requires_module_permission(module, section, action): """ Decorator to require specific module/section/action permission Usage: @requires_module_permission('quality', 'inspections', 'edit') def edit_inspection(): pass """ def decorator(f): @wraps(f) def decorated_function(*args, **kwargs): if 'user_id' not in session: flash('Please log in to access this page.', 'error') return redirect(url_for('main.login')) user_role = session.get('role', 'worker') if not check_permission(user_role, module, section, action): flash('Access denied: You do not have permission to perform this action.', 'error') return redirect(url_for('main.dashboard')) return f(*args, **kwargs) return decorated_function return decorator def requires_module_access(module): """ Decorator to require access to a specific module Usage: @requires_module_access('quality') def quality_page(): pass """ def decorator(f): @wraps(f) def decorated_function(*args, **kwargs): if 'user_id' not in session: flash('Please log in to access this page.', 'error') return redirect(url_for('main.login')) user_role = session.get('role', 'worker') if not has_module_access(user_role, module): flash(f'Access denied: You do not have access to the {module} module.', 'error') return redirect(url_for('main.dashboard')) return f(*args, **kwargs) return decorated_function return decorator def get_user_permissions(user_role): """ Get all permissions for a user role Args: user_role (str): User's role Returns: dict: Dictionary of all permissions for the role """ permissions = {} if not user_role or user_role not in ROLES: return permissions # Superadmin gets all permissions if user_role == 'superadmin': for module, module_data in MODULE_PERMISSIONS.items(): permissions[module] = {} for section, section_data in module_data['sections'].items(): permissions[module][section] = list(section_data['actions'].keys()) return permissions # Get specific role permissions for module, module_data in MODULE_PERMISSIONS.items(): if module in ROLES[user_role].get('modules', []): permissions[module] = {} for section, section_data in module_data['sections'].items(): allowed_actions = section_data.get(user_role, []) if allowed_actions: permissions[module][section] = allowed_actions return permissions