280 lines
8.6 KiB
Python
280 lines
8.6 KiB
Python
"""
|
|
Role-Based Access Control (RBAC) System
|
|
Defines roles, permissions, and access control decorators
|
|
"""
|
|
from functools import wraps
|
|
from flask import session, redirect, url_for, flash
|
|
|
|
# Role Definitions
|
|
ROLES = {
|
|
'superadmin': {
|
|
'name': 'Super Administrator',
|
|
'description': 'Full system access to all modules and features',
|
|
'level': 100,
|
|
'modules': ['quality', 'settings']
|
|
},
|
|
'manager': {
|
|
'name': 'Manager',
|
|
'description': 'Full access to assigned modules and quality control',
|
|
'level': 70,
|
|
'modules': ['quality']
|
|
},
|
|
'worker': {
|
|
'name': 'Worker',
|
|
'description': 'Limited access to view and create quality inspections',
|
|
'level': 50,
|
|
'modules': ['quality']
|
|
},
|
|
'admin': {
|
|
'name': 'Administrator',
|
|
'description': 'Administrative access - can manage users and system configuration',
|
|
'level': 90,
|
|
'modules': ['quality', 'settings']
|
|
}
|
|
}
|
|
|
|
# Module Permissions Structure
|
|
MODULE_PERMISSIONS = {
|
|
'quality': {
|
|
'name': 'Quality Control Module',
|
|
'sections': {
|
|
'inspections': {
|
|
'name': 'Quality Inspections',
|
|
'actions': {
|
|
'view': 'View inspections',
|
|
'create': 'Create new inspection',
|
|
'edit': 'Edit inspections',
|
|
'delete': 'Delete inspections'
|
|
},
|
|
'superadmin': ['view', 'create', 'edit', 'delete'],
|
|
'admin': ['view', 'create', 'edit', 'delete'],
|
|
'manager': ['view', 'create', 'edit', 'delete'],
|
|
'worker': ['view', 'create']
|
|
},
|
|
'reports': {
|
|
'name': 'Quality Reports',
|
|
'actions': {
|
|
'view': 'View reports',
|
|
'export': 'Export reports',
|
|
'download': 'Download reports'
|
|
},
|
|
'superadmin': ['view', 'export', 'download'],
|
|
'admin': ['view', 'export', 'download'],
|
|
'manager': ['view', 'export', 'download'],
|
|
'worker': ['view']
|
|
}
|
|
}
|
|
},
|
|
'settings': {
|
|
'name': 'Settings Module',
|
|
'sections': {
|
|
'general': {
|
|
'name': 'General Settings',
|
|
'actions': {
|
|
'view': 'View settings',
|
|
'edit': 'Edit settings'
|
|
},
|
|
'superadmin': ['view', 'edit'],
|
|
'admin': ['view', 'edit'],
|
|
'manager': [],
|
|
'worker': []
|
|
},
|
|
'users': {
|
|
'name': 'User Management',
|
|
'actions': {
|
|
'view': 'View users',
|
|
'create': 'Create users',
|
|
'edit': 'Edit users',
|
|
'delete': 'Delete users'
|
|
},
|
|
'superadmin': ['view', 'create', 'edit', 'delete'],
|
|
'admin': ['view', 'create', 'edit', 'delete'],
|
|
'manager': [],
|
|
'worker': []
|
|
},
|
|
'database': {
|
|
'name': 'Database Settings',
|
|
'actions': {
|
|
'view': 'View database settings',
|
|
'edit': 'Edit database settings'
|
|
},
|
|
'superadmin': ['view', 'edit'],
|
|
'admin': ['view', 'edit'],
|
|
'manager': [],
|
|
'worker': []
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
def check_permission(user_role, module, section, action):
|
|
"""
|
|
Check if a user has permission to perform an action
|
|
|
|
Args:
|
|
user_role (str): User's role
|
|
module (str): Module name
|
|
section (str): Section within module
|
|
action (str): Action to perform
|
|
|
|
Returns:
|
|
bool: True if user has permission, False otherwise
|
|
"""
|
|
if not user_role or user_role not in ROLES:
|
|
return False
|
|
|
|
# Superadmin has all permissions
|
|
if user_role == 'superadmin':
|
|
return True
|
|
|
|
# Check if module exists
|
|
if module not in MODULE_PERMISSIONS:
|
|
return False
|
|
|
|
# Check if section exists
|
|
if section not in MODULE_PERMISSIONS[module]['sections']:
|
|
return False
|
|
|
|
# Get allowed actions for this role in this section
|
|
section_config = MODULE_PERMISSIONS[module]['sections'][section]
|
|
allowed_actions = section_config.get(user_role, [])
|
|
|
|
return action in allowed_actions
|
|
|
|
|
|
def has_module_access(user_role, module):
|
|
"""
|
|
Check if user has access to a module
|
|
|
|
Args:
|
|
user_role (str): User's role
|
|
module (str): Module name
|
|
|
|
Returns:
|
|
bool: True if user can access module, False otherwise
|
|
"""
|
|
if not user_role or user_role not in ROLES:
|
|
return False
|
|
|
|
if user_role == 'superadmin':
|
|
return True
|
|
|
|
return module in ROLES[user_role].get('modules', [])
|
|
|
|
|
|
def requires_role(*allowed_roles):
|
|
"""
|
|
Decorator to require specific roles for a route
|
|
|
|
Usage:
|
|
@requires_role('superadmin', 'admin')
|
|
def admin_page():
|
|
pass
|
|
"""
|
|
def decorator(f):
|
|
@wraps(f)
|
|
def decorated_function(*args, **kwargs):
|
|
if 'user_id' not in session:
|
|
flash('Please log in to access this page.', 'error')
|
|
return redirect(url_for('main.login'))
|
|
|
|
user_role = session.get('role', 'worker')
|
|
|
|
if user_role not in allowed_roles:
|
|
flash('Access denied: You do not have permission to access this page.', 'error')
|
|
return redirect(url_for('main.dashboard'))
|
|
|
|
return f(*args, **kwargs)
|
|
return decorated_function
|
|
return decorator
|
|
|
|
|
|
def requires_module_permission(module, section, action):
|
|
"""
|
|
Decorator to require specific module/section/action permission
|
|
|
|
Usage:
|
|
@requires_module_permission('quality', 'inspections', 'edit')
|
|
def edit_inspection():
|
|
pass
|
|
"""
|
|
def decorator(f):
|
|
@wraps(f)
|
|
def decorated_function(*args, **kwargs):
|
|
if 'user_id' not in session:
|
|
flash('Please log in to access this page.', 'error')
|
|
return redirect(url_for('main.login'))
|
|
|
|
user_role = session.get('role', 'worker')
|
|
|
|
if not check_permission(user_role, module, section, action):
|
|
flash('Access denied: You do not have permission to perform this action.', 'error')
|
|
return redirect(url_for('main.dashboard'))
|
|
|
|
return f(*args, **kwargs)
|
|
return decorated_function
|
|
return decorator
|
|
|
|
|
|
def requires_module_access(module):
|
|
"""
|
|
Decorator to require access to a specific module
|
|
|
|
Usage:
|
|
@requires_module_access('quality')
|
|
def quality_page():
|
|
pass
|
|
"""
|
|
def decorator(f):
|
|
@wraps(f)
|
|
def decorated_function(*args, **kwargs):
|
|
if 'user_id' not in session:
|
|
flash('Please log in to access this page.', 'error')
|
|
return redirect(url_for('main.login'))
|
|
|
|
user_role = session.get('role', 'worker')
|
|
|
|
if not has_module_access(user_role, module):
|
|
flash(f'Access denied: You do not have access to the {module} module.', 'error')
|
|
return redirect(url_for('main.dashboard'))
|
|
|
|
return f(*args, **kwargs)
|
|
return decorated_function
|
|
return decorator
|
|
|
|
|
|
def get_user_permissions(user_role):
|
|
"""
|
|
Get all permissions for a user role
|
|
|
|
Args:
|
|
user_role (str): User's role
|
|
|
|
Returns:
|
|
dict: Dictionary of all permissions for the role
|
|
"""
|
|
permissions = {}
|
|
|
|
if not user_role or user_role not in ROLES:
|
|
return permissions
|
|
|
|
# Superadmin gets all permissions
|
|
if user_role == 'superadmin':
|
|
for module, module_data in MODULE_PERMISSIONS.items():
|
|
permissions[module] = {}
|
|
for section, section_data in module_data['sections'].items():
|
|
permissions[module][section] = list(section_data['actions'].keys())
|
|
return permissions
|
|
|
|
# Get specific role permissions
|
|
for module, module_data in MODULE_PERMISSIONS.items():
|
|
if module in ROLES[user_role].get('modules', []):
|
|
permissions[module] = {}
|
|
for section, section_data in module_data['sections'].items():
|
|
allowed_actions = section_data.get(user_role, [])
|
|
if allowed_actions:
|
|
permissions[module][section] = allowed_actions
|
|
|
|
return permissions
|