- Add SchemaVerifier class for automatic database schema verification and repair
- Implement warehouse_manager (Level 75) and warehouse_worker (Level 35) roles
- Add zone-based access control for warehouse workers
- Implement worker-manager binding system with zone filtering
- Add comprehensive database auto-repair on Docker initialization
- Remove Module Access section from user form (role-based access only)
- Add autocomplete attributes to password fields for better UX
- Include detailed documentation for warehouse implementation
- Update initialize_db.py with schema verification as Step 0
Worker-Manager Binding Model: Visual Guide
Hierarchical Structure
```text
┌────────────────────────────────────────────────────────────┐
│                     SUPERADMIN / ADMIN                     │
│            (Unrestricted access to everything)             │
│  - Can view all warehouse data                             │
│  - Can override all restrictions                           │
│  - Can manage all users and bindings                       │
└──────────────────────────────┬─────────────────────────────┘
                               │
               ┌───────────────┴───────────────┐
               │                               │
  ┌────────────▼───────────┐      ┌────────────▼───────────┐
  │ WAREHOUSE_MANAGER #1   │      │ WAREHOUSE_MANAGER #2   │
  │ - Full access to       │      │ - Full access to       │
  │   input pages          │      │   input pages          │
  │ - Full access to       │      │ - Full access to       │
  │   reports/analytics    │      │   reports/analytics    │
  │ - Can manage           │      │ - Can manage           │
  │   assigned workers     │      │   assigned workers     │
  └────────────┬───────────┘      └────────────┬───────────┘
               │                               │
      ┌────────┴────────┐                      │
      │                 │                      │
 ┌────▼────┐       ┌────▼────┐            ┌────▼────┐
 │ WORKER1 │       │ WORKER2 │            │ WORKER3 │
 │ (Mgr 1) │       │ (Mgr 1) │            │ (Mgr 2) │
 │         │       │         │            │         │
 │ Can:    │       │ Can:    │            │ Can:    │
 │ ✓ Input │       │ ✓ Input │            │ ✓ Input │
 │ ✗ Report│       │ ✗ Report│            │ ✗ Report│
 │ ✗ Manage│       │ ✗ Manage│            │ ✗ Manage│
 └─────────┘       └─────────┘            └─────────┘

 Unassigned workers (no binding row) are not attached to any
 manager and cannot access the warehouse module at all.
```
Data Access Patterns
SUPERADMIN/ADMIN View
```text
┌──────────────────────────────────────────────┐
│              ALL WAREHOUSE DATA              │
│  ├─ All workers' entries                     │
│  ├─ All managers' entries                    │
│  ├─ All reports                              │
│  └─ All analytics                            │
└──────────────────────────────────────────────┘
```
WAREHOUSE_MANAGER View
```text
┌──────────────────────────────────────────────┐
│         MANAGER'S ASSIGNED DATA ONLY         │
│  ├─ Manager's own entries                    │
│  ├─ Assigned Worker 1's entries              │
│  ├─ Assigned Worker 2's entries              │
│  ├─ Reports (aggregated from own + workers)  │
│  └─ Analytics (own + workers' data)          │
└──────────────────────────────────────────────┘
```
WAREHOUSE_WORKER View
```text
┌──────────────────────────────────────────────┐
│            WORKER'S OWN DATA ONLY            │
│  ├─ Own entries                              │
│  ├─ Own location assignments                 │
│  └─ Own submitted records                    │
│                                              │
│  ✗ Cannot see other workers' data            │
│  ✗ Cannot view any reports                   │
│  ✗ Cannot access analytics                   │
└──────────────────────────────────────────────┘
```
Role Hierarchy & Capabilities
Level 100: SUPERADMIN
├─ Can do EVERYTHING
├─ Can override all restrictions
└─ Can manage all users & roles
Level 90: ADMIN
├─ Can do EVERYTHING (in practice)
├─ Can override all restrictions
└─ Can manage all users & roles
Level 75: WAREHOUSE_MANAGER
├─ Can access warehouse INPUT pages
│ ├─ Set box locations
│ ├─ Manage inventory entries
│ └─ Create/edit warehouse data
├─ Can access warehouse REPORTS
│ ├─ View analytics
│ ├─ Export data
│ └─ Download reports
├─ Can manage assigned workers
│ ├─ Assign/unassign workers
│ ├─ Set zone restrictions
│ └─ View worker activity logs
└─ Can view assigned workers' data
Level 70: MANAGER (Quality)
├─ Can access QUALITY module only
├─ Can create/edit/delete inspections
├─ Can export quality reports
└─ Cannot access WAREHOUSE at all
Level 50: WORKER (Quality)
├─ Can access QUALITY module only
├─ Can create quality inspections
├─ Can view inspections
└─ Cannot export or access reports
Level 35: WAREHOUSE_WORKER
├─ Can access INPUT pages ONLY
│ ├─ Set box locations
│ ├─ Create entries
│ └─ Edit own entries
├─ Cannot view reports
├─ Cannot view analytics
├─ Cannot export data
└─ Can only see own submitted data
Database Schema Visualization
```text
┌──────────────────────────┐
│       USERS TABLE        │
├──────────────────────────┤
│ id                       │
│ username                 │
│ password_hash            │
│ full_name                │
│ email                    │
│ role                     │
│ is_active                │
│ created_at               │
└────────────┬─────────────┘
             │ users.role references the roles table;
             │ user_modules.user_id references users.id
         ┌───┴─────────────────────┐
         ▼                         ▼
┌────────────────────┐  ┌────────────────────┐
│    ROLES TABLE     │  │ USER_MODULES TABLE │
├────────────────────┤  ├────────────────────┤
│ id                 │  │ id                 │
│ name               │  │ user_id (FK)       │
│ description        │  │ module_name        │
│ level              │  │ created_at         │
│ created_at         │  └────────────────────┘
└────────┬───────────┘
         │ two new rows
         ├───────────────────┐
         ▼                   ▼
┌─────────────────┐ ┌─────────────────┐
│WAREHOUSE_MANAGER│ │WAREHOUSE_WORKER │
│    level: 75    │ │    level: 35    │
└────────┬────────┘ └────────┬────────┘
         │                   │
         └─────────┬─────────┘
                   │ users holding either role are
                   │ linked (FK → users.id) through
                   ▼
┌─────────────────────────────────────┐
│    WORKER_MANAGER_BINDINGS TABLE    │
├─────────────────────────────────────┤
│ id                                  │
│ manager_id      (FK → users.id)     │
│ worker_id       (FK → users.id)     │
│ warehouse_zone  (optional; NULL =   │
│                  all zones)         │
│ is_active       (TINYINT)           │
│ created_at                          │
│ updated_at                          │
└─────────────────────────────────────┘
```
Note that 75 and 35 are the roles' `level` values (the numbers used throughout this guide), not their `id` in the roles table.

One binding allows:
├─ Manager to oversee Worker
├─ Worker to input data
├─ Manager to view Worker's data
└─ Optional: restrict the worker to a specific zone
Example Bindings
Scenario 1: Single Manager, Multiple Workers
Manager: John Smith (ID=5, role=warehouse_manager)
Workers:
- Alice Johnson (ID=12, role=warehouse_worker)
- Bob Wilson (ID=13, role=warehouse_worker)
- Carol Davis (ID=14, role=warehouse_worker)
Bindings:
binding_1: manager_id=5, worker_id=12, zone=NULL (all zones)
binding_2: manager_id=5, worker_id=13, zone=NULL (all zones)
binding_3: manager_id=5, worker_id=14, zone=NULL (all zones)
Result:
✓ John can see data from Alice, Bob, and Carol
✓ John can generate reports using all their data
✓ Alice/Bob/Carol can only see their own data
✓ Alice/Bob/Carol cannot see reports
Scenario 2: Zone-Restricted Workers
Manager: Maria Garcia (ID=6, role=warehouse_manager)
Workers (restricted to zones):
- David Chen (ID=15, zone="Cold Storage")
- Eve Martinez (ID=16, zone="High Shelf")
Bindings:
binding_4: manager_id=6, worker_id=15, zone="Cold Storage"
binding_5: manager_id=6, worker_id=16, zone="High Shelf"
Result:
✓ David can only input in "Cold Storage"
✓ Eve can only input in "High Shelf"
✓ Maria can filter reports by zone
✓ Maria can see which worker handles which zone
Scenario 3: Unassigned Worker
Worker: Frank Thompson (ID=17, role=warehouse_worker)
No binding exists for Frank
Result:
✗ Frank cannot access warehouse module
✗ Frank's dashboard shows no warehouse option
✗ If Frank tries to access /warehouse/*:
- Gets redirected with "Access denied" message
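The three scenarios above, executed against the schema from the diagram, as an added example that is not the project's code. It builds an in-memory SQLite database with the roles, users and worker_manager_bindings tables plus a hypothetical warehouse_entries table (the page does not name the table that holds "entries"), assumes users.role references roles.name, and puts every isolation rule in the WHERE clause of the query rather than trimming a full result set afterwards. The function names visible_entry_ids and may_input_in_zone and the sample rows are constructed for this illustration.

```python
import sqlite3

# Constructed schema and sample data mirroring the diagram and Scenarios 1-3.
# warehouse_entries is a hypothetical stand-in for the page's "entries";
# users.role -> roles.name is an assumption (the page does not name the column).
SCHEMA = """
CREATE TABLE roles (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE, level INTEGER NOT NULL);
CREATE TABLE users (
    id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE,
    role TEXT NOT NULL REFERENCES roles(name), is_active INTEGER NOT NULL DEFAULT 1);
CREATE TABLE worker_manager_bindings (
    id INTEGER PRIMARY KEY,
    manager_id INTEGER NOT NULL REFERENCES users(id),
    worker_id  INTEGER NOT NULL REFERENCES users(id),
    warehouse_zone TEXT,                        -- NULL = all zones
    is_active INTEGER NOT NULL DEFAULT 1,       -- TINYINT in MySQL
    UNIQUE (manager_id, worker_id));
CREATE TABLE warehouse_entries (                -- hypothetical entries table
    id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL REFERENCES users(id),
    zone TEXT NOT NULL, description TEXT);
INSERT INTO roles (name, level) VALUES
    ('superadmin', 100), ('admin', 90), ('warehouse_manager', 75),
    ('manager', 70), ('worker', 50), ('warehouse_worker', 35);
INSERT INTO users (id, username, role) VALUES
    (1, 'root', 'superadmin'),
    (5, 'john', 'warehouse_manager'), (6, 'maria', 'warehouse_manager'),
    (12, 'alice', 'warehouse_worker'), (13, 'bob', 'warehouse_worker'),
    (14, 'carol', 'warehouse_worker'), (15, 'david', 'warehouse_worker'),
    (16, 'eve', 'warehouse_worker'), (17, 'frank', 'warehouse_worker');
INSERT INTO worker_manager_bindings (manager_id, worker_id, warehouse_zone) VALUES
    (5, 12, NULL), (5, 13, NULL), (5, 14, NULL),
    (6, 15, 'Cold Storage'), (6, 16, 'High Shelf');
INSERT INTO warehouse_entries (id, user_id, zone, description) VALUES
    (1, 5, 'Dock', 'john: receiving log'),   (2, 12, 'Dock', 'alice: box A1'),
    (3, 13, 'Dock', 'bob: box B2'),          (4, 14, 'Cold Storage', 'carol: box C3'),
    (5, 6, 'Cold Storage', 'maria: count'),  (6, 15, 'Cold Storage', 'david: pallet'),
    (7, 16, 'High Shelf', 'eve: pallet'),    (8, 17, 'Dock', 'frank: stray record');
"""


def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")   # enforce the FK constraints
    con.executescript(SCHEMA)
    return con


def role_of(con, user_id):
    row = con.execute(
        "SELECT role FROM users WHERE id = ? AND is_active = 1", (user_id,)
    ).fetchone()
    return row[0] if row else None


def visible_entry_ids(con, user_id):
    """Entries the caller may read; the restriction is in SQL, not post-filtered."""
    role = role_of(con, user_id)
    if role in ("superadmin", "admin"):
        sql, params = "SELECT id FROM warehouse_entries", ()
    elif role == "warehouse_manager":            # own rows + assigned workers' rows
        sql = """SELECT id FROM warehouse_entries
                 WHERE user_id = ?
                    OR user_id IN (SELECT worker_id FROM worker_manager_bindings
                                   WHERE manager_id = ? AND is_active = 1)"""
        params = (user_id, user_id)
    elif role == "warehouse_worker":             # own rows, and only if bound
        sql = """SELECT id FROM warehouse_entries
                 WHERE user_id = ?
                   AND EXISTS (SELECT 1 FROM worker_manager_bindings
                               WHERE worker_id = ? AND is_active = 1)"""
        params = (user_id, user_id)
    else:
        return []   # quality roles, unknown roles, inactive or missing users
    return sorted(row[0] for row in con.execute(sql, params))


def may_input_in_zone(con, user_id, zone):
    """Server-side zone check for an input request (never trust the form)."""
    role = role_of(con, user_id)
    if role in ("superadmin", "admin", "warehouse_manager"):
        return True
    if role != "warehouse_worker":
        return False
    row = con.execute(
        """SELECT 1 FROM worker_manager_bindings
           WHERE worker_id = ? AND is_active = 1
             AND (warehouse_zone IS NULL OR warehouse_zone = ?)""",
        (user_id, zone),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = open_db()
    for uid in (1, 5, 6, 12, 15, 17):
        print(uid, role_of(db, uid), visible_entry_ids(db, uid))
    print("david / Cold Storage:", may_input_in_zone(db, 15, "Cold Storage"))
    print("david / High Shelf:  ", may_input_in_zone(db, 15, "High Shelf"))
```

Flipping a binding's is_active to 0 immediately removes that worker's rows from the manager's view and cuts the worker off from input, which is the "deleted binding" edge case the Security Notes ask you to test.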
Access Control Decision Tree
```text
User Request → Is user logged in?
│
├─ NO  → Redirect to login
│
└─ YES → Get user role
         │
         ├─ Is role = 'superadmin'?
         │   ├─ YES → ALLOW (all access)
         │   └─ NO  → Continue
         │
         ├─ Is role = 'admin'?
         │   ├─ YES → ALLOW (all access)
         │   └─ NO  → Continue
         │
         ├─ Is user accessing a report page?
         │   ├─ YES → Is role = 'warehouse_manager'?
         │   │         ├─ YES → ALLOW (own + assigned workers' data)
         │   │         └─ NO  → DENY
         │   │
         │   └─ NO  → Is user accessing an input page?
         │             ├─ YES → Is role = 'warehouse_manager' OR 'warehouse_worker'?
         │             │         ├─ YES → If manager → ALLOW
         │             │         │        If worker  → Does an active binding exist?
         │             │         │                     ├─ YES → ALLOW (own data only,
         │             │         │                     │         zone-filtered if set)
         │             │         │                     └─ NO  → DENY (unassigned worker)
         │             │         └─ NO  → DENY
         │             │
         │             └─ NO  → Other page type → DENY (unknown page type)
         │
         └─ DENY (role not recognized for warehouse)
```
Role checks compare the role name, not the numeric level: the quality roles (level 50 and 70) sit above warehouse_worker (35) in the level order but must still be denied here.
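The decision tree as executable policy, as an added example that is not the project's access_control.py. warehouse_decision walks the tree and returns (allowed, reason); require_warehouse is a decorator factory in the spirit of the can_access_warehouse_reports() / can_access_warehouse_input() decorators named in the checklist. The binding lookup is injected as a callback (has_active_binding), backed here by a constructed set so the policy runs and can be tested without a database; the User class, the reason strings and the sample views are assumptions for this illustration.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Optional, Tuple

UNRESTRICTED = {"superadmin", "admin"}
REPORT_ROLES = {"warehouse_manager"}
INPUT_ROLES = {"warehouse_manager", "warehouse_worker"}


@dataclass(frozen=True)
class User:                      # hypothetical session user
    id: int
    role: str                    # role *name*; numeric levels are never compared here
    is_authenticated: bool = True


Decision = Tuple[bool, str]


def warehouse_decision(user: Optional[User], page_type: str,
                       has_active_binding: Callable[[int], bool]) -> Decision:
    """Walk the decision tree and return (allowed, reason).

    has_active_binding(user_id) is a hypothetical lookup the route layer
    would back with a query on worker_manager_bindings; injecting it keeps
    the policy testable in isolation.
    """
    if user is None or not user.is_authenticated:
        return False, "login_required"
    if user.role in UNRESTRICTED:
        return True, "unrestricted"
    if page_type == "report":
        if user.role in REPORT_ROLES:
            return True, "manager_report"
        return False, "report_denied"
    if page_type == "input":
        if user.role not in INPUT_ROLES:
            return False, "input_denied"          # quality roles land here
        if user.role == "warehouse_manager":
            return True, "manager_input"
        if has_active_binding(user.id):
            return True, "worker_input_own_data"
        return False, "worker_unassigned"         # Scenario 3
    return False, "unknown_page_type"


def require_warehouse(page_type: str, has_active_binding: Callable[[int], bool]):
    """Decorator factory: the wrapped view takes the user as its first argument.

    A denial short-circuits to ("DENY", reason) here; a web framework would
    redirect to login or flash "Access denied" instead.
    """
    def decorator(view):
        @wraps(view)
        def wrapper(user, *args, **kwargs):
            allowed, reason = warehouse_decision(user, page_type, has_active_binding)
            if not allowed:
                return ("DENY", reason)
            return view(user, *args, **kwargs)
        return wrapper
    return decorator


# Constructed binding state: workers 12-16 are bound, 17 (Frank) is not.
_BOUND_WORKERS = {12, 13, 14, 15, 16}


def sample_has_binding(user_id: int) -> bool:
    return user_id in _BOUND_WORKERS


@require_warehouse("report", sample_has_binding)
def report_view(user: User):
    return ("ALLOW", f"report page for {user.role}#{user.id}")


@require_warehouse("input", sample_has_binding)
def input_view(user: User):
    return ("ALLOW", f"input page for {user.role}#{user.id}")


if __name__ == "__main__":
    for u in (User(1, "superadmin"), User(5, "warehouse_manager"),
              User(12, "warehouse_worker"), User(17, "warehouse_worker"),
              User(20, "manager")):
        print(u.role, u.id, report_view(u), input_view(u))
```

Because the decision lives in one function, every warehouse route gets the same checks by decorating it, which is the "verify in EVERY route" rule from the Security Notes enforced structurally rather than by convention.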
Implementation Checklist
Database Changes
- Insert 2 new roles into `roles` table
- Create `worker_manager_bindings` table
- Verify foreign key constraints work
- Test data isolation queries
Backend Code
- Update `access_control.py` ROLES dictionary
- Update `access_control.py` MODULE_PERMISSIONS
- Create `can_access_warehouse_reports()` decorator
- Create `can_access_warehouse_input()` decorator
- Update warehouse route handlers with decorators
- Implement data filtering logic in queries
- Add binding validation logic
Frontend Code
- Update `user_form.html` with warehouse role options
- Create warehouse worker assignment page
- Add worker management UI in warehouse module
- Update dashboard to show warehouse module for eligible users
Testing
- Test superadmin access (full access)
- Test admin access (full access)
- Test warehouse_manager access (input + reports)
- Test warehouse_worker access (input only, blocked from reports)
- Test data isolation (worker A cannot see worker B's data)
- Test manager sees assigned workers' data only
- Test zone restriction filtering
- Test unassigned worker cannot access warehouse
Security Notes
⚠️ Critical Points
- Always verify user role in EVERY warehouse route
- Always include WHERE clauses to filter data by user/binding
- Never trust frontend filtering alone
- Log all access to reports for audit trail
- Validate zone restrictions server-side
- Regularly audit worker-manager bindings
⚠️ Data Isolation
- Workers MUST be completely isolated from each other
- Managers MUST only see assigned workers' data
- Database queries must reflect this isolation
- Test edge cases (deleted bindings, zone changes, etc.)
⚠️ Role Confusion Prevention
- Quality roles and warehouse roles are SEPARATE
- Explicitly assign each module
- Don't auto-grant cross-module access
- Always check module assignment + permission
- Compare role names, not numeric levels: a threshold such as level >= 35 would admit the quality roles (worker 50, manager 70) to the warehouse, which the hierarchy above forbids