d09bf34e85
- Implement role normalization system to handle role name variants (superadmin, super_admin, administrator) - Add session persistence configuration (PERMANENT_SESSION_LIFETIME = 7 days) - Add modules JSON column to users database table schema - Update setup script with backward compatibility check for modules column - Fix user_management_simple route to properly fetch and display modules - Resolve modal aria-hidden accessibility warning by managing focus on close button - All changes deployed and tested successfully
112 lines
4.4 KiB
Python
112 lines
4.4 KiB
Python
"""
|
|
Simple access control decorators for the 4-tier system
|
|
"""
|
|
from functools import wraps
|
|
from flask import session, redirect, url_for, flash, request
|
|
from .permissions_simple import check_access, ROLES, normalize_role
|
|
|
|
def requires_role(min_role_level=None, required_modules=None, page=None):
|
|
"""
|
|
Simple role-based access decorator
|
|
|
|
Args:
|
|
min_role_level (int): Minimum role level required (50, 70, 90, 100)
|
|
required_modules (list): Required modules for access
|
|
page (str): Page name for automatic access checking
|
|
"""
|
|
def decorator(f):
|
|
@wraps(f)
|
|
def decorated_function(*args, **kwargs):
|
|
# Check if user is logged in
|
|
if 'user' not in session:
|
|
flash('Please log in to access this page.')
|
|
return redirect(url_for('main.login'))
|
|
|
|
user_role_raw = session.get('role')
|
|
user_role = normalize_role(user_role_raw)
|
|
user_modules = session.get('modules', [])
|
|
|
|
# Debug - write to a variable we can check
|
|
import json
|
|
debug_info = {
|
|
'user': session.get('user'),
|
|
'raw_role': user_role_raw,
|
|
'normalized_role': user_role,
|
|
'modules': user_modules,
|
|
'min_level_needed': min_role_level,
|
|
'requested_page': request.path
|
|
}
|
|
|
|
# If page is specified, use automatic access checking
|
|
if page:
|
|
if not check_access(user_role, user_modules, page):
|
|
flash('Access denied: You do not have permission to access this page.')
|
|
return redirect(url_for('main.dashboard'))
|
|
return f(*args, **kwargs)
|
|
|
|
# Manual role level checking
|
|
if min_role_level:
|
|
user_level = ROLES.get(user_role, {}).get('level', 0)
|
|
debug_info['user_level'] = user_level
|
|
debug_info['access_granted'] = user_level >= min_role_level
|
|
if user_level < min_role_level:
|
|
flash(f'Access denied: Insufficient privileges. (Your level: {user_level}, Required: {min_role_level})')
|
|
return redirect(url_for('main.dashboard'))
|
|
|
|
# Module requirement checking
|
|
if required_modules:
|
|
if user_role == 'superadmin':
|
|
# Superadmin has access to all modules
|
|
pass
|
|
else:
|
|
if not any(module in user_modules for module in required_modules):
|
|
flash('Access denied: You do not have access to this module.')
|
|
return redirect(url_for('main.dashboard'))
|
|
|
|
return f(*args, **kwargs)
|
|
return decorated_function
|
|
return decorator
|
|
|
|
def superadmin_only(f):
|
|
"""Decorator for superadmin-only pages"""
|
|
return requires_role(min_role_level=100)(f)
|
|
|
|
def admin_plus(f):
|
|
"""Decorator for admin and superadmin access"""
|
|
return requires_role(min_role_level=90)(f)
|
|
|
|
def manager_plus(f):
|
|
"""Decorator for manager, admin, and superadmin access"""
|
|
return requires_role(min_role_level=70)(f)
|
|
|
|
def requires_quality_module(f):
|
|
"""Decorator for quality module access"""
|
|
return requires_role(required_modules=['quality'])(f)
|
|
|
|
def requires_warehouse_module(f):
|
|
"""Decorator for warehouse module access"""
|
|
return requires_role(required_modules=['warehouse'])(f)
|
|
|
|
def requires_labels_module(f):
|
|
"""Decorator for labels module access"""
|
|
return requires_role(required_modules=['labels'])(f)
|
|
|
|
def requires_daily_mirror_module(f):
|
|
"""Decorator for daily mirror module access"""
|
|
return requires_role(required_modules=['daily_mirror'])(f)
|
|
|
|
def quality_manager_plus(f):
|
|
"""Decorator for quality module manager+ access"""
|
|
return requires_role(min_role_level=70, required_modules=['quality'])(f)
|
|
|
|
def warehouse_manager_plus(f):
|
|
"""Decorator for warehouse module manager+ access"""
|
|
return requires_role(min_role_level=70, required_modules=['warehouse'])(f)
|
|
|
|
def labels_manager_plus(f):
|
|
"""Decorator for labels module manager+ access"""
|
|
return requires_role(min_role_level=70, required_modules=['labels'])(f)
|
|
|
|
def daily_mirror_manager_plus(f):
|
|
"""Decorator for daily mirror module manager+ access"""
|
|
return requires_role(min_role_level=70, required_modules=['daily_mirror'])(f) |