updated roles ant permissions

2025-09-12 22:14:51 +03:00
parent 4597595db4
commit 9d80252c14
15 changed files with 1875 additions and 113 deletions
--- a/py_app/app/permissions.py
+++ b/py_app/app/permissions.py
@@ -0,0 +1,344 @@
+"""
+Role-Based Access Control (RBAC) System
+Hierarchical permission structure: Pages → Sections → Actions
+"""
+
+# Permission Actions
+ACTIONS = {
+    'view': 'View/Read Access',
+    'create': 'Create/Add New',
+    'edit': 'Edit/Modify', 
+    'delete': 'Delete/Remove',
+    'upload': 'Upload Files',
+    'download': 'Download Files',
+    'export': 'Export Data',
+    'import': 'Import Data'
+}
+
+# Application Structure with Hierarchical Permissions
+APP_PERMISSIONS = {
+    'dashboard': {
+        'name': 'Dashboard',
+        'sections': {
+            'overview': {
+                'name': 'Overview Statistics',
+                'actions': ['view']
+            },
+            'recent_activity': {
+                'name': 'Recent Activity Feed', 
+                'actions': ['view']
+            },
+            'quick_actions': {
+                'name': 'Quick Action Buttons',
+                'actions': ['view']
+            }
+        }
+    },
+    'settings': {
+        'name': 'Settings & Administration',
+        'sections': {
+            'user_management': {
+                'name': 'User Management',
+                'actions': ['view', 'create', 'edit', 'delete']
+            },
+            'role_permissions': {
+                'name': 'Role & Permissions',
+                'actions': ['view', 'edit']
+            },
+            'external_database': {
+                'name': 'External Database Config',
+                'actions': ['view', 'edit']
+            },
+            'system_settings': {
+                'name': 'System Configuration',
+                'actions': ['view', 'edit']
+            }
+        }
+    },
+    'warehouse': {
+        'name': 'Warehouse Management',
+        'sections': {
+            'inventory': {
+                'name': 'Inventory Management',
+                'actions': ['view', 'create', 'edit', 'delete', 'export']
+            },
+            'stock_movements': {
+                'name': 'Stock Movements',
+                'actions': ['view', 'create', 'edit', 'delete']
+            },
+            'receiving': {
+                'name': 'Goods Receiving',
+                'actions': ['view', 'create', 'edit', 'upload']
+            },
+            'shipping': {
+                'name': 'Goods Shipping', 
+                'actions': ['view', 'create', 'edit', 'delete']
+            },
+            'locations': {
+                'name': 'Storage Locations',
+                'actions': ['view', 'create', 'edit', 'delete']
+            },
+            'reports': {
+                'name': 'Warehouse Reports',
+                'actions': ['view', 'export', 'download']
+            }
+        }
+    },
+    'quality': {
+        'name': 'Quality Control',
+        'sections': {
+            'inspections': {
+                'name': 'Quality Inspections',
+                'actions': ['view', 'create', 'edit', 'delete']
+            },
+            'test_results': {
+                'name': 'Test Results',
+                'actions': ['view', 'create', 'edit', 'upload']
+            },
+            'certificates': {
+                'name': 'Quality Certificates',
+                'actions': ['view', 'create', 'edit', 'delete', 'upload', 'download']
+            },
+            'compliance': {
+                'name': 'Compliance Management',
+                'actions': ['view', 'create', 'edit']
+            },
+            'quality_reports': {
+                'name': 'Quality Reports',
+                'actions': ['view', 'export', 'download']
+            }
+        }
+    },
+    'production': {
+        'name': 'Production Management',
+        'sections': {
+            'work_orders': {
+                'name': 'Work Orders',
+                'actions': ['view', 'create', 'edit', 'delete']
+            },
+            'production_lines': {
+                'name': 'Production Lines',
+                'actions': ['view', 'create', 'edit', 'delete']
+            },
+            'scheduling': {
+                'name': 'Production Scheduling',
+                'actions': ['view', 'create', 'edit', 'delete']
+            },
+            'equipment': {
+                'name': 'Equipment Management',
+                'actions': ['view', 'create', 'edit', 'delete']
+            },
+            'maintenance': {
+                'name': 'Maintenance Records',
+                'actions': ['view', 'create', 'edit', 'delete', 'upload']
+            }
+        }
+    },
+    'traceability': {
+        'name': 'Product Traceability',
+        'sections': {
+            'batch_tracking': {
+                'name': 'Batch Tracking',
+                'actions': ['view', 'create', 'edit']
+            },
+            'lot_genealogy': {
+                'name': 'Lot Genealogy',
+                'actions': ['view', 'export']
+            },
+            'recall_management': {
+                'name': 'Product Recall',
+                'actions': ['view', 'create', 'edit', 'delete']
+            },
+            'chain_of_custody': {
+                'name': 'Chain of Custody',
+                'actions': ['view', 'create', 'edit']
+            }
+        }
+    },
+    'reports': {
+        'name': 'Reports & Analytics',
+        'sections': {
+            'standard_reports': {
+                'name': 'Standard Reports',
+                'actions': ['view', 'export', 'download']
+            },
+            'custom_reports': {
+                'name': 'Custom Reports',
+                'actions': ['view', 'create', 'edit', 'delete', 'export']
+            },
+            'dashboards': {
+                'name': 'Analytics Dashboards',
+                'actions': ['view', 'create', 'edit', 'delete']
+            },
+            'data_export': {
+                'name': 'Data Export Tools',
+                'actions': ['view', 'export', 'download']
+            }
+        }
+    }
+}
+
+# Role Hierarchy and Default Permissions
+ROLE_HIERARCHY = {
+    'superadmin': {
+        'name': 'Super Administrator',
+        'description': 'Full system access - can manage all aspects including system configuration',
+        'level': 100,
+        'default_permissions': 'ALL'  # Gets all permissions by default
+    },
+    'admin': {
+        'name': 'Administrator',
+        'description': 'Administrative access - can manage users and most system functions',
+        'level': 90,
+        'default_sections': [
+            'dashboard',
+            'settings.user_management',
+            'settings.system_settings.view',
+            'warehouse',
+            'quality',
+            'production',
+            'reports',
+            'traceability'
+        ],
+        'restrictions': [
+            'settings.role_permissions.edit',  # Cannot modify role permissions
+            'settings.external_database.edit',  # Cannot modify external DB config
+        ]
+    },
+    'manager': {
+        'name': 'Manager',
+        'description': 'Management level access - can view and manage operational data',
+        'level': 70,
+        'default_sections': [
+            'dashboard',
+            'warehouse.inventory.view',
+            'warehouse.reports.view',
+            'quality.inspections.view',
+            'quality.quality_reports.view',
+            'production.work_orders',
+            'reports.standard_reports'
+        ]
+    },
+    'warehouse_manager': {
+        'name': 'Warehouse Manager',
+        'description': 'Full warehouse access with limited system access',
+        'level': 60,
+        'default_sections': [
+            'dashboard.overview.view',
+            'warehouse',  # Full warehouse access
+            'traceability.batch_tracking',
+            'reports.standard_reports.view'
+        ]
+    },
+    'warehouse_worker': {
+        'name': 'Warehouse Worker', 
+        'description': 'Limited warehouse operations access',
+        'level': 50,
+        'default_sections': [
+            'dashboard.overview.view',
+            'warehouse.inventory.view',
+            'warehouse.stock_movements',
+            'warehouse.receiving',
+            'warehouse.shipping.view'
+        ]
+    },
+    'quality_manager': {
+        'name': 'Quality Manager',
+        'description': 'Full quality control access',
+        'level': 60,
+        'default_sections': [
+            'dashboard.overview.view',
+            'quality',  # Full quality access
+            'traceability',
+            'reports.standard_reports.view'
+        ]
+    },
+    'quality_worker': {
+        'name': 'Quality Worker',
+        'description': 'Limited quality control operations',
+        'level': 50,
+        'default_sections': [
+            'dashboard.overview.view',
+            'quality.inspections',
+            'quality.test_results',
+            'quality.certificates.view'
+        ]
+    }
+}
+
+def get_permission_key(page, section, action):
+    """Generate a standardized permission key"""
+    return f"{page}.{section}.{action}"
+
+def parse_permission_key(permission_key):
+    """Parse a permission key into its components"""
+    parts = permission_key.split('.')
+    if len(parts) == 3:
+        return parts[0], parts[1], parts[2]
+    return None, None, None
+
+def get_all_permissions():
+    """Get a flat list of all possible permissions"""
+    permissions = []
+    for page_key, page_data in APP_PERMISSIONS.items():
+        for section_key, section_data in page_data['sections'].items():
+            for action in section_data['actions']:
+                permissions.append({
+                    'key': get_permission_key(page_key, section_key, action),
+                    'page': page_key,
+                    'page_name': page_data['name'],
+                    'section': section_key,
+                    'section_name': section_data['name'],
+                    'action': action,
+                    'action_name': ACTIONS.get(action, action)
+                })
+    return permissions
+
+def get_default_permissions_for_role(role):
+    """Get default permissions for a specific role"""
+    if role not in ROLE_HIERARCHY:
+        return []
+    
+    role_config = ROLE_HIERARCHY[role]
+    
+    # Superadmin gets everything
+    if role_config.get('default_permissions') == 'ALL':
+        return [p['key'] for p in get_all_permissions()]
+    
+    # Other roles get specific sections
+    permissions = []
+    default_sections = role_config.get('default_sections', [])
+    
+    for section_pattern in default_sections:
+        if section_pattern == 'dashboard':
+            # Full dashboard access
+            for section_key in APP_PERMISSIONS['dashboard']['sections'].keys():
+                for action in APP_PERMISSIONS['dashboard']['sections'][section_key]['actions']:
+                    permissions.append(get_permission_key('dashboard', section_key, action))
+        elif '.' in section_pattern:
+            # Specific page.section or page.section.action
+            parts = section_pattern.split('.')
+            if len(parts) == 2:  # page.section - all actions
+                page, section = parts
+                if page in APP_PERMISSIONS and section in APP_PERMISSIONS[page]['sections']:
+                    for action in APP_PERMISSIONS[page]['sections'][section]['actions']:
+                        permissions.append(get_permission_key(page, section, action))
+            elif len(parts) == 3:  # page.section.action - specific action
+                page, section, action = parts
+                if (page in APP_PERMISSIONS and 
+                    section in APP_PERMISSIONS[page]['sections'] and
+                    action in APP_PERMISSIONS[page]['sections'][section]['actions']):
+                    permissions.append(get_permission_key(page, section, action))
+        else:
+            # Full page access
+            page = section_pattern
+            if page in APP_PERMISSIONS:
+                for section_key, section_data in APP_PERMISSIONS[page]['sections'].items():
+                    for action in section_data['actions']:
+                        permissions.append(get_permission_key(page, section_key, action))
+    
+    # Remove any restricted permissions
+    restrictions = role_config.get('restrictions', [])
+    permissions = [p for p in permissions if p not in restrictions]
+    
+    return permissions