""" Role-Based Access Control (RBAC) System Hierarchical permission structure: Pages → Sections → Actions """ # Permission Actions ACTIONS = { 'view': 'View/Read Access', 'create': 'Create/Add New', 'edit': 'Edit/Modify', 'delete': 'Delete/Remove', 'upload': 'Upload Files', 'download': 'Download Files', 'export': 'Export Data', 'import': 'Import Data' } # Application Structure with Hierarchical Permissions APP_PERMISSIONS = { 'dashboard': { 'name': 'Dashboard', 'sections': { 'overview': { 'name': 'Overview Statistics', 'actions': ['view'] }, 'recent_activity': { 'name': 'Recent Activity Feed', 'actions': ['view'] }, 'quick_actions': { 'name': 'Quick Action Buttons', 'actions': ['view'] } } }, 'settings': { 'name': 'Settings & Administration', 'sections': { 'user_management': { 'name': 'User Management', 'actions': ['view', 'create', 'edit', 'delete'] }, 'role_permissions': { 'name': 'Role & Permissions', 'actions': ['view', 'edit'] }, 'external_database': { 'name': 'External Database Config', 'actions': ['view', 'edit'] }, 'system_settings': { 'name': 'System Configuration', 'actions': ['view', 'edit'] } } }, 'warehouse': { 'name': 'Warehouse Management', 'sections': { 'inventory': { 'name': 'Inventory Management', 'actions': ['view', 'create', 'edit', 'delete', 'export'] }, 'stock_movements': { 'name': 'Stock Movements', 'actions': ['view', 'create', 'edit', 'delete'] }, 'receiving': { 'name': 'Goods Receiving', 'actions': ['view', 'create', 'edit', 'upload'] }, 'shipping': { 'name': 'Goods Shipping', 'actions': ['view', 'create', 'edit', 'delete'] }, 'locations': { 'name': 'Storage Locations', 'actions': ['view', 'create', 'edit', 'delete'] }, 'reports': { 'name': 'Warehouse Reports', 'actions': ['view', 'export', 'download'] } } }, 'quality': { 'name': 'Quality Control', 'sections': { 'inspections': { 'name': 'Quality Inspections', 'actions': ['view', 'create', 'edit', 'delete'] }, 'test_results': { 'name': 'Test Results', 'actions': ['view', 'create', 'edit', 'upload'] }, 'certificates': { 'name': 'Quality Certificates', 'actions': ['view', 'create', 'edit', 'delete', 'upload', 'download'] }, 'compliance': { 'name': 'Compliance Management', 'actions': ['view', 'create', 'edit'] }, 'quality_reports': { 'name': 'Quality Reports', 'actions': ['view', 'export', 'download'] } } }, 'production': { 'name': 'Production Management', 'sections': { 'work_orders': { 'name': 'Work Orders', 'actions': ['view', 'create', 'edit', 'delete'] }, 'production_lines': { 'name': 'Production Lines', 'actions': ['view', 'create', 'edit', 'delete'] }, 'scheduling': { 'name': 'Production Scheduling', 'actions': ['view', 'create', 'edit', 'delete'] }, 'equipment': { 'name': 'Equipment Management', 'actions': ['view', 'create', 'edit', 'delete'] }, 'maintenance': { 'name': 'Maintenance Records', 'actions': ['view', 'create', 'edit', 'delete', 'upload'] } } }, 'traceability': { 'name': 'Product Traceability', 'sections': { 'batch_tracking': { 'name': 'Batch Tracking', 'actions': ['view', 'create', 'edit'] }, 'lot_genealogy': { 'name': 'Lot Genealogy', 'actions': ['view', 'export'] }, 'recall_management': { 'name': 'Product Recall', 'actions': ['view', 'create', 'edit', 'delete'] }, 'chain_of_custody': { 'name': 'Chain of Custody', 'actions': ['view', 'create', 'edit'] } } }, 'reports': { 'name': 'Reports & Analytics', 'sections': { 'standard_reports': { 'name': 'Standard Reports', 'actions': ['view', 'export', 'download'] }, 'custom_reports': { 'name': 'Custom Reports', 'actions': ['view', 'create', 'edit', 'delete', 'export'] }, 'dashboards': { 'name': 'Analytics Dashboards', 'actions': ['view', 'create', 'edit', 'delete'] }, 'data_export': { 'name': 'Data Export Tools', 'actions': ['view', 'export', 'download'] } } } } # Role Hierarchy and Default Permissions ROLE_HIERARCHY = { 'superadmin': { 'name': 'Super Administrator', 'description': 'Full system access - can manage all aspects including system configuration', 'level': 100, 'default_permissions': 'ALL' # Gets all permissions by default }, 'admin': { 'name': 'Administrator', 'description': 'Administrative access - can manage users and most system functions', 'level': 90, 'default_sections': [ 'dashboard', 'settings.user_management', 'settings.system_settings.view', 'warehouse', 'quality', 'production', 'reports', 'traceability' ], 'restrictions': [ 'settings.role_permissions.edit', # Cannot modify role permissions 'settings.external_database.edit', # Cannot modify external DB config ] }, 'manager': { 'name': 'Manager', 'description': 'Management level access - can view and manage operational data', 'level': 70, 'default_sections': [ 'dashboard', 'warehouse.inventory.view', 'warehouse.reports.view', 'quality.inspections.view', 'quality.quality_reports.view', 'production.work_orders', 'reports.standard_reports' ] }, 'warehouse_manager': { 'name': 'Warehouse Manager', 'description': 'Full warehouse access with limited system access', 'level': 60, 'default_sections': [ 'dashboard.overview.view', 'warehouse', # Full warehouse access 'traceability.batch_tracking', 'reports.standard_reports.view' ] }, 'warehouse_worker': { 'name': 'Warehouse Worker', 'description': 'Limited warehouse operations access', 'level': 50, 'default_sections': [ 'dashboard.overview.view', 'warehouse.inventory.view', 'warehouse.stock_movements', 'warehouse.receiving', 'warehouse.shipping.view' ] }, 'quality_manager': { 'name': 'Quality Manager', 'description': 'Full quality control access', 'level': 60, 'default_sections': [ 'dashboard.overview.view', 'quality', # Full quality access 'traceability', 'reports.standard_reports.view' ] }, 'quality_worker': { 'name': 'Quality Worker', 'description': 'Limited quality control operations', 'level': 50, 'default_sections': [ 'dashboard.overview.view', 'quality.inspections', 'quality.test_results', 'quality.certificates.view' ] } } def get_permission_key(page, section, action): """Generate a standardized permission key""" return f"{page}.{section}.{action}" def parse_permission_key(permission_key): """Parse a permission key into its components""" parts = permission_key.split('.') if len(parts) == 3: return parts[0], parts[1], parts[2] return None, None, None def get_all_permissions(): """Get a flat list of all possible permissions""" permissions = [] for page_key, page_data in APP_PERMISSIONS.items(): for section_key, section_data in page_data['sections'].items(): for action in section_data['actions']: permissions.append({ 'key': get_permission_key(page_key, section_key, action), 'page': page_key, 'page_name': page_data['name'], 'section': section_key, 'section_name': section_data['name'], 'action': action, 'action_name': ACTIONS.get(action, action) }) return permissions def get_default_permissions_for_role(role): """Get default permissions for a specific role""" if role not in ROLE_HIERARCHY: return [] role_config = ROLE_HIERARCHY[role] # Superadmin gets everything if role_config.get('default_permissions') == 'ALL': return [p['key'] for p in get_all_permissions()] # Other roles get specific sections permissions = [] default_sections = role_config.get('default_sections', []) for section_pattern in default_sections: if section_pattern == 'dashboard': # Full dashboard access for section_key in APP_PERMISSIONS['dashboard']['sections'].keys(): for action in APP_PERMISSIONS['dashboard']['sections'][section_key]['actions']: permissions.append(get_permission_key('dashboard', section_key, action)) elif '.' in section_pattern: # Specific page.section or page.section.action parts = section_pattern.split('.') if len(parts) == 2: # page.section - all actions page, section = parts if page in APP_PERMISSIONS and section in APP_PERMISSIONS[page]['sections']: for action in APP_PERMISSIONS[page]['sections'][section]['actions']: permissions.append(get_permission_key(page, section, action)) elif len(parts) == 3: # page.section.action - specific action page, section, action = parts if (page in APP_PERMISSIONS and section in APP_PERMISSIONS[page]['sections'] and action in APP_PERMISSIONS[page]['sections'][section]['actions']): permissions.append(get_permission_key(page, section, action)) else: # Full page access page = section_pattern if page in APP_PERMISSIONS: for section_key, section_data in APP_PERMISSIONS[page]['sections'].items(): for action in section_data['actions']: permissions.append(get_permission_key(page, section_key, action)) # Remove any restricted permissions restrictions = role_config.get('restrictions', []) permissions = [p for p in permissions if p not in restrictions] return permissions