""" Simplified 4-Tier Role-Based Access Control System Clear hierarchy: Superadmin → Admin → Manager → Worker Module-based permissions: Quality, Labels, Warehouse """ # APPLICATION MODULES MODULES = { 'quality': { 'name': 'Quality Control', 'scan_pages': ['quality', 'fg_quality'], 'management_pages': ['quality_reports', 'quality_settings'], 'worker_access': ['scan_only'] # Workers can only scan, no reports }, 'labels': { 'name': 'Label Management', 'scan_pages': ['label_scan'], 'management_pages': ['label_creation', 'label_reports'], 'worker_access': ['scan_only'] }, 'warehouse': { 'name': 'Warehouse Management', 'scan_pages': ['move_orders'], 'management_pages': ['create_locations', 'warehouse_reports', 'inventory_management'], 'worker_access': ['move_orders_only'] # Workers can move orders but not create locations }, 'daily_mirror': { 'name': 'Daily Mirror', 'scan_pages': [], # No scanning, purely reporting/analytics 'management_pages': ['daily_mirror_main', 'daily_mirror_report', 'daily_mirror_history', 'daily_mirror_analytics'], 'worker_access': ['view_only'], # Workers can view daily reports but cannot generate or export 'description': 'Business Intelligence and Production Reporting Module' } } # 4-TIER ROLE STRUCTURE ROLES = { 'superadmin': { 'name': 'Super Administrator', 'level': 100, 'description': 'Full system access - complete control over all modules and system settings', 'access': { 'all_modules': True, 'all_pages': True, 'restricted_pages': [] # No restrictions } }, 'admin': { 'name': 'Administrator', 'level': 90, 'description': 'Full app access except role permissions and extension download', 'access': { 'all_modules': True, 'all_pages': True, 'restricted_pages': ['role_permissions', 'download_extension'] } }, 'manager': { 'name': 'Manager', 'level': 70, 'description': 'Complete module access - can manage one or more modules (quality/labels/warehouse)', 'access': { 'all_modules': False, # Only assigned modules 'module_access': 'full', # Full access to assigned modules 'can_cumulate': True, # Can have multiple modules 'restricted_pages': ['role_permissions', 'download_extension', 'system_settings'] } }, 'worker': { 'name': 'Worker', 'level': 50, 'description': 'Limited module access - can perform basic operations in assigned modules', 'access': { 'all_modules': False, # Only assigned modules 'module_access': 'limited', # Limited access (scan pages only) 'can_cumulate': True, # Can have multiple modules 'restricted_pages': ['role_permissions', 'download_extension', 'system_settings', 'reports'] } } } # PAGE ACCESS RULES PAGE_ACCESS = { # System pages accessible by role level 'dashboard': {'min_level': 50, 'modules': []}, 'settings': {'min_level': 90, 'modules': []}, 'role_permissions': {'min_level': 100, 'modules': []}, # Superadmin only 'download_extension': {'min_level': 100, 'modules': []}, # Superadmin only # Quality module pages 'quality': {'min_level': 50, 'modules': ['quality']}, 'fg_quality': {'min_level': 50, 'modules': ['quality']}, 'quality_reports': {'min_level': 70, 'modules': ['quality']}, # Manager+ only 'reports': {'min_level': 70, 'modules': ['quality']}, # Manager+ only for quality reports # Warehouse module pages 'warehouse': {'min_level': 50, 'modules': ['warehouse']}, 'move_orders': {'min_level': 50, 'modules': ['warehouse']}, 'create_locations': {'min_level': 70, 'modules': ['warehouse']}, # Manager+ only 'warehouse_reports': {'min_level': 70, 'modules': ['warehouse']}, # Manager+ only # Labels module pages 'labels': {'min_level': 50, 'modules': ['labels']}, 'label_scan': {'min_level': 50, 'modules': ['labels']}, 'label_creation': {'min_level': 70, 'modules': ['labels']}, # Manager+ only 'label_reports': {'min_level': 70, 'modules': ['labels']}, # Manager+ only # Daily Mirror module pages 'daily_mirror_main': {'min_level': 70, 'modules': ['daily_mirror']}, # Manager+ only 'daily_mirror_report': {'min_level': 70, 'modules': ['daily_mirror']}, # Manager+ only 'daily_mirror_history': {'min_level': 70, 'modules': ['daily_mirror']}, # Manager+ only 'daily_mirror_analytics': {'min_level': 90, 'modules': ['daily_mirror']}, # Admin+ only for advanced analytics 'daily_mirror': {'min_level': 70, 'modules': ['daily_mirror']} # Legacy route support } def check_access(user_role, user_modules, page): """ Simple access check for the 4-tier system Args: user_role (str): User's role (superadmin, admin, manager, worker) user_modules (list): User's assigned modules ['quality', 'warehouse'] page (str): Page being accessed Returns: bool: True if access granted, False otherwise """ if user_role not in ROLES: return False user_level = ROLES[user_role]['level'] # Check if page exists in our access rules if page not in PAGE_ACCESS: return False page_config = PAGE_ACCESS[page] # Check minimum level requirement if user_level < page_config['min_level']: return False # Check restricted pages for this role if page in ROLES[user_role]['access']['restricted_pages']: return False # Check module requirements required_modules = page_config['modules'] if required_modules: # Page requires specific modules # Superadmin and admin have access to all modules by default if ROLES[user_role]['access']['all_modules']: return True # Other roles need to have the required module assigned if not any(module in user_modules for module in required_modules): return False return True def get_user_accessible_pages(user_role, user_modules): """ Get list of pages accessible to a user Args: user_role (str): User's role user_modules (list): User's assigned modules Returns: list: List of accessible page names """ accessible_pages = [] for page in PAGE_ACCESS.keys(): if check_access(user_role, user_modules, page): accessible_pages.append(page) return accessible_pages def validate_user_modules(user_role, user_modules): """ Validate that user's module assignment is valid for their role Args: user_role (str): User's role user_modules (list): User's assigned modules Returns: tuple: (is_valid, error_message) """ if user_role not in ROLES: return False, "Invalid role" role_config = ROLES[user_role] # Superadmin and admin have access to all modules by default if role_config['access']['all_modules']: return True, "" # Manager can have multiple modules if user_role == 'manager': if not user_modules: return False, "Managers must have at least one module assigned" valid_modules = list(MODULES.keys()) for module in user_modules: if module not in valid_modules: return False, f"Invalid module: {module}" return True, "" # Worker can have multiple modules now if user_role == 'worker': if not user_modules: return False, "Workers must have at least one module assigned" valid_modules = list(MODULES.keys()) for module in user_modules: if module not in valid_modules: return False, f"Invalid module: {module}" return True, "" return True, "" def get_role_description(role): """Get human-readable role description""" return ROLES.get(role, {}).get('description', 'Unknown role') def get_available_modules(): """Get list of available modules""" return list(MODULES.keys()) def can_access_reports(user_role, user_modules, module): """ Check if user can access reports for a specific module Worker level users cannot access reports """ if user_role == 'worker': return False if module in user_modules or ROLES[user_role]['access']['all_modules']: return True return False