"""
|
|
Simplified 4-Tier Role-Based Access Control System
|
|
Clear hierarchy: Superadmin → Admin → Manager → Worker
|
|
Module-based permissions: Quality, Labels, Warehouse
|
|
"""
# APPLICATION MODULES
#
# The keys ('quality', 'labels', 'warehouse') are the module identifiers that
# appear in a user's module assignment and in PAGE_ACCESS[...]['modules'].
# Within this file only the keys are consulted (validate_user_modules and
# get_available_modules); the per-module 'scan_pages', 'management_pages'
# and 'worker_access' entries are descriptive and are not read by
# check_access, which enforces the worker/manager split through the
# per-page 'min_level' in PAGE_ACCESS instead.
MODULES = {
    'quality': {
        'name': 'Quality Control',
        'scan_pages': ['quality', 'fg_quality'],
        # 'quality_settings' has no PAGE_ACCESS entry, so check_access denies
        # it for every role; the name is documentation only here.
        'management_pages': ['quality_reports', 'quality_settings'],
        'worker_access': ['scan_only']  # Workers can only scan, no reports
    },
    'labels': {
        'name': 'Label Management',
        'scan_pages': ['label_scan'],
        'management_pages': ['label_creation', 'label_reports'],
        'worker_access': ['scan_only']
    },
    'warehouse': {
        'name': 'Warehouse Management',
        'scan_pages': ['move_orders'],
        # 'inventory_management' has no PAGE_ACCESS entry, so check_access
        # denies it for every role.
        'management_pages': ['create_locations', 'warehouse_reports', 'inventory_management'],
        'worker_access': ['move_orders_only']  # Workers can move orders but not create locations
    }
}
# 4-TIER ROLE STRUCTURE
#
# Fields actually read by the functions in this file:
#   'level'                      - compared against PAGE_ACCESS 'min_level'
#                                  in check_access
#   'access'['all_modules']      - True bypasses the module-assignment check
#                                  (check_access, validate_user_modules,
#                                  can_access_reports)
#   'access'['restricted_pages'] - explicit per-role page deny list
#                                  (check_access)
#   'description'                - get_role_description
# 'module_access' and 'can_cumulate' are informational only; nothing in this
# file reads them.
ROLES = {
    'superadmin': {
        'name': 'Super Administrator',
        'level': 100,
        'description': 'Full system access - complete control over all modules and system settings',
        'access': {
            'all_modules': True,
            'all_pages': True,
            'restricted_pages': []  # No restrictions
        }
    },
    'admin': {
        'name': 'Administrator',
        'level': 90,
        'description': 'Full app access except role permissions and extension download',
        'access': {
            'all_modules': True,
            'all_pages': True,
            # Both pages also carry min_level 100 in PAGE_ACCESS; listing them
            # here keeps the deny explicit even if that level is lowered.
            'restricted_pages': ['role_permissions', 'download_extension']
        }
    },
    'manager': {
        'name': 'Manager',
        'level': 70,
        'description': 'Complete module access - can manage one or more modules (quality/labels/warehouse)',
        'access': {
            'all_modules': False,  # Only assigned modules
            'module_access': 'full',  # Full access to assigned modules (not enforced in this file)
            'can_cumulate': True,  # Can have multiple modules
            # 'system_settings' is not a PAGE_ACCESS key, so check_access
            # already denies it for every role; the entry here has no effect.
            'restricted_pages': ['role_permissions', 'download_extension', 'system_settings']
        }
    },
    'worker': {
        'name': 'Worker',
        'level': 50,
        'description': 'Limited module access - can perform basic operations in assigned modules',
        'access': {
            'all_modules': False,  # Only assigned modules
            'module_access': 'limited',  # Limited access (scan pages only) - enforced via PAGE_ACCESS min_level
            'can_cumulate': True,  # Can have multiple modules
            # 'reports' is also denied by its min_level of 70 in PAGE_ACCESS;
            # the explicit entry is a redundant second layer.
            'restricted_pages': ['role_permissions', 'download_extension', 'system_settings', 'reports']
        }
    }
}
# PAGE ACCESS RULES
#
# One entry per page key. check_access denies any page missing from this
# table (default deny). Per entry:
#   'min_level' - the requesting role's ROLES[...]['level'] must be >= this
#   'modules'   - [] marks a system page (level check only); a non-empty
#                 list means superadmin/admin ('all_modules') pass and any
#                 other role must have at least one listed module assigned
PAGE_ACCESS = {
    # System pages accessible by role level
    'dashboard': {'min_level': 50, 'modules': []},
    'settings': {'min_level': 90, 'modules': []},  # Admin+ only
    'role_permissions': {'min_level': 100, 'modules': []},  # Superadmin only
    'download_extension': {'min_level': 100, 'modules': []},  # Superadmin only

    # Quality module pages
    'quality': {'min_level': 50, 'modules': ['quality']},
    'fg_quality': {'min_level': 50, 'modules': ['quality']},
    'quality_reports': {'min_level': 70, 'modules': ['quality']},  # Manager+ only
    'reports': {'min_level': 70, 'modules': ['quality']},  # Manager+ only for quality reports

    # Warehouse module pages
    # ('warehouse' is a landing page key; it is not listed in MODULES pages)
    'warehouse': {'min_level': 50, 'modules': ['warehouse']},
    'move_orders': {'min_level': 50, 'modules': ['warehouse']},
    'create_locations': {'min_level': 70, 'modules': ['warehouse']},  # Manager+ only
    'warehouse_reports': {'min_level': 70, 'modules': ['warehouse']},  # Manager+ only

    # Labels module pages
    # ('labels' is a landing page key; it is not listed in MODULES pages)
    'labels': {'min_level': 50, 'modules': ['labels']},
    'label_scan': {'min_level': 50, 'modules': ['labels']},
    'label_creation': {'min_level': 70, 'modules': ['labels']},  # Manager+ only
    'label_reports': {'min_level': 70, 'modules': ['labels']}  # Manager+ only
}
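def check_access(user_role, user_modules, page):
    """
    Decide whether a user may open *page* under the 4-tier system.

    Every step is default-deny: an unknown role, an unknown page, an
    insufficient level, an explicit restriction, or a missing module
    assignment all yield False. Checks run in this order:

    1. the role must exist in ROLES;
    2. the page must exist in PAGE_ACCESS;
    3. the role's 'level' must reach the page's 'min_level';
    4. the page must not be in the role's 'restricted_pages';
    5. for pages with a non-empty 'modules' list, roles with
       'all_modules' pass, every other role needs at least one of the
       listed modules assigned.

    Module names in *user_modules* are not validated here; use
    validate_user_modules for that.

    Args:
        user_role (str): User's role key (superadmin, admin, manager, worker)
        user_modules (list): User's assigned module keys, e.g.
            ['quality', 'warehouse']. None is treated as no modules.
        page (str): Page key being accessed (a PAGE_ACCESS key)

    Returns:
        bool: True if access granted, False otherwise
    """
    if user_role not in ROLES:
        return False

    # Unknown pages are denied rather than defaulting to open.
    if page not in PAGE_ACCESS:
        return False

    role_config = ROLES[user_role]
    page_config = PAGE_ACCESS[page]

    # Minimum level requirement
    if role_config['level'] < page_config['min_level']:
        return False

    # Explicit per-role deny list
    if page in role_config['access']['restricted_pages']:
        return False

    required_modules = page_config['modules']
    if not required_modules:
        # System page: level and restricted-page checks are sufficient.
        return True

    # Superadmin and admin are not limited to assigned modules.
    if role_config['access']['all_modules']:
        return True

    # A None (or otherwise falsy) assignment means no modules -> deny,
    # instead of raising TypeError from the membership test.
    assigned = user_modules or ()
    return any(module in assigned for module in required_modules)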
def get_user_accessible_pages(user_role, user_modules):
    """
    Collect every PAGE_ACCESS page that check_access grants to a user.

    Args:
        user_role (str): User's role key
        user_modules (list): User's assigned module keys

    Returns:
        list: Accessible page names, in PAGE_ACCESS definition order
    """
    return [
        page_name
        for page_name in PAGE_ACCESS
        if check_access(user_role, user_modules, page_name)
    ]
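def validate_user_modules(user_role, user_modules):
    """
    Validate that a user's module assignment is valid for their role.

    Roles with 'all_modules' (superadmin, admin) are accepted without
    looking at *user_modules*. Manager and worker must have at least one
    module, and every entry must be a MODULES key.

    Args:
        user_role (str): User's role key
        user_modules (list): User's assigned module keys

    Returns:
        tuple: (is_valid, error_message); error_message is "" when valid
    """
    if user_role not in ROLES:
        return False, "Invalid role"

    role_config = ROLES[user_role]

    # Superadmin and admin have access to all modules by default
    if role_config['access']['all_modules']:
        return True, ""

    # Manager and worker share the same rule; only the message differs.
    if user_role == 'manager':
        return _validate_assigned_modules(
            user_modules, "Managers must have at least one module assigned"
        )

    if user_role == 'worker':
        return _validate_assigned_modules(
            user_modules, "Workers must have at least one module assigned"
        )

    return True, ""


def _validate_assigned_modules(user_modules, empty_message):
    """
    Check a non-empty list of module keys against MODULES.

    Args:
        user_modules (list): Assigned module keys
        empty_message (str): Error returned when nothing is assigned

    Returns:
        tuple: (is_valid, error_message)
    """
    if not user_modules:
        return False, empty_message

    for module in user_modules:
        # Membership test on the dict itself; no per-call key list needed.
        if module not in MODULES:
            return False, f"Invalid module: {module}"

    return True, ""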
def get_role_description(role):
    """Return the human-readable description of *role*, or 'Unknown role'."""
    role_config = ROLES.get(role)
    if role_config is None:
        return 'Unknown role'
    return role_config.get('description', 'Unknown role')
def get_available_modules():
    """Return the module keys defined in MODULES, in definition order."""
    return [*MODULES]
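def can_access_reports(user_role, user_modules, module):
    """
    Check whether a user can access reports for a specific module.

    Decided per module, not per page: PAGE_ACCESS and 'restricted_pages'
    are not consulted here. Workers are always denied; roles with
    'all_modules' are always allowed; other roles need *module* in their
    assignment. Whether *module* is a MODULES key is not checked.

    Unknown roles are denied. (Previously an unknown role with *module*
    in its list was granted access because the membership test
    short-circuited before the role lookup.)

    Args:
        user_role (str): User's role key
        user_modules (list): User's assigned module keys; None is treated
            as no modules
        module (str): Module key whose reports are requested

    Returns:
        bool: True if reports are accessible, False otherwise
    """
    # Fail closed on unknown roles, consistent with check_access.
    if user_role not in ROLES:
        return False

    if user_role == 'worker':
        return False

    if ROLES[user_role]['access']['all_modules']:
        return True

    return module in (user_modules or ())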