"""Role-rank permission helpers: rank lookup, a 403-raising guard, and an action check."""

from fastapi import HTTPException, status

from app.models import Member

# Rank of each known role name. Checks compare ranks, so a higher-ranked role
# passes every check that names a lower-ranked one.
ROLE_ORDER = {
    "guest": 0,
    "member": 10,
    "moderator": 20,
    "admin": 30,
    "owner": 40,
}

# Minimum role needed for each action that can() recognises. An action that is
# not listed here is denied.
_ACTION_MIN_ROLE = {
    "rsvp": "member",
    "vote": "member",
    "comment": "member",
    "upload_file": "member",
    "view_group": "member",
    "create_official_announcement": "moderator",
    "create_event": "moderator",
    "create_task": "moderator",
    "create_invite": "admin",
    "view_migration": "admin",
    "manage_members": "admin",
    "create_connection_token": "admin",
}


def has_role(member: Member | None, min_role: str) -> bool:
    """Return True when *member* holds *min_role* or a higher-ranked role.

    Every unexpected input is denied: a missing member returns False, a
    ``member.role`` absent from ROLE_ORDER ranks as -1 (below "guest"), and a
    *min_role* absent from ROLE_ORDER ranks as 999 (above "owner"). A
    misspelled *min_role* therefore denies everyone rather than raising.
    """
    if member is None:
        return False
    held_rank = ROLE_ORDER.get(member.role, -1)
    needed_rank = ROLE_ORDER.get(min_role, 999)
    return held_rank >= needed_rank


def require_role(member: Member | None, min_role: str = "admin") -> None:
    """Raise HTTP 403 unless *member* satisfies ``has_role(member, min_role)``.

    A missing member (None) gets the same 403 response as a member whose role
    is too low; this function never returns 401.

    Raises:
        HTTPException: status 403 with a ``permission_denied`` error body.
    """
    if has_role(member, min_role):
        return
    raise HTTPException(
        status_code=status.HTTP_403_FORBIDDEN,
        detail={
            "error": {
                "code": "permission_denied",
                "message": "You do not have permission to do that.",
                "details": {},
            }
        },
    )


def can(member: Member | None, action: str, resource: object | None = None) -> bool:
    """Return True when *member*'s role is high enough to perform *action*.

    The decision uses only the member's role and the action name. *resource*
    is accepted but never read, so no per-object check (ownership, membership
    of the resource's group) happens here.
    NOTE(review): confirm that callers do any object-level check themselves.

    A missing member and an unrecognised action are both denied.
    """
    if member is None:
        return False
    needed_role = _ACTION_MIN_ROLE.get(action)
    if needed_role is None:
        # Unknown action names are denied, never allowed by default.
        return False
    return has_role(member, needed_role)