from fastapi import HTTPException, status
from app.models import Member
# Group roles from least to most privileged. ROLE_ORDER ranks them so that
# "at least role X" checks reduce to an integer comparison.
_ROLE_NAMES = ("guest", "member", "moderator", "admin", "owner")

# Ranks are spaced 10 apart (guest=0 ... owner=40), leaving room to slot a
# new role between two existing ones without renumbering the rest.
ROLE_ORDER: dict[str, int] = {
    name: rank * 10 for rank, name in enumerate(_ROLE_NAMES)
}
def has_role(member: Member | None, min_role: str) -> bool:
    """Return True if *member* holds *min_role* or a higher-ranked role.

    The check fails closed on every unexpected input: a missing member, a
    ``member.role`` value absent from ROLE_ORDER (ranked below "guest"), or a
    ``min_role`` absent from ROLE_ORDER (ranked above every real role, so no
    member can satisfy it) all yield False.

    Args:
        member: The acting member, or None when unauthenticated.
        min_role: Name of the least-privileged role that is acceptable.
    """
    if member is None:
        return False
    # An unknown required role ranks above "owner"; an unknown held role ranks
    # below "guest" -- both sides err towards denial.
    required_rank = ROLE_ORDER.get(min_role, 999)
    held_rank = ROLE_ORDER.get(member.role, -1)
    return held_rank >= required_rank
def require_role(member: Member | None, min_role: str = "admin") -> None:
    """Abort the request with 403 unless *member* satisfies *min_role*.

    Thin guard around has_role() for use in request handlers: it returns
    None on success and raises on failure.

    Args:
        member: The acting member, or None when unauthenticated.
        min_role: Least-privileged acceptable role; defaults to "admin".

    Raises:
        HTTPException: 403 with a structured ``permission_denied`` body when
            the member is missing or insufficiently privileged.
            NOTE(review): an anonymous caller (member is None) also receives
            403 rather than 401 -- confirm that is the intended contract.
    """
    if has_role(member, min_role):
        return
    raise HTTPException(
        status_code=status.HTTP_403_FORBIDDEN,
        detail={"error": {"code": "permission_denied", "message": "You do not have permission to do that.", "details": {}}},
    )
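# Minimum role required for each role-gated action. Any action missing from
# this table is denied for everyone, so adding a capability means adding a row
# here rather than another branch in can().
_ACTION_MIN_ROLE: dict[str, str] = {
    # any member of the group
    "rsvp": "member",
    "vote": "member",
    "comment": "member",
    "upload_file": "member",
    "view_group": "member",
    # moderators and above
    "create_official_announcement": "moderator",
    "create_event": "moderator",
    "create_task": "moderator",
    # admins and above
    "create_invite": "admin",
    "view_migration": "admin",
    "manage_members": "admin",
    "create_connection_token": "admin",
}


def can(member: Member | None, action: str, resource: object | None = None) -> bool:
    """Return True if *member* is allowed to perform *action*.

    Authorization here is purely role-based: ``resource`` is accepted for
    interface compatibility but is never consulted, so this function performs
    no ownership or per-object checks -- callers that need those must enforce
    them separately. Fails closed: a missing member, an action not listed in
    _ACTION_MIN_ROLE, and a role not listed in ROLE_ORDER are all denied.

    Args:
        member: The acting member, or None when unauthenticated.
        action: Name of the capability being requested.
        resource: Unused; reserved for object-level checks.
    """
    if member is None:
        return False
    min_role = _ACTION_MIN_ROLE.get(action)
    if min_role is None:
        # Unknown action: deny rather than guess at a default privilege level.
        return False
    # Delegating to has_role() keeps the ranking rules in one place (the
    # previous inline "member" comparison duplicated them).
    return has_role(member, min_role)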