comiaunicaty/backend/app/services/permissions.py


from fastapi import HTTPException, status
from app.models import Member
# Numeric rank for each role name; a higher rank satisfies every lower one.
# Ranks are spaced by ten, which leaves room between existing tiers.
ROLE_ORDER = {
    "guest": 0,
    "member": 10,
    "moderator": 20,
    "admin": 30,
    "owner": 40,
}
def has_role(member: Member | None, min_role: str) -> bool:
    """Return True when *member* holds at least the rank of *min_role*.

    Both lookups fail closed: a role string missing from ROLE_ORDER ranks
    as -1 (below "guest"), and an unrecognised *min_role* demands rank 999,
    which no defined role reaches. A misspelled *min_role* therefore denies
    everyone rather than raising.

    Args:
        member: The acting member, or None when there is no membership.
        min_role: Name of the lowest role that should be accepted.

    Returns:
        False for a None member; otherwise the result of the rank comparison.
    """
    if member is None:
        return False

    actual_rank = ROLE_ORDER.get(member.role, -1)
    required_rank = ROLE_ORDER.get(min_role, 999)
    return actual_rank >= required_rank
def require_role(member: Member | None, min_role: str = "admin") -> None:
    """Raise an HTTP 403 unless *member* holds at least *min_role*.

    Args:
        member: The acting member, or None when there is no membership.
        min_role: Lowest accepted role name; defaults to "admin".

    Raises:
        HTTPException: status 403 with a generic "permission_denied" body.
            The body names neither the role that was required nor the
            member's current role.
    """
    if has_role(member, min_role):
        return

    denial = {"error": {"code": "permission_denied", "message": "You do not have permission to do that.", "details": {}}}
    raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=denial)
def can(member: Member | None, action: str, resource: object | None = None) -> bool:
    """Return True when *member*'s role permits the named *action*.

    The decision is role-only and default-deny: a None member and any action
    name not listed below both yield False.

    NOTE(review): *resource* is accepted but never read here, so this
    function performs no object-level check (ownership, group scoping).
    Presumably callers enforce that separately; confirm before relying on
    can() as the sole authorization gate for a specific object.

    Args:
        member: The acting member, or None when there is no membership.
        action: Action identifier, e.g. "vote" or "manage_members".
        resource: Currently unused.

    Returns:
        Whether the member's role meets the minimum tier for the action.
    """
    if member is None:
        return False

    member_actions = {"rsvp", "vote", "comment", "upload_file", "view_group"}
    moderator_actions = {"create_official_announcement", "create_event", "create_task"}
    admin_actions = {"create_invite", "view_migration", "manage_members", "create_connection_token"}

    if action in member_actions:
        # Same comparison has_role makes, but indexing ROLE_ORDER directly
        # for the required rank.
        current_rank = ROLE_ORDER.get(member.role, -1)
        return current_rank >= ROLE_ORDER["member"]
    if action in moderator_actions:
        return has_role(member, "moderator")
    if action in admin_actions:
        return has_role(member, "admin")

    # Unknown action names are denied rather than allowed.
    return False