Move access permissions to access module
This commit is contained in:
@@ -25,7 +25,11 @@ from govoplan_access.backend.security.sessions import (
|
||||
collect_user_groups,
|
||||
collect_user_scopes,
|
||||
)
|
||||
from govoplan_access.backend.semantic import collect_function_assignment_ids, collect_function_delegation_ids
|
||||
from govoplan_access.backend.semantic import (
|
||||
collect_external_function_roles,
|
||||
collect_function_assignment_ids,
|
||||
collect_function_delegation_ids,
|
||||
)
|
||||
from govoplan_access.backend.auth.dependencies import ApiPrincipal, has_scope
|
||||
from govoplan_access.backend.db.models import (
|
||||
Account,
|
||||
@@ -38,7 +42,8 @@ from govoplan_access.backend.db.models import (
|
||||
User,
|
||||
UserGroupMembership,
|
||||
)
|
||||
from govoplan_core.security.permissions import effective_permission_count
|
||||
from govoplan_core.core.idm import OrganizationFunctionAssignmentRef
|
||||
from govoplan_access.backend.permissions.catalog import effective_permission_count, expand_scopes
|
||||
|
||||
|
||||
def _http_admin_error(exc: Exception) -> HTTPException:
|
||||
@@ -132,12 +137,24 @@ def _group_summary(session: Session, group: Group, *, include_members: bool = Tr
|
||||
)
|
||||
|
||||
|
||||
def _user_item(session: Session, user: User, *, owner_ids: set[str] | None = None) -> UserAdminItem:
|
||||
def _user_item(
|
||||
session: Session,
|
||||
user: User,
|
||||
*,
|
||||
owner_ids: set[str] | None = None,
|
||||
idm_assignments: tuple[OrganizationFunctionAssignmentRef, ...] = (),
|
||||
) -> UserAdminItem:
|
||||
account = session.get(Account, user.account_id)
|
||||
if account is None:
|
||||
raise HTTPException(status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail="User account is missing")
|
||||
groups = collect_user_groups(session, user)
|
||||
roles = collect_direct_user_roles(session, user)
|
||||
external_roles = collect_external_function_roles(session, user, idm_assignments) if idm_assignments else []
|
||||
effective_scopes = set(collect_user_scopes(session, user, include_system=False))
|
||||
for role in external_roles:
|
||||
effective_scopes.update(role.permissions or [])
|
||||
function_assignment_ids = collect_function_assignment_ids(session, user)
|
||||
function_assignment_ids.extend(item.id for item in idm_assignments)
|
||||
effective_owner_ids = owner_ids if owner_ids is not None else tenant_owner_user_ids(session, user.tenant_id)
|
||||
return UserAdminItem(
|
||||
id=user.id,
|
||||
@@ -151,9 +168,9 @@ def _user_item(session: Session, user: User, *, owner_ids: set[str] | None = Non
|
||||
last_login_at=account.last_login_at,
|
||||
groups=[_group_summary(session, group, include_members=False) for group in groups],
|
||||
roles=[_role_summary(session, role) for role in roles],
|
||||
function_assignment_ids=collect_function_assignment_ids(session, user),
|
||||
function_assignment_ids=sorted(dict.fromkeys(function_assignment_ids)),
|
||||
function_delegation_ids=collect_function_delegation_ids(session, user),
|
||||
effective_scopes=collect_user_scopes(session, user, include_system=False),
|
||||
effective_scopes=expand_scopes(effective_scopes),
|
||||
is_owner=user.id in effective_owner_ids,
|
||||
is_last_active_owner=user.id in effective_owner_ids and len(effective_owner_ids) == 1,
|
||||
created_at=user.created_at,
|
||||
|
||||
Reference in New Issue
Block a user