feat: add multi-policies for roles

2025-12-19 04:19:25 +00:00 · 2023-03-14 20:16:04 +01:00 · 2023-03-14 20:16:04 +01:00 · 10eb94c0dd
commit 10eb94c0dd
parent be0c2ef262
4 changed files with 24 additions and 13 deletions
--- a/front/app/_orgs/[orgslug]/settings/layout.tsx
+++ b/front/app/_orgs/[orgslug]/settings/layout.tsx
@ -24,6 +24,11 @@ function SettingsLayout({ children, params }: { children: React.ReactNode, param
                            <li><Link href="/settings/account/profile">Profile</Link></li>
                            <li><Link href="/settings/account/passwords">Passwords</Link></li>
                        </ul>
                        <MenuTitle>Organization</MenuTitle>
                        <ul>
                            <li><Link href="/settings/organization/general">General</Link></li>
                            <li><Link href="/settings/organization/roles">Roles</Link></li>
                        </ul>
                    </LeftMenuWrapper>
                </LeftWrapper>
                <RightWrapper>
--- a/src/services/mocks/initial.py
+++ b/src/services/mocks/initial.py
@ -10,7 +10,7 @@ from src.services.courses.thumbnails import upload_thumbnail
 from src.services.users import PublicUser, User, UserInDB, UserWithPassword
 from src.services.orgs import OrganizationInDB, Organization, create_org
-from src.services.roles import Permission, Elements, create_role
+from src.services.roles import Permission, Elements, RolePolicy, create_role
 from src.services.users import create_user
 from src.services.courses.courses import Course, CourseInDB, create_course
 from src.services.roles import Role
@ -87,11 +87,14 @@ async def create_initial_data(request: Request):
    database_roles = request.app.db["roles"]
    await database_roles.delete_many({})
    roles = []
    admin_role = Role(
        name="admin",
        description="admin",
-        permissions=Permission(
+        policies=[RolePolicy(permissions=Permission(
            action_create=True,
            action_read=True,
            action_update=True,
@ -105,7 +108,7 @@ async def create_initial_data(request: Request):
            organizations=["*"],
            coursechapters=["*"],
            lectures=["*"],
-        ),
+        ))],
        linked_users=[admin_user.user_id],
    )
    roles.append(admin_role)
--- a/src/services/roles.py
+++ b/src/services/roles.py
@ -28,14 +28,16 @@ class Elements(BaseModel):
    lectures : List[str]
 class RolePolicy(BaseModel):
    permissions: Permission
    elements: Elements
 class Role(BaseModel):
    name: str
    description: str
-    permissions: Permission
+    policies: List[RolePolicy]
    elements: Elements
    linked_users: List[str]
 class RoleInDB(Role):
    role_id: str
    creationDate: str
--- a/src/services/security.py
+++ b/src/services/security.py
@ -46,14 +46,15 @@ async def verify_user_rights_with_roles(request: Request,action: str, user_id: s
        user_roles.append(role)
    for role in user_roles:
-        element = role["elements"][await check_element_type(element_id)]
+        for policy in role['policies']:
-        permission_state = role["permissions"][f'action_{action}']
+            element = policy["elements"][await check_element_type(element_id)]
            permission_state = policy["permissions"][f'action_{action}']
-        ##
+            ##
-        if ("*" in element or element_id in element) and (permission_state is True):
+            if ("*" in element or element_id in element) and (permission_state is True):
-            return True
+                return True
-        else:
+            else:
-            return False
+                return False
 async def check_element_type(element_id):