feat: implement comprehensive RBAC checks for courses, chapters, collections, and activities, enhancing user rights management and security documentation

swve 2025-08-09 12:13:12 +02:00
parent 887046203e
commit 3ce019abec
22 changed files with 1788 additions and 598 deletions


@ -4,7 +4,7 @@ from src.db.payments.payments_courses import PaymentsCourse
from src.db.payments.payments_products import PaymentsProduct
from src.db.courses.courses import Course
from src.db.users import PublicUser, AnonymousUser
from src.services.courses.courses import rbac_check
from src.security.courses_security import courses_rbac_check
async def link_course_to_product(
request: Request,
@ -22,7 +22,7 @@ async def link_course_to_product(
raise HTTPException(status_code=404, detail="Course not found")
# RBAC check
await rbac_check(request, course.course_uuid, current_user, "update", db_session)
await courses_rbac_check(request, course.course_uuid, current_user, "update", db_session)
# Check if product exists
statement = select(PaymentsProduct).where(
@ -71,7 +71,7 @@ async def unlink_course_from_product(
raise HTTPException(status_code=404, detail="Course not found")
# RBAC check
await rbac_check(request, course.course_uuid, current_user, "update", db_session)
await courses_rbac_check(request, course.course_uuid, current_user, "update", db_session)
# Find and delete the payment course link
statement = select(PaymentsCourse).where(
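Review bot: Both call sites, in `link_course_to_product` and `unlink_course_from_product`, discard the result of `await courses_rbac_check(...)`, so the payment link and unlink are gated only if the new helper raises on denial. Because the import now points at a different module (`src.security.courses_security`), that contract should be confirmed there, including that an `AnonymousUser` (imported at the top of this file) is refused for the `"update"` action. Once confirmed, a comment above each call would make the reliance explicit, for example `# courses_rbac_check raises HTTPException if current_user lacks "update" on this course`. The check covers only the course; no authorization on the `PaymentsProduct` being linked is visible in these hunks, though it may sit in the parts of the functions outside them.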