feat: implement authorization with roles

2025-12-19 04:19:25 +00:00 · 2023-11-28 20:25:14 +01:00 · 2023-11-28 20:25:14 +01:00 · 7738316200
commit 7738316200
parent 0595bfdb3f
19 changed files with 596 additions and 170 deletions
--- a/apps/api/src/services/courses/activities/pdf.py
+++ b/apps/api/src/services/courses/activities/pdf.py
@ -1,4 +1,9 @@
+from typing import Literal
 from sqlmodel import Session, select
+from src.security.rbac.rbac import (
+    authorization_verify_based_on_roles_and_authorship,
+    authorization_verify_if_user_is_anon,
+)
 from src.db.chapters import Chapter
 from src.db.activities import (
    Activity,
@ -8,7 +13,7 @@ from src.db.activities import (
 )
 from src.db.chapter_activities import ChapterActivity
 from src.db.course_chapters import CourseChapter
-from src.db.users import PublicUser
+from src.db.users import AnonymousUser, PublicUser
 from src.services.courses.activities.uploads.pdfs import upload_pdf
 from fastapi import HTTPException, status, UploadFile, Request
 from uuid import uuid4
@ -19,10 +24,13 @@ async def create_documentpdf_activity(
    request: Request,
    name: str,
    chapter_id: str,
-    current_user: PublicUser,
+    current_user: PublicUser | AnonymousUser,
    db_session: Session,
    pdf_file: UploadFile | None = None,
 ):
+    # RBAC check
+    await rbac_check(request, "activity_x", current_user, "create", db_session)
+
    # get chapter_id
    statement = select(Chapter).where(Chapter.id == chapter_id)
    chapter = db_session.exec(statement).first()
@ -94,7 +102,7 @@ async def create_documentpdf_activity(
    # Add activity to chapter
    activity_chapter = ChapterActivity(
        chapter_id=(int(chapter_id)),
-        activity_id=activity.id is not None,
+        activity_id=activity.id,  # type: ignore
        course_id=coursechapter.course_id,
        org_id=coursechapter.org_id,
        creation_date=str(datetime.now()),
@ -113,3 +121,27 @@ async def create_documentpdf_activity(
    db_session.refresh(activity_chapter)

    return ActivityRead.from_orm(activity)
+
+
+## 🔒 RBAC Utils ##
+
+
+async def rbac_check(
+    request: Request,
+    course_id: str,
+    current_user: PublicUser | AnonymousUser,
+    action: Literal["create", "read", "update", "delete"],
+    db_session: Session,
+):
+    await authorization_verify_if_user_is_anon(current_user.id)
+
+    await authorization_verify_based_on_roles_and_authorship(
+        request,
+        current_user.id,
+        action,
+        course_id,
+        db_session,
+    )
+
+
+## 🔒 RBAC Utils ##