feat: implement authorization with roles

apps/api/src/services/courses/activities/video.py

@@ -2,11 +2,20 @@ from typing import Literal
 
 from pydantic import BaseModel
 from sqlmodel import Session, select
+from src.security.rbac.rbac import (
+    authorization_verify_based_on_roles_and_authorship,
+    authorization_verify_if_user_is_anon,
+)
 from src.db.chapters import Chapter
-from src.db.activities import Activity, ActivityRead, ActivitySubTypeEnum, ActivityTypeEnum
+from src.db.activities import (
+    Activity,
+    ActivityRead,
+    ActivitySubTypeEnum,
+    ActivityTypeEnum,
+)
 from src.db.chapter_activities import ChapterActivity
 from src.db.course_chapters import CourseChapter
-from src.db.users import PublicUser
+from src.db.users import AnonymousUser, PublicUser
 from src.services.courses.activities.uploads.videos import upload_video
 from fastapi import HTTPException, status, UploadFile, Request
 from uuid import uuid4
@@ -21,6 +30,9 @@ async def create_video_activity(
     db_session: Session,
     video_file: UploadFile | None = None,
 ):
+    # RBAC check
+    await rbac_check(request, "activity_x", current_user, "create", db_session)
+
     # get chapter_id
     statement = select(Chapter).where(Chapter.id == chapter_id)
     chapter = db_session.exec(statement).first()
@@ -95,8 +107,8 @@ async def create_video_activity(
 
     # update chapter
     chapter_activity_object = ChapterActivity(
-        chapter_id=coursechapter.id is not None,
-        activity_id=activity.id is not None,
+        chapter_id=chapter.id,  # type: ignore
+        activity_id=activity.id,  # type: ignore
         course_id=coursechapter.course_id,
         org_id=coursechapter.org_id,
         creation_date=str(datetime.now()),
@@ -111,6 +123,7 @@ async def create_video_activity(
 
     return ActivityRead.from_orm(activity)
 
+
 class ExternalVideo(BaseModel):
     name: str
     uri: str
@@ -124,10 +137,13 @@ class ExternalVideoInDB(BaseModel):
 
 async def create_external_video_activity(
     request: Request,
-    current_user: PublicUser,
+    current_user: PublicUser | AnonymousUser,
     data: ExternalVideo,
     db_session: Session,
 ):
+    # RBAC check
+    await rbac_check(request, "activity_x", current_user, "create", db_session)
+
     # get chapter_id
     statement = select(Chapter).where(Chapter.id == data.chapter_id)
     chapter = db_session.exec(statement).first()
@@ -174,8 +190,8 @@ async def create_external_video_activity(
 
     # update chapter
     chapter_activity_object = ChapterActivity(
-        chapter_id=coursechapter.id is not None,
-        activity_id=activity.id is not None,
+        chapter_id=coursechapter.id,  # type: ignore
+        activity_id=activity.id,  # type: ignore
         creation_date=str(datetime.now()),
         update_date=str(datetime.now()),
         order=1,
@@ -186,3 +202,24 @@ async def create_external_video_activity(
     db_session.commit()
 
     return ActivityRead.from_orm(activity)
+
+
+async def rbac_check(
+    request: Request,
+    course_id: str,
+    current_user: PublicUser | AnonymousUser,
+    action: Literal["create", "read", "update", "delete"],
+    db_session: Session,
+):
+    await authorization_verify_if_user_is_anon(current_user.id)
+
+    await authorization_verify_based_on_roles_and_authorship(
+        request,
+        current_user.id,
+        action,
+        course_id,
+        db_session,
+    )
+
+
+## 🔒 RBAC Utils ##