feat: enhance project and scenario management with role-based access control
- Implemented role-based access control for project and scenario routes. - Added authorization checks to ensure users have appropriate roles for viewing and managing projects and scenarios. - Introduced utility functions for ensuring project and scenario access based on user roles. - Refactored project and scenario routes to utilize new authorization helpers. - Created initial data seeding script to set up default roles and an admin user. - Added tests for authorization helpers and initial data seeding functionality. - Updated exception handling to include authorization errors.
This commit is contained in:
@@ -6,8 +6,13 @@ from fastapi import APIRouter, Depends, Form, HTTPException, Request, status
|
||||
from fastapi.responses import HTMLResponse, RedirectResponse
|
||||
from fastapi.templating import Jinja2Templates
|
||||
|
||||
from dependencies import get_unit_of_work
|
||||
from models import MiningOperationType, Project, ScenarioStatus
|
||||
from dependencies import (
|
||||
get_unit_of_work,
|
||||
require_any_role,
|
||||
require_project_resource,
|
||||
require_roles,
|
||||
)
|
||||
from models import MiningOperationType, Project, ScenarioStatus, User
|
||||
from schemas.project import ProjectCreate, ProjectRead, ProjectUpdate
|
||||
from services.exceptions import EntityConflictError, EntityNotFoundError
|
||||
from services.unit_of_work import UnitOfWork
|
||||
@@ -15,11 +20,20 @@ from services.unit_of_work import UnitOfWork
|
||||
router = APIRouter(prefix="/projects", tags=["Projects"])
|
||||
templates = Jinja2Templates(directory="templates")
|
||||
|
||||
READ_ROLES = ("viewer", "analyst", "project_manager", "admin")
|
||||
MANAGE_ROLES = ("project_manager", "admin")
|
||||
|
||||
|
||||
def _to_read_model(project: Project) -> ProjectRead:
|
||||
return ProjectRead.model_validate(project)
|
||||
|
||||
|
||||
def _require_project_repo(uow: UnitOfWork):
|
||||
if not uow.projects:
|
||||
raise RuntimeError("Project repository not initialised")
|
||||
return uow.projects
|
||||
|
||||
|
||||
def _operation_type_choices() -> list[tuple[str, str]]:
|
||||
return [
|
||||
(op.value, op.name.replace("_", " ").title()) for op in MiningOperationType
|
||||
@@ -27,18 +41,23 @@ def _operation_type_choices() -> list[tuple[str, str]]:
|
||||
|
||||
|
||||
@router.get("", response_model=List[ProjectRead])
|
||||
def list_projects(uow: UnitOfWork = Depends(get_unit_of_work)) -> List[ProjectRead]:
|
||||
projects = uow.projects.list()
|
||||
def list_projects(
|
||||
_: User = Depends(require_any_role(*READ_ROLES)),
|
||||
uow: UnitOfWork = Depends(get_unit_of_work),
|
||||
) -> List[ProjectRead]:
|
||||
projects = _require_project_repo(uow).list()
|
||||
return [_to_read_model(project) for project in projects]
|
||||
|
||||
|
||||
@router.post("", response_model=ProjectRead, status_code=status.HTTP_201_CREATED)
|
||||
def create_project(
|
||||
payload: ProjectCreate, uow: UnitOfWork = Depends(get_unit_of_work)
|
||||
payload: ProjectCreate,
|
||||
_: User = Depends(require_roles(*MANAGE_ROLES)),
|
||||
uow: UnitOfWork = Depends(get_unit_of_work),
|
||||
) -> ProjectRead:
|
||||
project = Project(**payload.model_dump())
|
||||
try:
|
||||
created = uow.projects.create(project)
|
||||
created = _require_project_repo(uow).create(project)
|
||||
except EntityConflictError as exc:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_409_CONFLICT, detail=str(exc)
|
||||
@@ -53,9 +72,11 @@ def create_project(
|
||||
name="projects.project_list_page",
|
||||
)
|
||||
def project_list_page(
|
||||
request: Request, uow: UnitOfWork = Depends(get_unit_of_work)
|
||||
request: Request,
|
||||
_: User = Depends(require_any_role(*READ_ROLES)),
|
||||
uow: UnitOfWork = Depends(get_unit_of_work),
|
||||
) -> HTMLResponse:
|
||||
projects = uow.projects.list(with_children=True)
|
||||
projects = _require_project_repo(uow).list(with_children=True)
|
||||
for project in projects:
|
||||
setattr(project, "scenario_count", len(project.scenarios))
|
||||
return templates.TemplateResponse(
|
||||
@@ -73,7 +94,9 @@ def project_list_page(
|
||||
include_in_schema=False,
|
||||
name="projects.create_project_form",
|
||||
)
|
||||
def create_project_form(request: Request) -> HTMLResponse:
|
||||
def create_project_form(
|
||||
request: Request, _: User = Depends(require_roles(*MANAGE_ROLES))
|
||||
) -> HTMLResponse:
|
||||
return templates.TemplateResponse(
|
||||
request,
|
||||
"projects/form.html",
|
||||
@@ -93,6 +116,7 @@ def create_project_form(request: Request) -> HTMLResponse:
|
||||
)
|
||||
def create_project_submit(
|
||||
request: Request,
|
||||
_: User = Depends(require_roles(*MANAGE_ROLES)),
|
||||
name: str = Form(...),
|
||||
location: str | None = Form(None),
|
||||
operation_type: str = Form(...),
|
||||
@@ -128,7 +152,7 @@ def create_project_submit(
|
||||
description=_normalise(description),
|
||||
)
|
||||
try:
|
||||
uow.projects.create(project)
|
||||
_require_project_repo(uow).create(project)
|
||||
except EntityConflictError as exc:
|
||||
return templates.TemplateResponse(
|
||||
request,
|
||||
@@ -150,29 +174,18 @@ def create_project_submit(
|
||||
|
||||
|
||||
@router.get("/{project_id}", response_model=ProjectRead)
|
||||
def get_project(project_id: int, uow: UnitOfWork = Depends(get_unit_of_work)) -> ProjectRead:
|
||||
try:
|
||||
project = uow.projects.get(project_id)
|
||||
except EntityNotFoundError as exc:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_404_NOT_FOUND, detail=str(exc)
|
||||
) from exc
|
||||
def get_project(project: Project = Depends(require_project_resource())) -> ProjectRead:
|
||||
return _to_read_model(project)
|
||||
|
||||
|
||||
@router.put("/{project_id}", response_model=ProjectRead)
|
||||
def update_project(
|
||||
project_id: int,
|
||||
payload: ProjectUpdate,
|
||||
project: Project = Depends(
|
||||
require_project_resource(require_manage=True)
|
||||
),
|
||||
uow: UnitOfWork = Depends(get_unit_of_work),
|
||||
) -> ProjectRead:
|
||||
try:
|
||||
project = uow.projects.get(project_id)
|
||||
except EntityNotFoundError as exc:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_404_NOT_FOUND, detail=str(exc)
|
||||
) from exc
|
||||
|
||||
update_data = payload.model_dump(exclude_unset=True)
|
||||
for field, value in update_data.items():
|
||||
setattr(project, field, value)
|
||||
@@ -182,13 +195,11 @@ def update_project(
|
||||
|
||||
|
||||
@router.delete("/{project_id}", status_code=status.HTTP_204_NO_CONTENT)
|
||||
def delete_project(project_id: int, uow: UnitOfWork = Depends(get_unit_of_work)) -> None:
|
||||
try:
|
||||
uow.projects.delete(project_id)
|
||||
except EntityNotFoundError as exc:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_404_NOT_FOUND, detail=str(exc)
|
||||
) from exc
|
||||
def delete_project(
|
||||
project: Project = Depends(require_project_resource(require_manage=True)),
|
||||
uow: UnitOfWork = Depends(get_unit_of_work),
|
||||
) -> None:
|
||||
_require_project_repo(uow).delete(project.id)
|
||||
|
||||
|
||||
@router.get(
|
||||
@@ -198,14 +209,11 @@ def delete_project(project_id: int, uow: UnitOfWork = Depends(get_unit_of_work))
|
||||
name="projects.view_project",
|
||||
)
|
||||
def view_project(
|
||||
project_id: int, request: Request, uow: UnitOfWork = Depends(get_unit_of_work)
|
||||
request: Request,
|
||||
project: Project = Depends(require_project_resource()),
|
||||
uow: UnitOfWork = Depends(get_unit_of_work),
|
||||
) -> HTMLResponse:
|
||||
try:
|
||||
project = uow.projects.get(project_id, with_children=True)
|
||||
except EntityNotFoundError as exc:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_404_NOT_FOUND, detail=str(exc)
|
||||
) from exc
|
||||
project = _require_project_repo(uow).get(project.id, with_children=True)
|
||||
|
||||
scenarios = sorted(project.scenarios, key=lambda s: s.created_at)
|
||||
scenario_stats = {
|
||||
@@ -236,15 +244,11 @@ def view_project(
|
||||
name="projects.edit_project_form",
|
||||
)
|
||||
def edit_project_form(
|
||||
project_id: int, request: Request, uow: UnitOfWork = Depends(get_unit_of_work)
|
||||
request: Request,
|
||||
project: Project = Depends(
|
||||
require_project_resource(require_manage=True)
|
||||
),
|
||||
) -> HTMLResponse:
|
||||
try:
|
||||
project = uow.projects.get(project_id)
|
||||
except EntityNotFoundError as exc:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_404_NOT_FOUND, detail=str(exc)
|
||||
) from exc
|
||||
|
||||
return templates.TemplateResponse(
|
||||
request,
|
||||
"projects/form.html",
|
||||
@@ -252,10 +256,10 @@ def edit_project_form(
|
||||
"project": project,
|
||||
"operation_types": _operation_type_choices(),
|
||||
"form_action": request.url_for(
|
||||
"projects.edit_project_submit", project_id=project_id
|
||||
"projects.edit_project_submit", project_id=project.id
|
||||
),
|
||||
"cancel_url": request.url_for(
|
||||
"projects.view_project", project_id=project_id
|
||||
"projects.view_project", project_id=project.id
|
||||
),
|
||||
},
|
||||
)
|
||||
@@ -267,21 +271,16 @@ def edit_project_form(
|
||||
name="projects.edit_project_submit",
|
||||
)
|
||||
def edit_project_submit(
|
||||
project_id: int,
|
||||
request: Request,
|
||||
project: Project = Depends(
|
||||
require_project_resource(require_manage=True)
|
||||
),
|
||||
name: str = Form(...),
|
||||
location: str | None = Form(None),
|
||||
operation_type: str | None = Form(None),
|
||||
description: str | None = Form(None),
|
||||
uow: UnitOfWork = Depends(get_unit_of_work),
|
||||
):
|
||||
try:
|
||||
project = uow.projects.get(project_id)
|
||||
except EntityNotFoundError as exc:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_404_NOT_FOUND, detail=str(exc)
|
||||
) from exc
|
||||
|
||||
def _normalise(value: str | None) -> str | None:
|
||||
if value is None:
|
||||
return None
|
||||
@@ -301,10 +300,10 @@ def edit_project_submit(
|
||||
"project": project,
|
||||
"operation_types": _operation_type_choices(),
|
||||
"form_action": request.url_for(
|
||||
"projects.edit_project_submit", project_id=project_id
|
||||
"projects.edit_project_submit", project_id=project.id
|
||||
),
|
||||
"cancel_url": request.url_for(
|
||||
"projects.view_project", project_id=project_id
|
||||
"projects.view_project", project_id=project.id
|
||||
),
|
||||
"error": "Invalid operation type.",
|
||||
},
|
||||
@@ -315,6 +314,6 @@ def edit_project_submit(
|
||||
uow.flush()
|
||||
|
||||
return RedirectResponse(
|
||||
request.url_for("projects.view_project", project_id=project_id),
|
||||
request.url_for("projects.view_project", project_id=project.id),
|
||||
status_code=status.HTTP_303_SEE_OTHER,
|
||||
)
|
||||
|
||||
Reference in New Issue
Block a user