o Ah.@shddlmZmZmZmZddlmZmZmZddl m Z ddl m Z ddl mZddlmZmZmZddlmZmZmZddlmZdd lmZmZeZejd d gd eefd dZdedeeee ffddZ!de dee"fddZ#dedee"fddZ$ejddgd eej%eefdej&fddZ'ej(ddgd eej%eefdej&fd d!Z)d"S)#) APIRouterDepends HTTPExceptionstatus)OptionalDictList)jsonable_encoder)ObjectId)database)Role RoleCreate RoleUpdate)create_role_serviceupdate_role_serviceget_role_service)get_current_userdetails) features_list default_rolesz /featuresFeatures)tagscs8|d}|dkr tS|dkrdtdiStddd)z Returns the list of features. - If current user has role 1 (Superadmin), return both SaaS and Platform features. - If current user has role 100 (Account admin), return only Platform features. rolesdplatformInsufficient permissions status_codedetail)getrr) current_user user_roler#4/var/www/html/moveengine/app/v1/routers/saas/rbac.py get_featuress   r%role_idreturncCsi}|dkrtd}|dkr!gd}|D] }|||d<q|S|dkrBhd}gd}|D]}|d|vr?|||d<q/|S|d krchd }gd}|D]}|d|vr`|||d<qP|S|d krhd }gd}|D]}|d|vr|||d<qq|S|d krd h}gd}|D]}|d|vr|||d<q|S|dkrmtd}|dkrgd}ddh}|D]}|d|vr|||d<q|S|dkrgd}ddh}|D]}|d|vr|||d<q|S|dkr|D]}|ddvrgd||d<qdg||d<q|S|dkr2ddh}|D]}|d|vr.gd||d<q|S|dkrRhd}|D]}|d|vrNgd||d<q=|S|dkrk|D]}|ddkridg||d<qY|StD]}|D] }dg||d<quqq|S)u Generate a permissions mapping for a given system role based on its name, using module IDs as keys. SaaS roles: - Superadmin: Full access (IDs 1-13, all actions). - Sales/Accounts: Access to modules [1,2,3,4,5,6,10,11,12] with actions: create, read, update. - Partner (and Tech Team): Limited access (only IDs [1,2,3,4,5,10,11,12]) with actions: create, read, update. Platform roles: - Admin: Full access to all modules (IDs 21–35). - Manager: All modules with actions: create, read, update, delete. - Finance: For Transactions (ID 32) and Invoices (ID 33), full access; read-only for other modules. - Customer: Only access to modules [22, 23] with actions: create, read, update. - Vendor: Limited access to modules [21, 24, 25, 26, 27] with actions: create, read, update. - Workforce: Only access to the Workforce module (ID 27, read-only). csaasr)createreadupdatedeleteid> rr/ )r*r+r,r0>rr/r0r1r2r4r5r6r1r2r5rref> !r+hi>grC)rcopyvalues)r& permissionsmodulesactionsfeature allowed_ids disabled_idscategoryr#r#r$generate_role_permissionssE ? 9 2 +  !      rNnamec|d}||ddS)zD Check if a system default role with the given name exists. rT)rOis_system_defaultfind_one)dbrOroles_collectionr#r#r$get_role_by_name~rVr.crP)zG Check if a system default role with the given role_id exists. rT)r&rQrR)rTr.rUr#r#r$get_role_by_idrWrXz/accessRBACrTcs||d}|dkr t}n|dkrdtdi}ntddd|d}|s)d |iSt||Id H}|s9td d d||d S)zn Returns the list of features (tailored to the user's role) and the role rights from the roles table. rrrrrrrr&rHNizRole not found)rHrole)r rrr)rTr!r"rHr&rZr#r#r$ get_accesss     r[z/defaultRolesc s|ddkrtddd|d}tD]-\}}|D]&}d|vr+|dd |d<|}||d <|j|d |d d |iddqqtddtD}|d}|jddid d|iiddg} tD]b} t|| dIdH} t | d} | r| d| d| | d| d| ddd} t d!i| }t | d||}| |qct | d| d| d| d| d| d| ddd}t||}| |qctd| ittid S)"a Create or update default system roles and insert the features list into the features collection. This endpoint performs the following: 1. Inserts/updates the features list (with descriptions) into a dedicated "features" collection. 2. Updates the features counter (using _id: "features_id") so new features have an appropriate ID. 3. Creates or updates default system roles with mapped permissions. Default system roles: - SaaS Roles (role_id 1-4): 1: Superadmin (full access, is_global_access=True, is_saas_only=True) 2: Sales/Accounts (access only to allowed modules, is_global_access=True, is_saas_only=True) 3: Partner (limited access, is_global_access=False, is_saas_only=True) 4: Tech Team (limited access, is_global_access=False, is_saas_only=True) - Platform Roles (role_id 100+): 100: Admin (full access, is_global_access=True) 101: Manager (read & update, is_global_access=True) 102: Finance (full on Transactions/Invoices, read-only otherwise, is_global_access=True) 103: Workforce (minimal; only Workforce module, is_global_access=False) 104: Customer (access only to Dashboard and Booking, read-only, is_global_access=True) 105: Vendor (limited access, is_global_access=False) These roles are marked with is_system_default=True so they are not modifiable. System roles do not use an account_id. rrrz.Not authorized to create default system roles.rfeatures descriptionrOz featurerMr.) features_idrMz$setT)upsertcss&|]}t|D]}|dVqqdS)r.N)r).0rMrJr#r#r$ s  z.create_default_system_roles..counters_idr_sequence_valuer&NrQis_global_access is_saas_onlyF)rOr^rGrQrfrg)r&rOr^rG account_idrQrfrg created_roles)custom_encoderr#)r rritemsrE update_onemaxrrXrNrrappendr rr r str)rTr!features_collectionrMr]rJ feature_docmax_feature_idcounters_collectionrjrole_defexistingrG update_datarole_update_model updated_role role_createnew_roler#r#r$create_default_system_rolessj        r|N)*fastapirrrrtypingrrrfastapi.encodersr bsonr app.dbr app.v1.models.saas.rolemodelr r rapp.v1.services.saas.rolesrrrapp.v1.dependencies.authrapp.v1.models.defaultrrrouterr r%intrprNdictrVrX get_mongo_dbMongoDBr[postr|r#r#r#r$s6    `