web/auth/rbac.py

from fastapi import Depends, HTTPException
from sqlalchemy.orm import Session
from starlette.requests import Request

from web.auth.session import get_current_user
from web.database import get_db
from web.models.rbac import Permission, UserRole, role_permissions
from web.models.user import User, UserRoleEnum


def require_role(*roles: str):
    def dep(request: Request, db: Session = Depends(get_db)) -> User:
        user = get_current_user(request, db)
        if user.role.value not in roles:
            raise HTTPException(status_code=403, detail="Недостаточно прав")
        return user
    return Depends(dep)


def require_permission(permission_name: str):
    def dep(request: Request, db: Session = Depends(get_db)) -> User:
        user = get_current_user(request, db)
        if user.role == UserRoleEnum.system:
            return user
        has = (
            db.query(Permission)
            .join(role_permissions, Permission.id == role_permissions.c.permission_id)
            .join(UserRole, UserRole.role_id == role_permissions.c.role_id)
            .filter(UserRole.user_id == user.id, Permission.name == permission_name)
            .first()
        )
        if not has:
            raise HTTPException(status_code=403, detail="Недостаточно прав")
        return user
    return Depends(dep)
feat: Evotor user lifecycle, RBAC, admin panel - Receive Evotor webhooks: POST /user/create, /user/verify, /user/token - Create users in pending status; match to existing users by email/phone - Send invite link via Celery notification task; user sets password at /invite - Abstract EmailProvider/SMSProvider with ConsoleEmailProvider default - Role-based access control: role enum on users + roles/permissions tables - Admin panel: /admin/users (list, filter, search, paginate), user detail card with activate/suspend/reset-password/send-invite/edit/delete actions - Admin roles management: /admin/roles with per-role permission assignment - Extend user profile card: role, status, Evotor ID, email confirmation badge - Auth routes: register, login, logout, confirm-email, forgot/reset password - Alembic migrations 0002 (full schema + new fields) and 0003 (RBAC + seeds) - Port Pico CSS + Bootstrap Icons UI from Node.js commit (854c912) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-28 12:01:25 +03:00			`from fastapi import Depends, HTTPException`
			`from sqlalchemy.orm import Session`
			`from starlette.requests import Request`

			`from web.auth.session import get_current_user`
			`from web.database import get_db`
			`from web.models.rbac import Permission, UserRole, role_permissions`
			`from web.models.user import User, UserRoleEnum`


			`def require_role(*roles: str):`
			`def dep(request: Request, db: Session = Depends(get_db)) -> User:`
			`user = get_current_user(request, db)`
			`if user.role.value not in roles:`
			`raise HTTPException(status_code=403, detail="Недостаточно прав")`
			`return user`
			`return Depends(dep)`


			`def require_permission(permission_name: str):`
			`def dep(request: Request, db: Session = Depends(get_db)) -> User:`
			`user = get_current_user(request, db)`
			`if user.role == UserRoleEnum.system:`
			`return user`
			`has = (`
			`db.query(Permission)`
			`.join(role_permissions, Permission.id == role_permissions.c.permission_id)`
			`.join(UserRole, UserRole.role_id == role_permissions.c.role_id)`
			`.filter(UserRole.user_id == user.id, Permission.name == permission_name)`
			`.first()`
			`)`
			`if not has:`
			`raise HTTPException(status_code=403, detail="Недостаточно прав")`
			`return user`
			`return Depends(dep)`