feat: Evotor user lifecycle, RBAC, admin panel

- Receive Evotor webhooks: POST /user/create, /user/verify, /user/token - Create users in pending status; match to existing users by email/phone - Send invite link via Celery notification task; user sets password at /invite - Abstract EmailProvider/SMSProvider with ConsoleEmailProvider default - Role-based access control: role enum on users + roles/permissions tables - Admin panel: /admin/users (list, filter, search, paginate), user detail card with activate/suspend/reset-password/send-invite/edit/delete actions - Admin roles management: /admin/roles with per-role permission assignment - Extend user profile card: role, status, Evotor ID, email confirmation badge - Auth routes: register, login, logout, confirm-email, forgot/reset password - Alembic migrations 0002 (full schema + new fields) and 0003 (RBAC + seeds) - Port Pico CSS + Bootstrap Icons UI from Node.js commit (854c912) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-28 12:01:25 +03:00
parent ba34adbbcf
commit 5ead89e0cf
44 changed files with 3101 additions and 3 deletions
--- a/web/auth/init.py
+++ b/web/auth/init.py
--- a/web/auth/password.py
+++ b/web/auth/password.py
@@ -0,0 +1,11 @@
+from passlib.context import CryptContext
+
+_ctx = CryptContext(schemes=["bcrypt"], deprecated="auto")
+
+
+def hash_password(plain: str) -> str:
+    return _ctx.hash(plain)
+
+
+def verify_password(plain: str, hashed: str) -> bool:
+    return _ctx.verify(plain, hashed)
--- a/web/auth/rbac.py
+++ b/web/auth/rbac.py
@@ -0,0 +1,35 @@
+from fastapi import Depends, HTTPException
+from sqlalchemy.orm import Session
+from starlette.requests import Request
+
+from web.auth.session import get_current_user
+from web.database import get_db
+from web.models.rbac import Permission, UserRole, role_permissions
+from web.models.user import User, UserRoleEnum
+
+
+def require_role(*roles: str):
+    def dep(request: Request, db: Session = Depends(get_db)) -> User:
+        user = get_current_user(request, db)
+        if user.role.value not in roles:
+            raise HTTPException(status_code=403, detail="Недостаточно прав")
+        return user
+    return Depends(dep)
+
+
+def require_permission(permission_name: str):
+    def dep(request: Request, db: Session = Depends(get_db)) -> User:
+        user = get_current_user(request, db)
+        if user.role == UserRoleEnum.system:
+            return user
+        has = (
+            db.query(Permission)
+            .join(role_permissions, Permission.id == role_permissions.c.permission_id)
+            .join(UserRole, UserRole.role_id == role_permissions.c.role_id)
+            .filter(UserRole.user_id == user.id, Permission.name == permission_name)
+            .first()
+        )
+        if not has:
+            raise HTTPException(status_code=403, detail="Недостаточно прав")
+        return user
+    return Depends(dep)
--- a/web/auth/session.py
+++ b/web/auth/session.py
@@ -0,0 +1,25 @@
+from fastapi import HTTPException
+from fastapi.responses import RedirectResponse
+from sqlalchemy.orm import Session
+from starlette.requests import Request
+
+from web.models.user import User, UserStatusEnum
+
+
+def get_session_user_id(request: Request) -> int | None:
+    return request.session.get("user_id")
+
+
+def get_current_user(request: Request, db: Session) -> User:
+    user_id = get_session_user_id(request)
+    if not user_id:
+        raise HTTPException(status_code=307, headers={"Location": "/login"})
+    user = db.get(User, user_id)
+    if not user or user.status == UserStatusEnum.suspended:
+        request.session.clear()
+        raise HTTPException(status_code=307, headers={"Location": "/login"})
+    return user
+
+
+def login_redirect() -> RedirectResponse:
+    return RedirectResponse("/login", status_code=303)