Merge pull request 'Merge to LOAF-PROD for Demo' (#27) from dev into loaf-prod

Reviewed-on: #27

add_directory_permissions.py

@@ -0,0 +1,141 @@
+#!/usr/bin/env python3
+"""
+Add Directory Permissions Script
+
+This script adds the new directory.view and directory.manage permissions
+without clearing existing permissions.
+
+Usage:
+    python add_directory_permissions.py
+"""
+
+import os
+import sys
+from sqlalchemy import create_engine, text
+from sqlalchemy.orm import sessionmaker
+from database import Base
+from models import Permission, RolePermission, Role, UserRole
+from dotenv import load_dotenv
+
+# Load environment variables
+load_dotenv()
+
+# Database connection
+DATABASE_URL = os.getenv("DATABASE_URL")
+if not DATABASE_URL:
+    print("Error: DATABASE_URL environment variable not set")
+    sys.exit(1)
+
+engine = create_engine(DATABASE_URL)
+SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
+
+# New directory permissions
+NEW_PERMISSIONS = [
+    {"code": "directory.view", "name": "View Directory Settings", "description": "View member directory field configuration", "module": "directory"},
+    {"code": "directory.manage", "name": "Manage Directory Fields", "description": "Enable/disable directory fields shown in Profile and Directory pages", "module": "directory"},
+]
+
+# Roles that should have these permissions
+ROLE_PERMISSION_MAP = {
+    "directory.view": ["admin", "superadmin"],
+    "directory.manage": ["admin", "superadmin"],
+}
+
+
+def add_directory_permissions():
+    """Add directory permissions and assign to appropriate roles"""
+    db = SessionLocal()
+
+    try:
+        print("=" * 60)
+        print("Adding Directory Permissions")
+        print("=" * 60)
+
+        # Step 1: Add permissions if they don't exist
+        print("\n1. Adding permissions...")
+        permission_map = {}
+
+        for perm_data in NEW_PERMISSIONS:
+            existing = db.query(Permission).filter(Permission.code == perm_data["code"]).first()
+            if existing:
+                print(f"   - {perm_data['code']}: Already exists")
+                permission_map[perm_data["code"]] = existing
+            else:
+                permission = Permission(
+                    code=perm_data["code"],
+                    name=perm_data["name"],
+                    description=perm_data["description"],
+                    module=perm_data["module"]
+                )
+                db.add(permission)
+                db.flush()  # Get the ID
+                permission_map[perm_data["code"]] = permission
+                print(f"   - {perm_data['code']}: Created")
+
+        db.commit()
+
+        # Step 2: Get roles
+        print("\n2. Fetching roles...")
+        roles = db.query(Role).all()
+        role_map = {role.code: role for role in roles}
+        print(f"   Found {len(roles)} roles: {', '.join(role_map.keys())}")
+
+        # Enum mapping for backward compatibility
+        role_enum_map = {
+            'guest': UserRole.guest,
+            'member': UserRole.member,
+            'admin': UserRole.admin,
+            'superadmin': UserRole.superadmin,
+            'finance': UserRole.finance
+        }
+
+        # Step 3: Assign permissions to roles
+        print("\n3. Assigning permissions to roles...")
+        for perm_code, role_codes in ROLE_PERMISSION_MAP.items():
+            permission = permission_map.get(perm_code)
+            if not permission:
+                print(f"   Warning: Permission {perm_code} not found")
+                continue
+
+            for role_code in role_codes:
+                role = role_map.get(role_code)
+                if not role:
+                    print(f"   Warning: Role {role_code} not found")
+                    continue
+
+                # Check if mapping already exists
+                existing_mapping = db.query(RolePermission).filter(
+                    RolePermission.role_id == role.id,
+                    RolePermission.permission_id == permission.id
+                ).first()
+
+                if existing_mapping:
+                    print(f"   - {role_code} -> {perm_code}: Already assigned")
+                else:
+                    role_enum = role_enum_map.get(role_code, UserRole.guest)
+                    mapping = RolePermission(
+                        role=role_enum,
+                        role_id=role.id,
+                        permission_id=permission.id
+                    )
+                    db.add(mapping)
+                    print(f"   - {role_code} -> {perm_code}: Assigned")
+
+        db.commit()
+
+        print("\n" + "=" * 60)
+        print("Directory permissions added successfully!")
+        print("=" * 60)
+
+    except Exception as e:
+        db.rollback()
+        print(f"\nError: {str(e)}")
+        import traceback
+        traceback.print_exc()
+        raise
+    finally:
+        db.close()
+
+
+if __name__ == "__main__":
+    add_directory_permissions()

add_registration_permissions.py

@@ -0,0 +1,141 @@
+#!/usr/bin/env python3
+"""
+Add Registration Permissions Script
+
+This script adds the new registration.view and registration.manage permissions
+without clearing existing permissions.
+
+Usage:
+    python add_registration_permissions.py
+"""
+
+import os
+import sys
+from sqlalchemy import create_engine, text
+from sqlalchemy.orm import sessionmaker
+from database import Base
+from models import Permission, RolePermission, Role, UserRole
+from dotenv import load_dotenv
+
+# Load environment variables
+load_dotenv()
+
+# Database connection
+DATABASE_URL = os.getenv("DATABASE_URL")
+if not DATABASE_URL:
+    print("Error: DATABASE_URL environment variable not set")
+    sys.exit(1)
+
+engine = create_engine(DATABASE_URL)
+SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
+
+# New registration permissions
+NEW_PERMISSIONS = [
+    {"code": "registration.view", "name": "View Registration Settings", "description": "View registration form schema and settings", "module": "registration"},
+    {"code": "registration.manage", "name": "Manage Registration Form", "description": "Edit registration form schema, steps, and fields", "module": "registration"},
+]
+
+# Roles that should have these permissions
+ROLE_PERMISSION_MAP = {
+    "registration.view": ["admin", "superadmin"],
+    "registration.manage": ["admin", "superadmin"],
+}
+
+
+def add_registration_permissions():
+    """Add registration permissions and assign to appropriate roles"""
+    db = SessionLocal()
+
+    try:
+        print("=" * 60)
+        print("Adding Registration Permissions")
+        print("=" * 60)
+
+        # Step 1: Add permissions if they don't exist
+        print("\n1. Adding permissions...")
+        permission_map = {}
+
+        for perm_data in NEW_PERMISSIONS:
+            existing = db.query(Permission).filter(Permission.code == perm_data["code"]).first()
+            if existing:
+                print(f"   - {perm_data['code']}: Already exists")
+                permission_map[perm_data["code"]] = existing
+            else:
+                permission = Permission(
+                    code=perm_data["code"],
+                    name=perm_data["name"],
+                    description=perm_data["description"],
+                    module=perm_data["module"]
+                )
+                db.add(permission)
+                db.flush()  # Get the ID
+                permission_map[perm_data["code"]] = permission
+                print(f"   - {perm_data['code']}: Created")
+
+        db.commit()
+
+        # Step 2: Get roles
+        print("\n2. Fetching roles...")
+        roles = db.query(Role).all()
+        role_map = {role.code: role for role in roles}
+        print(f"   Found {len(roles)} roles: {', '.join(role_map.keys())}")
+
+        # Enum mapping for backward compatibility
+        role_enum_map = {
+            'guest': UserRole.guest,
+            'member': UserRole.member,
+            'admin': UserRole.admin,
+            'superadmin': UserRole.superadmin,
+            'finance': UserRole.finance
+        }
+
+        # Step 3: Assign permissions to roles
+        print("\n3. Assigning permissions to roles...")
+        for perm_code, role_codes in ROLE_PERMISSION_MAP.items():
+            permission = permission_map.get(perm_code)
+            if not permission:
+                print(f"   Warning: Permission {perm_code} not found")
+                continue
+
+            for role_code in role_codes:
+                role = role_map.get(role_code)
+                if not role:
+                    print(f"   Warning: Role {role_code} not found")
+                    continue
+
+                # Check if mapping already exists
+                existing_mapping = db.query(RolePermission).filter(
+                    RolePermission.role_id == role.id,
+                    RolePermission.permission_id == permission.id
+                ).first()
+
+                if existing_mapping:
+                    print(f"   - {role_code} -> {perm_code}: Already assigned")
+                else:
+                    role_enum = role_enum_map.get(role_code, UserRole.guest)
+                    mapping = RolePermission(
+                        role=role_enum,
+                        role_id=role.id,
+                        permission_id=permission.id
+                    )
+                    db.add(mapping)
+                    print(f"   - {role_code} -> {perm_code}: Assigned")
+
+        db.commit()
+
+        print("\n" + "=" * 60)
+        print("Registration permissions added successfully!")
+        print("=" * 60)
+
+    except Exception as e:
+        db.rollback()
+        print(f"\nError: {str(e)}")
+        import traceback
+        traceback.print_exc()
+        raise
+    finally:
+        db.close()
+
+
+if __name__ == "__main__":
+    add_registration_permissions()

alembic/versions/014_add_custom_registration_data.py

@@ -0,0 +1,39 @@
+"""add_custom_registration_data
+
+Revision ID: 014_custom_registration
+Revises: a1b2c3d4e5f6
+Create Date: 2026-02-01 10:00:00.000000
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision: str = '014_custom_registration'
+down_revision: Union[str, None] = 'a1b2c3d4e5f6'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # Add custom_registration_data column to users table
+    # This stores dynamic registration field responses as JSON
+    op.add_column('users', sa.Column(
+        'custom_registration_data',
+        sa.JSON,
+        nullable=False,
+        server_default='{}'
+    ))
+
+    # Add comment for documentation
+    op.execute("""
+        COMMENT ON COLUMN users.custom_registration_data IS
+        'Dynamic registration field responses stored as JSON for custom form fields';
+    """)
+
+
+def downgrade() -> None:
+    op.drop_column('users', 'custom_registration_data')

alembic/versions/add_payment_methods.py

@@ -0,0 +1,100 @@
+"""add_payment_methods
+
+Revision ID: a1b2c3d4e5f6
+Revises: 956ea1628264
+Create Date: 2026-01-30 10:00:00.000000
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import postgresql
+
+# revision identifiers, used by Alembic.
+revision: str = 'a1b2c3d4e5f6'
+down_revision: Union[str, None] = '956ea1628264'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    conn = op.get_bind()
+
+    # Create PaymentMethodType enum
+    paymentmethodtype = postgresql.ENUM(
+        'card', 'cash', 'bank_transfer', 'check',
+        name='paymentmethodtype',
+        create_type=False
+    )
+    paymentmethodtype.create(conn, checkfirst=True)
+
+    # Check if stripe_customer_id column exists on users table
+    result = conn.execute(sa.text("""
+        SELECT column_name FROM information_schema.columns
+        WHERE table_name = 'users' AND column_name = 'stripe_customer_id'
+    """))
+    if result.fetchone() is None:
+        # Add stripe_customer_id to users table
+        op.add_column('users', sa.Column(
+            'stripe_customer_id',
+            sa.String(),
+            nullable=True,
+            comment='Stripe Customer ID for payment method management'
+        ))
+        op.create_index('ix_users_stripe_customer_id', 'users', ['stripe_customer_id'])
+
+    # Check if payment_methods table exists
+    result = conn.execute(sa.text("""
+        SELECT table_name FROM information_schema.tables
+        WHERE table_name = 'payment_methods'
+    """))
+    if result.fetchone() is None:
+        # Create payment_methods table
+        op.create_table(
+            'payment_methods',
+            sa.Column('id', postgresql.UUID(as_uuid=True), primary_key=True),
+            sa.Column('user_id', postgresql.UUID(as_uuid=True), sa.ForeignKey('users.id', ondelete='CASCADE'), nullable=False),
+            sa.Column('stripe_payment_method_id', sa.String(), nullable=True, unique=True, comment='Stripe pm_xxx reference'),
+            sa.Column('card_brand', sa.String(20), nullable=True, comment='Card brand: visa, mastercard, amex, etc.'),
+            sa.Column('card_last4', sa.String(4), nullable=True, comment='Last 4 digits of card'),
+            sa.Column('card_exp_month', sa.Integer(), nullable=True, comment='Card expiration month'),
+            sa.Column('card_exp_year', sa.Integer(), nullable=True, comment='Card expiration year'),
+            sa.Column('card_funding', sa.String(20), nullable=True, comment='Card funding type: credit, debit, prepaid'),
+            sa.Column('payment_type', paymentmethodtype, nullable=False, server_default='card'),
+            sa.Column('is_default', sa.Boolean(), nullable=False, server_default='false', comment='Whether this is the default payment method for auto-renewals'),
+            sa.Column('is_active', sa.Boolean(), nullable=False, server_default='true', comment='Soft delete flag - False means removed'),
+            sa.Column('is_manual', sa.Boolean(), nullable=False, server_default='false', comment='True for manually recorded methods (cash/check)'),
+            sa.Column('manual_notes', sa.Text(), nullable=True, comment='Admin notes for manual payment methods'),
+            sa.Column('created_by', postgresql.UUID(as_uuid=True), sa.ForeignKey('users.id', ondelete='SET NULL'), nullable=True, comment='Admin who added this on behalf of user'),
+            sa.Column('created_at', sa.DateTime(timezone=True), nullable=False, server_default=sa.func.now()),
+            sa.Column('updated_at', sa.DateTime(timezone=True), nullable=False, server_default=sa.func.now(), onupdate=sa.func.now()),
+        )
+
+        # Create indexes
+        op.create_index('ix_payment_methods_user_id', 'payment_methods', ['user_id'])
+        op.create_index('ix_payment_methods_stripe_pm_id', 'payment_methods', ['stripe_payment_method_id'])
+        op.create_index('idx_payment_method_user_default', 'payment_methods', ['user_id', 'is_default'])
+        op.create_index('idx_payment_method_active', 'payment_methods', ['user_id', 'is_active'])
+
+
+def downgrade() -> None:
+    # Drop indexes
+    op.drop_index('idx_payment_method_active', table_name='payment_methods')
+    op.drop_index('idx_payment_method_user_default', table_name='payment_methods')
+    op.drop_index('ix_payment_methods_stripe_pm_id', table_name='payment_methods')
+    op.drop_index('ix_payment_methods_user_id', table_name='payment_methods')
+
+    # Drop payment_methods table
+    op.drop_table('payment_methods')
+
+    # Drop stripe_customer_id from users
+    op.drop_index('ix_users_stripe_customer_id', table_name='users')
+    op.drop_column('users', 'stripe_customer_id')
+
+    # Drop PaymentMethodType enum
+    paymentmethodtype = postgresql.ENUM(
+        'card', 'cash', 'bank_transfer', 'check',
+        name='paymentmethodtype'
+    )
+    paymentmethodtype.drop(op.get_bind(), checkfirst=True)

auth.py

@@ -128,7 +128,7 @@ async def get_current_admin_user(current_user: User = Depends(get_current_user))
     return current_user
 
 async def get_active_member(current_user: User = Depends(get_current_user)) -> User:
-    """Require user to be active member with valid payment"""
+    """Require user to be active member or staff with valid status"""
     from models import UserStatus
 
     if current_user.status != UserStatus.active:
@@ -138,7 +138,7 @@ async def get_active_member(current_user: User = Depends(get_current_user)) -> U
         )
 
     role_code = get_user_role_code(current_user)
-    if role_code not in ["member", "admin", "superadmin"]:
+    if role_code not in ["member", "admin", "superadmin", "finance"]:
         raise HTTPException(
             status_code=status.HTTP_403_FORBIDDEN,
             detail="Member access only"

migrations/000_initial_schema.sql

@@ -530,7 +530,7 @@ CREATE TABLE IF NOT EXISTS storage_usage (
     id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
 
     total_bytes_used BIGINT NOT NULL DEFAULT 0,
-    max_bytes_allowed BIGINT NOT NULL DEFAULT 10737418240,  -- 10GB
+    max_bytes_allowed BIGINT NOT NULL DEFAULT 1073741824,  -- 1GB
     last_updated TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP
 );
 
@@ -659,7 +659,7 @@ INSERT INTO storage_usage (id, total_bytes_used, max_bytes_allowed, last_updated
 SELECT
     gen_random_uuid(),
     0,
-    10737418240,  -- 10GB
+    1073741824,  -- 1GB
     CURRENT_TIMESTAMP
 WHERE NOT EXISTS (SELECT 1 FROM storage_usage);
 

models.py

@@ -44,6 +44,13 @@ class DonationStatus(enum.Enum):
     completed = "completed"
     failed = "failed"
 
+
+class PaymentMethodType(enum.Enum):
+    card = "card"
+    cash = "cash"
+    bank_transfer = "bank_transfer"
+    check = "check"
+
 class User(Base):
     __tablename__ = "users"
     
@@ -141,6 +148,13 @@ class User(Base):
     role_changed_at = Column(DateTime(timezone=True), nullable=True, comment="Timestamp when role was last changed")
     role_changed_by = Column(UUID(as_uuid=True), ForeignKey('users.id', ondelete='SET NULL'), nullable=True, comment="Admin who changed the role")
 
+    # Stripe Customer ID - Centralized for payment method management
+    stripe_customer_id = Column(String, nullable=True, index=True, comment="Stripe Customer ID for payment method management")
+
+    # Dynamic Registration Form - Custom field responses
+    custom_registration_data = Column(JSON, default=dict, nullable=False,
+        comment="Dynamic registration field responses stored as JSON for custom form fields")
+
     created_at = Column(DateTime, default=lambda: datetime.now(timezone.utc))
     updated_at = Column(DateTime, default=lambda: datetime.now(timezone.utc), onupdate=lambda: datetime.now(timezone.utc))
 
@@ -150,6 +164,52 @@ class User(Base):
     rsvps = relationship("EventRSVP", back_populates="user")
     subscriptions = relationship("Subscription", back_populates="user", foreign_keys="Subscription.user_id")
     role_changer = relationship("User", foreign_keys=[role_changed_by], remote_side="User.id", post_update=True)
+    payment_methods = relationship("PaymentMethod", back_populates="user", foreign_keys="PaymentMethod.user_id")
+
+
+class PaymentMethod(Base):
+    """Stored payment methods for users (Stripe or manual records)"""
+    __tablename__ = "payment_methods"
+
+    id = Column(UUID(as_uuid=True), primary_key=True, default=uuid.uuid4)
+    user_id = Column(UUID(as_uuid=True), ForeignKey("users.id", ondelete="CASCADE"), nullable=False, index=True)
+
+    # Stripe payment method reference
+    stripe_payment_method_id = Column(String, nullable=True, unique=True, index=True, comment="Stripe pm_xxx reference")
+
+    # Card details (stored for display purposes - PCI compliant)
+    card_brand = Column(String(20), nullable=True, comment="Card brand: visa, mastercard, amex, etc.")
+    card_last4 = Column(String(4), nullable=True, comment="Last 4 digits of card")
+    card_exp_month = Column(Integer, nullable=True, comment="Card expiration month")
+    card_exp_year = Column(Integer, nullable=True, comment="Card expiration year")
+    card_funding = Column(String(20), nullable=True, comment="Card funding type: credit, debit, prepaid")
+
+    # Payment type classification
+    payment_type = Column(SQLEnum(PaymentMethodType), default=PaymentMethodType.card, nullable=False)
+
+    # Status flags
+    is_default = Column(Boolean, default=False, nullable=False, comment="Whether this is the default payment method for auto-renewals")
+    is_active = Column(Boolean, default=True, nullable=False, comment="Soft delete flag - False means removed")
+    is_manual = Column(Boolean, default=False, nullable=False, comment="True for manually recorded methods (cash/check)")
+
+    # Manual payment notes (for cash/check records)
+    manual_notes = Column(Text, nullable=True, comment="Admin notes for manual payment methods")
+
+    # Audit trail
+    created_by = Column(UUID(as_uuid=True), ForeignKey("users.id", ondelete="SET NULL"), nullable=True, comment="Admin who added this on behalf of user")
+    created_at = Column(DateTime(timezone=True), default=lambda: datetime.now(timezone.utc), nullable=False)
+    updated_at = Column(DateTime(timezone=True), default=lambda: datetime.now(timezone.utc), onupdate=lambda: datetime.now(timezone.utc), nullable=False)
+
+    # Relationships
+    user = relationship("User", back_populates="payment_methods", foreign_keys=[user_id])
+    creator = relationship("User", foreign_keys=[created_by])
+
+    # Composite index for efficient queries
+    __table_args__ = (
+        Index('idx_payment_method_user_default', 'user_id', 'is_default'),
+        Index('idx_payment_method_active', 'user_id', 'is_active'),
+    )
+
 
 class Event(Base):
     __tablename__ = "events"

permissions_seed.py

@@ -327,6 +327,38 @@ PERMISSIONS = [
         "module": "gallery"
     },
 
+    # ========== PAYMENT METHODS MODULE ==========
+    {
+        "code": "payment_methods.view",
+        "name": "View Payment Methods",
+        "description": "View user payment methods (masked)",
+        "module": "payment_methods"
+    },
+    {
+        "code": "payment_methods.view_sensitive",
+        "name": "View Sensitive Payment Details",
+        "description": "View full payment method details including Stripe IDs (requires password)",
+        "module": "payment_methods"
+    },
+    {
+        "code": "payment_methods.create",
+        "name": "Create Payment Methods",
+        "description": "Add payment methods on behalf of users",
+        "module": "payment_methods"
+    },
+    {
+        "code": "payment_methods.delete",
+        "name": "Delete Payment Methods",
+        "description": "Delete user payment methods",
+        "module": "payment_methods"
+    },
+    {
+        "code": "payment_methods.set_default",
+        "name": "Set Default Payment Method",
+        "description": "Set a user's default payment method",
+        "module": "payment_methods"
+    },
+
     # ========== SETTINGS MODULE ==========
     {
         "code": "settings.view",
@@ -453,6 +485,10 @@ DEFAULT_ROLE_PERMISSIONS = {
         "gallery.edit",
         "gallery.delete",
         "gallery.moderate",
+        "payment_methods.view",
+        "payment_methods.create",
+        "payment_methods.delete",
+        "payment_methods.set_default",
         "settings.view",
         "settings.edit",
         "settings.email_templates",
@@ -460,6 +496,36 @@ DEFAULT_ROLE_PERMISSIONS = {
         "settings.logs",
     ],
 
+    UserRole.finance: [
+        # Finance role has all admin permissions plus sensitive payment access
+        "users.view",
+        "users.export",
+        "events.view",
+        "events.rsvps",
+        "events.calendar_export",
+        "subscriptions.view",
+        "subscriptions.create",
+        "subscriptions.edit",
+        "subscriptions.cancel",
+        "subscriptions.activate",
+        "subscriptions.plans",
+        "financials.view",
+        "financials.create",
+        "financials.edit",
+        "financials.delete",
+        "financials.export",
+        "financials.payments",
+        "newsletters.view",
+        "bylaws.view",
+        "gallery.view",
+        "payment_methods.view",
+        "payment_methods.view_sensitive",  # Finance can view sensitive payment details
+        "payment_methods.create",
+        "payment_methods.delete",
+        "payment_methods.set_default",
+        "settings.view",
+    ],
+
     # Superadmin gets all permissions automatically in code,
     # so we don't need to explicitly assign them
     UserRole.superadmin: []

r2_storage.py

@@ -35,6 +35,21 @@ class R2Storage:
         'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet': ['.xlsx']
     }
 
+    # Branding assets (logo and favicon)
+    ALLOWED_BRANDING_TYPES = {
+        'image/jpeg': ['.jpg', '.jpeg'],
+        'image/png': ['.png'],
+        'image/webp': ['.webp'],
+        'image/svg+xml': ['.svg']
+    }
+
+    ALLOWED_FAVICON_TYPES = {
+        'image/x-icon': ['.ico'],
+        'image/vnd.microsoft.icon': ['.ico'],
+        'image/png': ['.png'],
+        'image/svg+xml': ['.svg']
+    }
+
     def __init__(self):
         """Initialize R2 client with credentials from environment"""
         self.account_id = os.getenv('R2_ACCOUNT_ID')

seed_permissions_rbac.py

@@ -2,7 +2,7 @@
 """
 Permission Seeding Script for Dynamic RBAC System
 
-This script populates the database with 59 granular permissions and assigns them
+This script populates the database with 65 granular permissions and assigns them
 to the appropriate dynamic roles (not the old enum roles).
 
 Usage:
@@ -33,7 +33,7 @@ engine = create_engine(DATABASE_URL)
 SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
 
 # ============================================================
-# Permission Definitions (59 permissions across 10 modules)
+# Permission Definitions (65 permissions across 11 modules)
 # ============================================================
 
 PERMISSIONS = [
@@ -116,6 +116,21 @@ PERMISSIONS = [
     {"code": "permissions.assign", "name": "Assign Permissions", "description": "Assign permissions to roles", "module": "permissions"},
     {"code": "permissions.manage_roles", "name": "Manage Roles", "description": "Create and manage user roles", "module": "permissions"},
     {"code": "permissions.audit", "name": "View Permission Audit Log", "description": "View permission change audit logs", "module": "permissions"},
+
+    # ========== PAYMENT METHODS MODULE (5) ==========
+    {"code": "payment_methods.view", "name": "View Payment Methods", "description": "View user payment methods (masked)", "module": "payment_methods"},
+    {"code": "payment_methods.view_sensitive", "name": "View Sensitive Payment Details", "description": "View full Stripe payment method IDs (requires password)", "module": "payment_methods"},
+    {"code": "payment_methods.create", "name": "Create Payment Methods", "description": "Add payment methods on behalf of users", "module": "payment_methods"},
+    {"code": "payment_methods.delete", "name": "Delete Payment Methods", "description": "Remove user payment methods", "module": "payment_methods"},
+    {"code": "payment_methods.set_default", "name": "Set Default Payment Method", "description": "Set default payment method for users", "module": "payment_methods"},
+
+    # ========== REGISTRATION MODULE (2) ==========
+    {"code": "registration.view", "name": "View Registration Settings", "description": "View registration form schema and settings", "module": "registration"},
+    {"code": "registration.manage", "name": "Manage Registration Form", "description": "Edit registration form schema, steps, and fields", "module": "registration"},
+
+    # ========== DIRECTORY MODULE (2) ==========
+    {"code": "directory.view", "name": "View Directory Settings", "description": "View member directory field configuration", "module": "directory"},
+    {"code": "directory.manage", "name": "Manage Directory Fields", "description": "Enable/disable directory fields shown in Profile and Directory pages", "module": "directory"},
 ]
 
 # Default system roles that must exist
@@ -170,6 +185,9 @@ DEFAULT_ROLE_PERMISSIONS = {
         "subscriptions.cancel", "subscriptions.activate", "subscriptions.plans",
         "subscriptions.export",
         "donations.view", "donations.export",
+        # Payment methods - finance can view sensitive details
+        "payment_methods.view", "payment_methods.view_sensitive",
+        "payment_methods.create", "payment_methods.delete", "payment_methods.set_default",
     ],
 
     "admin": [
@@ -191,6 +209,13 @@ DEFAULT_ROLE_PERMISSIONS = {
         "gallery.view", "gallery.upload", "gallery.edit", "gallery.delete", "gallery.moderate",
         "settings.view", "settings.edit", "settings.email_templates", "settings.storage",
         "settings.logs",
+        # Payment methods - admin can manage but not view sensitive details
+        "payment_methods.view", "payment_methods.create",
+        "payment_methods.delete", "payment_methods.set_default",
+        # Registration form management
+        "registration.view", "registration.manage",
+        # Directory configuration
+        "directory.view", "directory.manage",
     ],
 
     "superadmin": [