RBAC, Permissions, and Export/Import

2025-12-16 20:03:50 +07:00
parent b268c3fff8
commit ed5526e27b
27 changed files with 10284 additions and 73 deletions
--- a/update_permissions.py
+++ b/update_permissions.py
@@ -0,0 +1,115 @@
+"""
+Script to update admin endpoints with permission checks
+Replaces get_current_admin_user with require_permission calls
+"""
+
+import re
+
+# Mapping of endpoint patterns to permissions
+ENDPOINT_PERMISSIONS = {
+    # Calendar
+    r'POST /admin/calendar/sync': 'events.edit',
+    r'DELETE /admin/calendar/unsync': 'events.edit',
+
+    # Event Gallery
+    r'POST /admin/events/\{event_id\}/gallery': 'gallery.upload',
+    r'DELETE /admin/event-gallery': 'gallery.delete',
+    r'PUT /admin/event-gallery': 'gallery.edit',
+
+    # Storage
+    r'GET /admin/storage/usage': 'settings.storage',
+    r'GET /admin/storage/breakdown': 'settings.storage',
+
+    # User Management (remaining)
+    r'PUT /admin/users/\{user_id\}/reset-password': 'users.reset_password',
+    r'POST /admin/users/\{user_id\}/resend-verification': 'users.resend_verification',
+
+    # Events
+    r'POST /admin/events(?!/)': 'events.create',  # Not followed by /
+    r'PUT /admin/events/\{event_id\}': 'events.edit',
+    r'GET /admin/events/\{event_id\}/rsvps': 'events.rsvps',
+    r'PUT /admin/events/\{event_id\}/attendance': 'events.attendance',
+    r'GET /admin/events(?!/)': 'events.view',  # Not followed by /
+    r'DELETE /admin/events': 'events.delete',
+
+    # Subscriptions
+    r'GET /admin/subscriptions/plans(?!/)': 'subscriptions.view',
+    r'GET /admin/subscriptions/plans/\{plan_id\}': 'subscriptions.view',
+    r'POST /admin/subscriptions/plans': 'subscriptions.plans',
+    r'PUT /admin/subscriptions/plans': 'subscriptions.plans',
+    r'DELETE /admin/subscriptions/plans': 'subscriptions.plans',
+    r'GET /admin/subscriptions/stats': 'subscriptions.view',
+    r'GET /admin/subscriptions(?!/)': 'subscriptions.view',
+    r'PUT /admin/subscriptions/\{subscription_id\}': 'subscriptions.edit',
+    r'POST /admin/subscriptions/\{subscription_id\}/cancel': 'subscriptions.cancel',
+
+    # Newsletters
+    r'POST /admin/newsletters': 'newsletters.create',
+    r'PUT /admin/newsletters': 'newsletters.edit',
+    r'DELETE /admin/newsletters': 'newsletters.delete',
+
+    # Financials
+    r'POST /admin/financials': 'financials.create',
+    r'PUT /admin/financials': 'financials.edit',
+    r'DELETE /admin/financials': 'financials.delete',
+
+    # Bylaws
+    r'POST /admin/bylaws': 'bylaws.create',
+    r'PUT /admin/bylaws': 'bylaws.edit',
+    r'DELETE /admin/bylaws': 'bylaws.delete',
+}
+
+def update_server_file():
+    """Read server.py, update permissions, write back"""
+
+    with open('server.py', 'r') as f:
+        content = f.read()
+
+    # Track changes
+    changes_made = 0
+
+    # Find all admin endpoints that still use get_current_admin_user
+    pattern = r'(@api_router\.(get|post|put|delete)\("(/admin/[^"]+)"\)[^@]+?)current_user: User = Depends\(get_current_admin_user\)'
+
+    def replace_permission(match):
+        nonlocal changes_made
+        full_match = match.group(0)
+        method = match.group(2).upper()
+        route = match.group(3)
+        endpoint_pattern = f'{method} {route}'
+
+        # Find matching permission
+        permission = None
+        for pattern_key, perm_value in ENDPOINT_PERMISSIONS.items():
+            if re.search(pattern_key, endpoint_pattern):
+                permission = perm_value
+                break
+
+        if permission:
+            changes_made += 1
+            replacement = full_match.replace(
+                'current_user: User = Depends(get_current_admin_user)',
+                f'current_user: User = Depends(require_permission("{permission}"))'
+            )
+            print(f'✓ Updated {endpoint_pattern} → {permission}')
+            return replacement
+        else:
+            print(f'⚠ No permission mapping for: {endpoint_pattern}')
+            return full_match
+
+    # Perform replacements
+    new_content = re.sub(pattern, replace_permission, content, flags=re.DOTALL)
+
+    if changes_made > 0:
+        with open('server.py', 'w') as f:
+            f.write(new_content)
+        print(f'\n✅ Updated {changes_made} endpoints with permission checks')
+    else:
+        print('\n⚠ No changes made')
+
+    return changes_made
+
+if __name__ == '__main__':
+    print('🔧 Updating admin endpoints with permission checks...\n')
+    changes = update_server_file()
+    print(f'\nDone! Updated {changes} endpoints.')