RBAC, Permissions, and Export/Import

verify_admin_account.py

@@ -0,0 +1,113 @@
+#!/usr/bin/env python3
+"""
+Script to verify admin@loaf.org account configuration after RBAC migration
+"""
+import sys
+import os
+from sqlalchemy import create_engine
+from sqlalchemy.orm import sessionmaker
+from dotenv import load_dotenv
+
+# Add parent directory to path to import models
+sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))
+
+from models import User, Role, Permission, RolePermission
+from database import DATABASE_URL
+
+# Load environment variables
+load_dotenv()
+
+# Create database engine and session
+engine = create_engine(DATABASE_URL)
+Session = sessionmaker(bind=engine)
+db = Session()
+
+def verify_admin_account():
+    print("=" * 80)
+    print("VERIFYING admin@loaf.org ACCOUNT")
+    print("=" * 80)
+
+    # Find the user
+    user = db.query(User).filter(User.email == "admin@loaf.org").first()
+
+    if not user:
+        print("\n❌ ERROR: User 'admin@loaf.org' not found in database!")
+        return
+
+    print(f"\n✅ User found: {user.first_name} {user.last_name}")
+    print(f"   Email: {user.email}")
+    print(f"   Status: {user.status}")
+    print(f"   Email Verified: {user.email_verified}")
+
+    # Check legacy role enum
+    print(f"\n📋 Legacy Role (enum): {user.role.value if user.role else 'None'}")
+
+    # Check new dynamic role
+    if user.role_id:
+        role = db.query(Role).filter(Role.id == user.role_id).first()
+        if role:
+            print(f"✅ Dynamic Role: {role.name} (code: {role.code})")
+            print(f"   Role ID: {role.id}")
+            print(f"   Is System Role: {role.is_system_role}")
+        else:
+            print(f"❌ ERROR: role_id set to {user.role_id} but role not found!")
+    else:
+        print("⚠️  WARNING: No dynamic role_id set")
+
+    # Check permissions
+    print("\n🔐 Checking Permissions:")
+
+    # Get all permissions for this role
+    if user.role_id:
+        role_perms = db.query(RolePermission).filter(
+            RolePermission.role_id == user.role_id
+        ).all()
+
+        print(f"   Total permissions assigned to role: {len(role_perms)}")
+
+        if len(role_perms) > 0:
+            print("\n   Sample permissions:")
+            for rp in role_perms[:10]:  # Show first 10
+                perm = db.query(Permission).filter(Permission.id == rp.permission_id).first()
+                if perm:
+                    print(f"   - {perm.code}: {perm.name}")
+            if len(role_perms) > 10:
+                print(f"   ... and {len(role_perms) - 10} more")
+        else:
+            print("   ⚠️  WARNING: No permissions assigned to this role!")
+    else:
+        # Check legacy role permissions
+        from auth import UserRole
+        role_enum = user.role
+        legacy_perms = db.query(RolePermission).filter(
+            RolePermission.role == role_enum
+        ).all()
+        print(f"   Legacy permissions (via enum): {len(legacy_perms)}")
+
+    # Check if user should have access
+    print("\n🎯 Access Check:")
+    if user.role and user.role.value in ['admin', 'superadmin']:
+        print("   ✅ User should have admin access (based on legacy enum)")
+    else:
+        print("   ❌ User does NOT have admin access (based on legacy enum)")
+
+    if user.role_id:
+        role = db.query(Role).filter(Role.id == user.role_id).first()
+        if role and role.code in ['admin', 'superadmin']:
+            print("   ✅ User should have admin access (based on dynamic role)")
+        else:
+            print("   ❌ User does NOT have admin access (based on dynamic role)")
+
+    print("\n" + "=" * 80)
+    print("VERIFICATION COMPLETE")
+    print("=" * 80)
+
+if __name__ == "__main__":
+    try:
+        verify_admin_account()
+    except Exception as e:
+        print(f"\n❌ ERROR: {e}")
+        import traceback
+        traceback.print_exc()
+    finally:
+        db.close()