o "i@sdZddlmZmZmZddlmZddlmZddl m Z ddl m Z deded e fd d Zded e fd d Zded e fddZded e fddZded e fddZded e fddZded e fddZd e fddZd e fddZd e fddZdS)z4 Permission checking dependencies for API endpoints )Depends HTTPExceptionstatus)User)get_current_user)check_permission)Callableresourceactionreturncs$ttfdtdtffdd }|S)a Create a dependency that requires specific permission Args: resource: Resource name (e.g., "knowledge_bases", "agents") action: Action name (e.g., "read", "create", "update", "delete") Returns: Dependency function Example: @router.post("/knowledge-bases") async def create_kb( kb: KBCreate, current_user: User = Depends(require_permission("knowledge_bases", "create")) ): ... current_userr cs|j}|s+ddlm}||jd}dd|D}tdd|Ds)ttjddd}t|j|d }|sCttjd d d|S) z%Check if user has required permissionrget_user_rolescSg|]}|dqS role_code.0rolerr;/lsinfo/ai/hellotax_ai/base_platform/app/api/permissions.py +zBrequire_permission..permission_checker..cs|]}|dvVqdS))platform_admin platform_userNrrcoderrr -zArequire_permission..permission_checker..z(Non-platform users must have a tenant_id status_codedetail)user_id tenant_idr r zPermission denied: z on ) r$app.core.permissionsridanyrrHTTP_403_FORBIDDENcasbin_check_permission)r r$r user_roles role_codeshas_permissionr r rrpermission_checkers0  z.require_permission..permission_checkerrrr)r r r.rr-rrequire_permission s'r0cC t|dS)z#Require read permission on resourcereadr0r rrr require_readJ r5cCr1)z%Require create permission on resourcecreater3r4rrrrequire_createOr6r8cCr1)z%Require update permission on resourceupdater3r4rrrrequire_updateTr6r:cCr1)z%Require delete permission on resourcedeleter3r4rrrrequire_deleteYr6r<cCr1)z&Require execute permission on resourceexecuter3r4rrrrequire_execute^r6r>cCr1)z7Require write permission on resource (alias for update)r9r3r4rrr require_writecr6r?cCttfdtdtfdd}|S)z Require platform_admin or customer_admin role Uses Casbin role checking instead of deprecated user.role field Use this to replace: if current_user.role not in ["platform_admin", "customer_admin"] r r csVddlm}|jp d}||j|}dd|D}tdd|Ds)ttjdd|S) Nrr cSrrrrrrrrurz8require_admin..admin_checker..csr))rcustomer_adminNrrrrrrwrz7require_admin..admin_checker..zAdmin access requiredr )r%rr$r&r'rrr(r rr$r*r+rrr admin_checkerps   z$require_admin..admin_checkerr/)rCrrr require_admini rDcCr@)z Require platform_admin role only Uses Casbin role checking instead of deprecated user.role field Use this to replace: if current_user.role != "platform_admin" r r cLddlm}|jp d}||j|}dd|D}d|vr$ttjdd|S)Nrr cSrrrrrrrrrzJrequire_platform_admin..platform_admin_checker..rzPlatform admin access requiredr r%rr$r&rrr(rBrrrplatform_admin_checker   z6require_platform_admin..platform_admin_checkerr/)rHrrrrequire_platform_adminrErJcCr@)z Require customer_admin role Uses Casbin role checking instead of deprecated user.role field Use this to replace: if current_user.role != "customer_admin" r r crF)Nrr cSrrrrrrrrrzFrequire_tenant_admin..tenant_admin_checker..rAzTenant admin access requiredr rGrBrrrtenant_admin_checkerrIz2require_tenant_admin..tenant_admin_checkerr/)rKrrrrequire_tenant_adminrErLN)__doc__fastapirrrapp.models.userr app.api.depsrr%rr)typingrstrr0r5r8r:r<r>r?rDrJrLrrrrs     ?