o "i@sxdZddlmZddlmZmZddlmZddlm Z m Z m Z m Z m Z ddlmZddlZeeZGdd d ZdS) z Permission management service )Session)ListDict)Role) get_enforceradd_permission_for_roleremove_permission_for_rolecheck_permissionget_redis_client) AppExceptionNc @seZdZdZgdZgdZededede e e e fdede f d d Z ededede e e e ffd d Zedefd dZede e e effddZededededede f ddZededededede f ddZedededede fddZdS)PermissionServicez Service for managing permissions) usersrolesknowledge_basesknowledge_categoriesknowledge_tagsagents workflows documents audit_logsmenus providersmodels)readcreateupdatedeleteexecutedbrole_id permissions tenant_idreturnc Cs^|ttj|k}|stdd|jrtddt}d|j}t |}| d||}zJ| d|||D]*} | d} | d} | rJ| sQt d | t||| | } | sdtd | d | q:t|td t|d |jWdSty} z(td| | d|||D]}|j|qtdt | dt | d} ~ ww)z>Assign permissions to a role with Casbin-first atomic approach角色不存在Role not foundu系统角色权限不可修改z*System role permissions cannot be modifiedrole:rresourceactionzInvalid permission: zFailed to add permission: :u ✅ Assigned z permissions to role Tu0❌ Permission assignment failed, rolling back: u权限分配失败: zPermission assignment failed: N)queryrfilteridfirstr is_systemrcodestrget_filtered_policyremove_filtered_policyget ValueErrorr Exceptionr _invalidate_cacheloggerinfolenerror add_policy)rrr r!roleenforcer role_codedomain old_policiespermr&r'successepolicyrDN/lsinfo/ai/hellotax_ai/base_platform/app/services/access/permission_service.pyassign_permissionss>       z$PermissionService.assign_permissionscCsbddlm}|ttj|k}|sgSd|j}t|ddp$d}|||}dd|DS)z*Get all permissions for a role from Casbinr)get_permissions_for_roler%r!cSsg|] }|d|ddqS))r&r'rD).0prDrDrE `sz:PermissionService.get_role_permissions..) app.core.permissionsrGr)rr*r+r,r.getattr)rrrGr;r=r!policiesrDrDrEget_role_permissionsRs   z&PermissionService.get_role_permissionsc Csz.t}d|d}d} |j||dd\}}|r|j||dkr#nq td|Wd StyI}ztd|WYd }~d Sd }~ww) z!Invalidate Redis cache for tenantzperm:*:z:*:*rTd)matchcountu,✅ Invalidated permission cache for tenant u#⚠️ Failed to invalidate cache: N)r scanrr6r7r4warning)r! redis_clientpatterncursorkeysrBrDrDrEr5es   z#PermissionService._invalidate_cachecCsddtjDS)z+Get list of available resources and actionscSsg|]}|tjdqS))r&actions)r ACTIONS)rJr&rDrDrErLys z=PermissionService.get_available_resources..)r RESOURCESrDrDrDrEget_available_resourcesvsz)PermissionService.get_available_resourcesmenu_idc Cb|ttj|k}|stddd|}d}d|j}t||||}|r/t ||S)zGrant menu permission to roler#r$menu:viewr%) r)rr*r+r,r r.rr r5 rrr^r!r;r&r'r=rArDrDrEgrant_menu_permission~    z'PermissionService.grant_menu_permissionc Cr_)z Revoke menu permission from roler#r$r`rar%) r)rr*r+r,r r.rr r5rbrDrDrErevoke_menu_permissionrdz(PermissionService.revoke_menu_permissionuser_idcCsd|}d}t||||S)z)Check if user has permission to view menur`ra)r )rfr^r!r&r'rDrDrEcheck_menu_permissions z'PermissionService.check_menu_permissionN)__name__ __module__ __qualname____doc__r\r[ staticmethodrintrrr/boolrFrPr5anyr]rcrergrDrDrDrEr s8 4$   r )rksqlalchemy.ormrtypingrrapp.models.rolerrMrrrr r app.core.exceptionsr logging getLoggerrhr6r rDrDrDrEs