snapshot: preserve scalable app registry and landing visibility rules

2026-03-26 12:59:45 +01:00
parent 007d4e329a
commit 9437aaa29a
9 changed files with 762 additions and 242 deletions
--- a/backend/workflows/app_registry.py
+++ b/backend/workflows/app_registry.py
@@ -6,7 +6,7 @@ from django.urls import reverse
 from django.utils.translation import gettext_lazy as _

 from .models import PortalAppConfig
-from .roles import user_has_capability
+from .roles import ROLE_ADMIN, ROLE_IT_STAFF, ROLE_LABELS, ROLE_PLATFORM_OWNER, ROLE_STAFF, ROLE_SUPER_ADMIN, get_user_role_key, user_has_capability


@dataclass(frozen=True)
@@ -160,6 +160,108 @@ APP_DEFINITIONS: tuple[AppDefinition, ...] = (
 )


+DEFAULT_ROLE_VISIBILITY = {
+    'onboarding': {
+        ROLE_SUPER_ADMIN: True,
+        ROLE_ADMIN: True,
+        ROLE_IT_STAFF: True,
+        ROLE_STAFF: True,
+    },
+    'offboarding': {
+        ROLE_SUPER_ADMIN: True,
+        ROLE_ADMIN: True,
+        ROLE_IT_STAFF: True,
+        ROLE_STAFF: True,
+    },
+    'requests_dashboard': {
+        ROLE_SUPER_ADMIN: True,
+        ROLE_ADMIN: True,
+        ROLE_IT_STAFF: True,
+        ROLE_STAFF: False,
+    },
+    'branding': {
+        ROLE_SUPER_ADMIN: False,
+        ROLE_ADMIN: False,
+        ROLE_IT_STAFF: False,
+        ROLE_STAFF: False,
+    },
+    'app_registry': {
+        ROLE_SUPER_ADMIN: False,
+        ROLE_ADMIN: False,
+        ROLE_IT_STAFF: False,
+        ROLE_STAFF: False,
+    },
+    'integrations': {
+        ROLE_SUPER_ADMIN: True,
+        ROLE_ADMIN: True,
+        ROLE_IT_STAFF: False,
+        ROLE_STAFF: False,
+    },
+    'users': {
+        ROLE_SUPER_ADMIN: True,
+        ROLE_ADMIN: False,
+        ROLE_IT_STAFF: False,
+        ROLE_STAFF: False,
+    },
+    'audit_log': {
+        ROLE_SUPER_ADMIN: True,
+        ROLE_ADMIN: True,
+        ROLE_IT_STAFF: False,
+        ROLE_STAFF: False,
+    },
+    'backups': {
+        ROLE_SUPER_ADMIN: True,
+        ROLE_ADMIN: True,
+        ROLE_IT_STAFF: False,
+        ROLE_STAFF: False,
+    },
+    'welcome_emails': {
+        ROLE_SUPER_ADMIN: True,
+        ROLE_ADMIN: True,
+        ROLE_IT_STAFF: False,
+        ROLE_STAFF: False,
+    },
+    'form_builder': {
+        ROLE_SUPER_ADMIN: True,
+        ROLE_ADMIN: True,
+        ROLE_IT_STAFF: False,
+        ROLE_STAFF: False,
+    },
+    'intro_builder': {
+        ROLE_SUPER_ADMIN: True,
+        ROLE_ADMIN: True,
+        ROLE_IT_STAFF: False,
+        ROLE_STAFF: False,
+    },
+    'handbook': {
+        ROLE_SUPER_ADMIN: True,
+        ROLE_ADMIN: True,
+        ROLE_IT_STAFF: False,
+        ROLE_STAFF: False,
+    },
+    'django_admin': {
+        ROLE_SUPER_ADMIN: False,
+        ROLE_ADMIN: False,
+        ROLE_IT_STAFF: False,
+        ROLE_STAFF: False,
+    },
+}
+
+
+def _default_visibility_summary(definition_key: str) -> str:
+    visibility = DEFAULT_ROLE_VISIBILITY.get(definition_key, {})
+    enabled_roles = [
+        role
+        for role in (ROLE_SUPER_ADMIN, ROLE_ADMIN, ROLE_IT_STAFF, ROLE_STAFF)
+        if visibility.get(role)
+    ]
+    if not enabled_roles:
+        return str(_('Nur Platform'))
+    if enabled_roles == [ROLE_SUPER_ADMIN, ROLE_ADMIN, ROLE_IT_STAFF, ROLE_STAFF]:
+        return str(_('Alle Firmenrollen'))
+    return ' + '.join(str(ROLE_LABELS[role]) for role in enabled_roles if role in ROLE_LABELS)
+
+
 SECTION_META = {
    PortalAppConfig.SECTION_APP: {
        'title': _('Apps'),
@@ -184,12 +286,17 @@ SECTION_META = {

 def ensure_portal_app_configs() -> None:
    for index, definition in enumerate(APP_DEFINITIONS):
+        visibility = DEFAULT_ROLE_VISIBILITY.get(definition.key, {})
        PortalAppConfig.objects.get_or_create(
            key=definition.key,
            defaults={
                'section': definition.section,
                'sort_order': index,
                'is_enabled': True,
+                'visible_to_super_admin': visibility.get(ROLE_SUPER_ADMIN, False),
+                'visible_to_admin': visibility.get(ROLE_ADMIN, False),
+                'visible_to_it_staff': visibility.get(ROLE_IT_STAFF, False),
+                'visible_to_staff': visibility.get(ROLE_STAFF, False),
            },
        )

@@ -206,6 +313,7 @@ def get_portal_app_registry_rows() -> list[dict[str, object]]:
                'config': config,
                'default_section': definition.section,
                'default_sort_order': index,
+                'default_visibility_summary': _default_visibility_summary(definition.key),
            }
        )
    return rows
@@ -215,6 +323,7 @@ def build_portal_app_sections(user) -> list[dict[str, object]]:
    ensure_portal_app_configs()
    config_map = {config.key: config for config in PortalAppConfig.objects.all()}
    grouped: dict[str, list[dict[str, object]]] = {key: [] for key in SECTION_META}
+    role_key = get_user_role_key(user)

    for definition in APP_DEFINITIONS:
        config = config_map.get(definition.key)
@@ -222,6 +331,15 @@ def build_portal_app_sections(user) -> list[dict[str, object]]:
            continue
        if definition.capability and not user_has_capability(user, definition.capability):
            continue
+        if role_key != ROLE_PLATFORM_OWNER:
+            if role_key == ROLE_SUPER_ADMIN and not config.visible_to_super_admin:
+                continue
+            if role_key == ROLE_ADMIN and not config.visible_to_admin:
+                continue
+            if role_key == ROLE_IT_STAFF and not config.visible_to_it_staff:
+                continue
+            if role_key == ROLE_STAFF and not config.visible_to_staff:
+                continue
        grouped[config.section].append(
            {
                'key': definition.key,