snapshot: preserve role management and user lifecycle controls

2026-03-26 10:07:49 +01:00
parent 438334bd92
commit b585287004
17 changed files with 1137 additions and 273 deletions
--- a/backend/workflows/roles.py
+++ b/backend/workflows/roles.py
@@ -0,0 +1,127 @@
+from __future__ import annotations
+
+from django.contrib.auth import get_user_model
+from django.contrib.auth.models import Group
+from django.utils.translation import gettext_lazy as _
+
+ROLE_SUPER_ADMIN = 'super_admin'
+ROLE_ADMIN = 'admin'
+ROLE_IT_STAFF = 'it_staff'
+ROLE_STAFF = 'staff'
+
+ROLE_GROUP_NAMES = {
+    ROLE_SUPER_ADMIN: 'Super Admin',
+    ROLE_ADMIN: 'Admin',
+    ROLE_IT_STAFF: 'IT Staff',
+    ROLE_STAFF: 'Staff',
+}
+
+ROLE_LABELS = {
+    ROLE_SUPER_ADMIN: _('Super Admin'),
+    ROLE_ADMIN: _('Admin'),
+    ROLE_IT_STAFF: _('IT Staff'),
+    ROLE_STAFF: _('Mitarbeiter'),
+}
+
+CAPABILITIES = {
+    'manage_users': {ROLE_SUPER_ADMIN},
+    'access_requests_dashboard': {ROLE_SUPER_ADMIN, ROLE_ADMIN, ROLE_IT_STAFF},
+    'run_intro_session': {ROLE_SUPER_ADMIN, ROLE_ADMIN, ROLE_IT_STAFF},
+    'generate_intro_pdfs': {ROLE_SUPER_ADMIN, ROLE_ADMIN, ROLE_IT_STAFF},
+    'retry_requests': {ROLE_SUPER_ADMIN, ROLE_ADMIN, ROLE_IT_STAFF},
+    'delete_requests': {ROLE_SUPER_ADMIN, ROLE_ADMIN},
+    'manage_integrations': {ROLE_SUPER_ADMIN, ROLE_ADMIN},
+    'manage_welcome_emails': {ROLE_SUPER_ADMIN, ROLE_ADMIN},
+    'manage_builders': {ROLE_SUPER_ADMIN, ROLE_ADMIN},
+    'view_audit_log': {ROLE_SUPER_ADMIN, ROLE_ADMIN},
+    'manage_backups': {ROLE_SUPER_ADMIN, ROLE_ADMIN},
+    'view_docs': {ROLE_SUPER_ADMIN, ROLE_ADMIN},
+    'access_django_admin_link': {ROLE_SUPER_ADMIN},
+}
+
+
+def ensure_role_groups() -> None:
+    for name in ROLE_GROUP_NAMES.values():
+        Group.objects.get_or_create(name=name)
+
+
+def assign_user_role(user, role_key: str) -> None:
+    ensure_role_groups()
+    if role_key not in ROLE_GROUP_NAMES:
+        raise ValueError(f'Unknown role: {role_key}')
+
+    role_groups = Group.objects.filter(name__in=ROLE_GROUP_NAMES.values())
+    user.groups.remove(*role_groups)
+    user.groups.add(Group.objects.get(name=ROLE_GROUP_NAMES[role_key]))
+
+    is_super_admin = role_key == ROLE_SUPER_ADMIN
+    user.is_staff = is_super_admin
+    user.is_superuser = is_super_admin
+    user.save(update_fields=['is_staff', 'is_superuser'])
+
+
+def ensure_bootstrap_role_assignments() -> None:
+    user_model = get_user_model()
+    bootstrap_roles = {
+        'admin_test': ROLE_SUPER_ADMIN,
+        'user_test': ROLE_STAFF,
+    }
+    role_group_names = set(ROLE_GROUP_NAMES.values())
+    for username, role_key in bootstrap_roles.items():
+        try:
+            user = user_model.objects.get(username=username)
+        except user_model.DoesNotExist:
+            continue
+        if user.groups.filter(name__in=role_group_names).exists():
+            continue
+        assign_user_role(user, role_key)
+
+
+def get_user_role_key(user) -> str:
+    if not getattr(user, 'is_authenticated', False):
+        return ROLE_STAFF
+    if getattr(user, 'is_superuser', False):
+        return ROLE_SUPER_ADMIN
+
+    group_names = set(user.groups.values_list('name', flat=True))
+    for role_key in (ROLE_SUPER_ADMIN, ROLE_ADMIN, ROLE_IT_STAFF, ROLE_STAFF):
+        if ROLE_GROUP_NAMES[role_key] in group_names:
+            return role_key
+
+    if getattr(user, 'is_staff', False):
+        return ROLE_ADMIN
+    return ROLE_STAFF
+
+
+def get_user_role_label(user) -> str:
+    return str(ROLE_LABELS[get_user_role_key(user)])
+
+
+def user_has_capability(user, capability: str) -> bool:
+    if not getattr(user, 'is_authenticated', False):
+        return False
+    if getattr(user, 'is_superuser', False):
+        return True
+    allowed_roles = CAPABILITIES.get(capability, set())
+    return get_user_role_key(user) in allowed_roles
+
+
+def template_role_context(user) -> dict[str, object]:
+    role_key = get_user_role_key(user)
+    return {
+        'role_key': role_key,
+        'role_label': str(ROLE_LABELS[role_key]),
+        'can_manage_users': user_has_capability(user, 'manage_users'),
+        'can_access_requests_dashboard': user_has_capability(user, 'access_requests_dashboard'),
+        'can_run_intro_session': user_has_capability(user, 'run_intro_session'),
+        'can_generate_intro_pdfs': user_has_capability(user, 'generate_intro_pdfs'),
+        'can_retry_requests': user_has_capability(user, 'retry_requests'),
+        'can_delete_requests': user_has_capability(user, 'delete_requests'),
+        'can_manage_integrations': user_has_capability(user, 'manage_integrations'),
+        'can_manage_welcome_emails': user_has_capability(user, 'manage_welcome_emails'),
+        'can_manage_builders': user_has_capability(user, 'manage_builders'),
+        'can_view_audit_log': user_has_capability(user, 'view_audit_log'),
+        'can_manage_backups': user_has_capability(user, 'manage_backups'),
+        'can_view_docs': user_has_capability(user, 'view_docs'),
+        'can_access_django_admin_link': user_has_capability(user, 'access_django_admin_link'),
+    }