feat: implement full RBAC role-based access control
Backend: - deps.py: add require_admin, require_manager, require_labeler, require_guest_or_above - user.py: all write endpoints require admin - datasource.py: write/sync endpoints require admin - metadata.py: sync endpoint requires admin - classification.py: category/rule write requires admin; results query requires guest+ with data isolation - project.py: GET requires manager with created_by filtering; DELETE checks ownership - task.py: my-tasks requires labeler with assignee_id filtering; create-task requires manager - dashboard.py: requires guest_or_above - report.py: requires guest_or_above - project_service: list_projects adds created_by filter; list_results adds project_ids filter Frontend: - stores/user.ts: add hasRole, hasAnyRole, isAdmin, isManager, isLabeler, isSuperadmin - router/index.ts: add roles to route meta; beforeEach checks role permissions - Layout.vue: filter menu routes by user roles - System.vue: hide add/edit/delete buttons for non-admins - DataSource.vue: hide add/edit/delete/sync buttons for non-admins - Project.vue: hide add/delete buttons for non-admins
This commit is contained in:
hiderfong
@@ -5,7 +5,7 @@ from sqlalchemy.orm import Session
|
||||
from app.core.database import get_db
|
||||
from app.models.user import User
|
||||
from app.schemas.common import ResponseModel, ListResponse
|
||||
from app.api.deps import get_current_user
|
||||
from app.api.deps import get_current_user, require_manager, require_labeler, _is_admin
|
||||
from app.services import task_service, project_service
|
||||
|
||||
router = APIRouter()
|
||||
@@ -15,9 +15,11 @@ router = APIRouter()
|
||||
def my_tasks(
|
||||
status: Optional[str] = Query(None),
|
||||
db: Session = Depends(get_db),
|
||||
current_user: User = Depends(get_current_user),
|
||||
current_user: User = Depends(require_labeler),
|
||||
):
|
||||
items, _ = task_service.list_tasks(db, assignee_id=current_user.id, status=status)
|
||||
# Data isolation: non-admin users only see tasks assigned to them
|
||||
assignee_id = None if _is_admin(current_user) else current_user.id
|
||||
items, _ = task_service.list_tasks(db, assignee_id=assignee_id, status=status)
|
||||
data = []
|
||||
for t in items:
|
||||
project = project_service.get_project(db, t.project_id)
|
||||
@@ -100,7 +102,7 @@ def create_task_for_project(
|
||||
assignee_id: int,
|
||||
target_type: str = Query("column"),
|
||||
db: Session = Depends(get_db),
|
||||
current_user: User = Depends(get_current_user),
|
||||
current_user: User = Depends(require_manager),
|
||||
):
|
||||
task = task_service.create_task(
|
||||
db, project_id=project_id, name=name,
|
||||
|
||||
Reference in New Issue
Block a user