"""
Permission system for Plutus payment processing application.
Provides role-based access control with three permission levels:
- Admin: Full access to all features
- Finance: All features except user management
- Helpdesk: View-only access + single payment processing
"""
from functools import wraps
from flask import abort, flash, redirect, url_for, request
from flask_login import current_user
# Permission levels. The numbers are ordered so that a higher level carries
# every right of the lower ones (Admin > Finance > Helpdesk); comparisons in
# has_permission() are ">=". Role names are matched exactly (case-sensitive),
# and any role missing from this table is treated as level 0, i.e. no access.
PERMISSION_LEVELS = dict(Admin=3, Finance=2, Helpdesk=1)
|
|
|
|
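def get_user_permission_level(user):
    """Return the numeric permission level for *user*.

    Args:
        user: A Flask-Login style user object, or None. Only its
            ``is_authenticated`` attribute and its ``Permissions`` attribute
            (the role name as a string) are read.

    Returns:
        int: 3 for Admin, 2 for Finance, 1 for Helpdesk, and 0 for anonymous
        or unauthenticated users and for a missing, empty, non-string or
        unrecognised role value. Callers treat 0 as "no access".
    """
    if not user or not user.is_authenticated:
        return 0

    # The role attribute may be absent, None, or padded with whitespace.
    # Anything that is not a string maps to 0 instead of raising on .strip(),
    # so a malformed role record denies access rather than crashing the view.
    raw_role = getattr(user, 'Permissions', None)
    if not isinstance(raw_role, str):
        return 0

    # Exact, case-sensitive match against the known roles; unknown -> 0.
    return PERMISSION_LEVELS.get(raw_role.strip(), 0)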
|
|
|
|
def has_permission(required_permission):
    """Return True when the current user's role is at or above *required_permission*.

    Anonymous and unauthenticated users never pass. A *required_permission*
    that is not a key of PERMISSION_LEVELS is treated as unattainable, so a
    misspelled role name in a caller denies access instead of granting it.

    Args:
        required_permission (str): One of the PERMISSION_LEVELS keys.

    Returns:
        bool
    """
    logged_in = bool(current_user) and current_user.is_authenticated
    if not logged_in:
        return False

    # 999 sits above every real level, so an unknown name fails closed.
    needed = PERMISSION_LEVELS.get(required_permission, 999)
    return get_user_permission_level(current_user) >= needed
|
|
|
|
def require_permission(required_permission):
    """Build a view decorator that enforces a minimum permission level.

    Unauthenticated requests are flashed a message and redirected to the
    login page with the current URL passed as ``next``; authenticated users
    below the required level are redirected to ``main.index``. Only when
    both checks pass is the wrapped view called.

    Args:
        required_permission (str): Permission level required ('Admin',
            'Finance', 'Helpdesk').

    Returns:
        A decorator that wraps a Flask view function.

    NOTE(review): the ``next`` value is request.url; the ``auth.login`` view
    (not in this file) is expected to verify it is a local URL before
    redirecting to it.
    """
    def decorator(view):
        @wraps(view)
        def guarded(*args, **kwargs):
            if not current_user.is_authenticated:
                flash('Please log in to access this page.', 'error')
                destination = url_for('auth.login', next=request.url)
            elif not has_permission(required_permission):
                flash('You do not have permission to access this page.', 'error')
                destination = url_for('main.index')
            else:
                return view(*args, **kwargs)
            return redirect(destination)
        return guarded
    return decorator
|
|
|
|
def admin_required(f):
    """View decorator: only users at the Admin level may reach *f*."""
    guard = require_permission('Admin')
    return guard(f)
|
|
|
|
def finance_required(f):
    """View decorator: Finance or Admin users may reach *f*."""
    guard = require_permission('Finance')
    return guard(f)
|
|
|
|
def helpdesk_required(f):
    """View decorator: any recognised role (Helpdesk or higher) may reach *f*."""
    guard = require_permission('Helpdesk')
    return guard(f)
|
|
|
|
# Template helper functions: thin, argument-free wrappers around
# has_permission() so templates can gate UI elements on the current user.
def can_manage_users():
    """Template helper: True only for Admin users (user management)."""
    return has_permission(required_permission='Admin')
|
|
|
|
def can_manage_payments():
    """Template helper: True for Finance or Admin users (payment management)."""
    return has_permission(required_permission='Finance')
|
|
|
|
def can_view_data():
    """Template helper: True for any user holding a recognised role.

    Requires Helpdesk level or higher, so an authenticated user whose role
    is missing or unknown (level 0) is denied, not merely logged in.
    """
    return has_permission(required_permission='Helpdesk')
|
|
|
|
def can_process_single_payments():
    """Template helper: True for Helpdesk or higher (single payment processing)."""
    return has_permission(required_permission='Helpdesk')
|
|
|
|
def can_manage_batch_payments():
    """Template helper: True for Finance or Admin users (batch payments)."""
    return has_permission(required_permission='Finance')
|
|
|
|
def can_manage_payment_plans():
    """Template helper: True for Finance or Admin users (payment plans)."""
    return has_permission(required_permission='Finance')
|
|
|
|
def can_view_logs():
    """Template helper: True for Finance or Admin users (system log access)."""
    return has_permission(required_permission='Finance')
|
|
|
|
def can_export_data():
    """Template helper: True for Finance or Admin users (data export)."""
    return has_permission(required_permission='Finance')
|