v0.1.14 - b2b portal
@@ -184,6 +184,29 @@ def require_client_module_access(module_key: str, minimum_level: str = "view"):
return dependency
def require_ordering_admin_session(
session: AuthSession = Depends(get_auth_session),
db: Session = Depends(get_db),
) -> AuthSession:
"""Internal-side authorization for managing the ordering portal.
Accepts the single Lean admin (``role == "admin"``) or an internal Hunter
user holding ``manage`` on the ordering module. Client/customer users are
rejected — they use the customer-facing ``require_client_module_access``
dependency instead.
"""
if session.role == "admin":
return session
if session.role == "internal":
permissions = session.module_permissions or {}
if not has_access_level(permissions.get("ordering"), "manage"):
log_security_event("authz.denied", role=session.role, module="ordering", access_level="manage")
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Ordering administration requires manage access")
return session
log_security_event("authz.denied", role=session.role, module="ordering", required="admin")
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Ordering administration requires internal admin access")
def require_client_access_manager_session(
session: AuthSession = Depends(get_auth_session),
db: Session = Depends(get_db),
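Review bot: `db: Session = Depends(get_db)` in require_ordering_admin_session is never read anywhere in its body, so every request routed through this dependency acquires a database session it does not use; either drop that parameter or add a comment stating why it is kept, e.g. `# db: kept for signature parity with sibling dependencies — not used here`. The two `authz.denied` events also record the required level under different keys (`access_level="manage"` on the internal branch, `required="admin"` on the fall-through), which makes the events harder to filter uniformly if they are queried by field; `required="manage"` on the first call would align them. Falling through to a 403 for every role other than admin/internal is the right default-deny shape, and the docstring states the contract clearly. `require_client_access_manager_session` begins on the last lines of the hunk and its body lies outside it.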