Move working documents to its own area, rename dashboard

2026-04-29 01:21:16 +12:00
parent 7e9663fa06
commit 761ebb050d
32 changed files with 1779 additions and 526 deletions
@@ -10,11 +10,11 @@ from app.db.migrations import bootstrap_schema, sync_tenant_ids
 from app.db.session import Base
 from app.main import app
 from app.models.assumption import FreightCostRule, PackagingCostRule, ProcessCostRule
-from app.models.client_access import ClientAccount, ClientFeatureAccess, ClientUser
+from app.models.client_access import ClientAccessAuditEvent, ClientAccount, ClientFeatureAccess, ClientUser
 from app.models.mix import Mix, MixIngredient
 from app.models.product import Product
 from app.models.raw_material import RawMaterial, RawMaterialPriceVersion
-from app.services.client_access_service import build_client_access_export, serialize_client_account
+from app.services.client_access_service import build_client_access_export, ensure_user_module_permissions, serialize_client_account
 from app.services.costing_engine import calculate_mix_cost, calculate_product_cost, calculate_raw_material_cost


@@ -101,6 +101,8 @@ def test_root_and_login_endpoints():
    assert client_login_response.status_code == 200
    assert client_login_response.json()["email"] == settings.client_email
    assert client_login_response.json()["tenant_id"] == settings.client_tenant_id
+    assert client_login_response.json()["client_role"] == "superadmin"
+    assert client_login_response.json()["module_permissions"]["client_access"] == "manage"

    admin_login_response = client.post(
        "/api/auth/admin/login",
@@ -125,7 +127,7 @@ def test_client_access_export_helpers():
            ClientUser(
                full_name="Amelia Hart",
                email="amelia.hart@specialtyfeeds.example",
-                role="admin",
+                role="superadmin",
                status="active",
                is_new_user=False,
            ),
@@ -155,6 +157,23 @@ def test_client_access_export_helpers():
        ]
    )
    db.add(client)
+    db.flush()
+    for user in client.users:
+        ensure_user_module_permissions(db, user)
+    client.audit_events.append(
+        ClientAccessAuditEvent(
+            tenant_id=client.tenant_id,
+            actor_type="lean_admin",
+            actor_name="Lean 101",
+            actor_email="admin@lean101.local",
+            actor_role="admin",
+            action="client_access.seeded",
+            target_type="client_account",
+            target_id=client.id,
+            module_key="client_access",
+            summary="Initial client access controls were seeded.",
+        )
+    )
    db.commit()
    db.refresh(client)

@@ -167,6 +186,8 @@ def test_client_access_export_helpers():
    assert export["client_rows"][0]["client_code"] == "SPEC"
    assert export["user_rows"][0]["client_name"] == "Specialty Feeds"
    assert len(export["feature_rows"]) == 2
+    assert len(export["permission_rows"]) >= 1
+    assert len(export["audit_rows"]) == 1


 def test_client_access_endpoints():
@@ -181,10 +202,52 @@ def test_client_access_endpoints():
        access_response = client.get("/api/client-access", headers=headers)
        assert access_response.status_code == 200
        assert len(access_response.json()) >= 1
+        assert "audit_history" in access_response.json()[0]
+        assert "module_permissions" in access_response.json()[0]["users"][0]

        export_response = client.get("/api/powerbi/client-access", headers=headers)
        assert export_response.status_code == 200
        assert "client_rows" in export_response.json()
+        assert "permission_rows" in export_response.json()
+
+        client_login_response = client.post(
+            "/api/auth/client/login",
+            json={"email": settings.client_email, "password": settings.client_password},
+        )
+        client_headers = {"Authorization": f"Bearer {client_login_response.json()['token']}"}
+        superadmin_access_response = client.get("/api/client-access", headers=client_headers)
+        assert superadmin_access_response.status_code == 200
+        assert len(superadmin_access_response.json()) == 1
+
+
+def test_module_permission_blocks_client_module_access():
+    with TestClient(app) as client:
+        admin_login_response = client.post(
+            "/api/auth/admin/login",
+            json={"email": settings.admin_email, "password": settings.admin_password},
+        )
+        admin_headers = {"Authorization": f"Bearer {admin_login_response.json()['token']}"}
+        access_response = client.get("/api/client-access", headers=admin_headers)
+        first_client = access_response.json()[0]
+        first_user = first_client["users"][0]
+
+        permission = next(
+            permission for permission in first_user["module_permissions"] if permission["module_key"] == "raw_materials"
+        )
+        client.patch(
+            f"/api/client-access/users/{first_user['id']}/module-permissions/{permission['module_key']}",
+            json={"access_level": "none"},
+            headers=admin_headers,
+        )
+
+        client_login_response = client.post(
+            "/api/auth/client/login",
+            json={"email": settings.client_email, "password": settings.client_password},
+        )
+        client_headers = {"Authorization": f"Bearer {client_login_response.json()['token']}"}
+        raw_materials_response = client.get("/api/raw-materials", headers=client_headers)
+
+        assert raw_materials_response.status_code == 403


 def test_bootstrap_schema_creates_missing_tables_and_patches_legacy_tenant_columns():