From 01f2a29f0b5dc684b3818ebae3690cd892a65de7 Mon Sep 17 00:00:00 2001
From: Maciej Pienczyn
Date: Wed, 18 Feb 2026 20:07:34 +0100
Subject: [PATCH] fix: grant full permissions to MANAGER+ roles in get_or_create
Previously all new permission records had contacts/social/analytics disabled by default regardless of role. Now MANAGER+ users get full permissions automatically.
Co-Authored-By: Claude Opus 4.6
---
blueprints/admin/routes_users_api.py | 16 +++-------------
database.py | 21 +++++++++++++++++++--
2 files changed, 22 insertions(+), 15 deletions(-)
diff --git a/blueprints/admin/routes_users_api.py b/blueprints/admin/routes_users_api.py
index 7ca59fd..3cd4b35 100644
--- a/blueprints/admin/routes_users_api.py
+++ b/blueprints/admin/routes_users_api.py
@@ -343,20 +343,10 @@ def admin_users_change_role():
 # Note: company_role is now managed independently via change-company-role endpoint
- # Create default permissions for EMPLOYEE if they have a company
+ # Create default permissions if user has a company
 if new_role == 'EMPLOYEE' and user.company_id:
- existing_perms = db.query(UserCompanyPermissions).filter_by(
- user_id=user.id,
- company_id=user.company_id
- ).first()
-
- if not existing_perms:
- perms = UserCompanyPermissions(
- user_id=user.id,
- company_id=user.company_id,
- granted_by_id=current_user.id
- )
- db.add(perms)
+ perms = UserCompanyPermissions.get_or_create(db, user.id, user.company_id)
+ perms.granted_by_id = current_user.id
 db.commit()
diff --git a/database.py b/database.py
index d8e80bf..db87682 100644
--- a/database.py
+++ b/database.py
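Review bot: `perms.granted_by_id = current_user.id` now executes on every call, so for a permission row that already exists the original grantor is overwritten each time this endpoint runs, whereas the removed code set it only when the row was created; if `granted_by_id` is the audit record of who granted the permissions, that provenance is lost. Guarding it, `if perms.granted_by_id is None: perms.granted_by_id = current_user.id`, preserves the old semantics. Note also that `get_or_create` (see the `database.py` hunk) queries the `User` row for its company role to pick the defaults, so the defaults created here depend on whether the role change made earlier in `admin_users_change_role` is visible to that query at this point; the start of that function is outside the hunk. The rewritten comment `# Create default permissions if user has a company` no longer reflects that the `if` still fires only for `new_role == 'EMPLOYEE'`; keeping the `for EMPLOYEE` wording would be more accurate.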
@@ -613,14 +613,31 @@ class UserCompanyPermissions(Base):
 @classmethod
 def get_or_create(cls, session, user_id: int, company_id: int) -> 'UserCompanyPermissions':
- """Get existing permissions or create default ones."""
+ """Get existing permissions or create default ones.
+
+ MANAGER+ roles get full permissions automatically.
+ EMPLOYEE gets restricted defaults (no contacts/social/analytics).
+ """
 perms = session.query(cls).filter_by(
 user_id=user_id,
 company_id=company_id
 ).first()
 if not perms:
- perms = cls(user_id=user_id, company_id=company_id)
+ # Check if user has MANAGER+ role → grant full permissions
+ user = session.query(User).filter_by(id=user_id).first()
+ is_manager = False
+ if user:
+ role = user.get_company_role(company_id) if company_id else user.company_role_enum
+ is_manager = role >= CompanyRole.MANAGER
+
+ perms = cls(
+ user_id=user_id,
+ company_id=company_id,
+ can_edit_contacts=is_manager,
+ can_edit_social=is_manager,
+ can_view_analytics=is_manager,
+ )
 session.add(perms)
 session.flush()
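Review bot: `is_manager = role >= CompanyRole.MANAGER` raises `TypeError` when `get_company_role` or `company_role_enum` yields `None` for a user who exists but holds no role at this company, and it also assumes `CompanyRole` defines ordering; `is_manager = role is not None and role >= CompanyRole.MANAGER` (with an ordered-enum check if `CompanyRole` is not already one) avoids turning a missing role into a server error. The elevated defaults are also evaluated once and persisted: an existing row is returned untouched, so a user whose row was created while MANAGER keeps `can_edit_contacts`/`can_edit_social`/`can_view_analytics` after being moved to EMPLOYEE — and the `routes_users_api.py` hunk now calls this method precisely when `new_role == 'EMPLOYEE'`. Either re-evaluate those three flags on the existing row when the current role no longer qualifies, or have the change-role endpoint reset them explicitly on that path. The new docstring should make the scope explicit, e.g. `Role-based defaults are applied only when a new row is created; an existing row is returned unchanged.`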