fix: grant full permissions to MANAGER+ roles in get_or_create
Previously all new permission records had contacts/social/analytics disabled by default regardless of role. Now MANAGER+ users get full permissions automatically. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
parent
893ccf7551
commit
01f2a29f0b
@ -343,20 +343,10 @@ def admin_users_change_role():
|
|||||||
|
|
||||||
# Note: company_role is now managed independently via change-company-role endpoint
|
# Note: company_role is now managed independently via change-company-role endpoint
|
||||||
|
|
||||||
# Create default permissions for EMPLOYEE if they have a company
|
# Create default permissions if user has a company
|
||||||
if new_role == 'EMPLOYEE' and user.company_id:
|
if new_role == 'EMPLOYEE' and user.company_id:
|
||||||
existing_perms = db.query(UserCompanyPermissions).filter_by(
|
perms = UserCompanyPermissions.get_or_create(db, user.id, user.company_id)
|
||||||
user_id=user.id,
|
perms.granted_by_id = current_user.id
|
||||||
company_id=user.company_id
|
|
||||||
).first()
|
|
||||||
|
|
||||||
if not existing_perms:
|
|
||||||
perms = UserCompanyPermissions(
|
|
||||||
user_id=user.id,
|
|
||||||
company_id=user.company_id,
|
|
||||||
granted_by_id=current_user.id
|
|
||||||
)
|
|
||||||
db.add(perms)
|
|
||||||
|
|
||||||
db.commit()
|
db.commit()
|
||||||
|
|
||||||
|
|||||||
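Review bot: The guard `if new_role == 'EMPLOYEE' and user.company_id:` appears unchanged on the new side, so the reworded comment "Create default permissions if user has a company" no longer matches the code, and `get_or_create` is still skipped for every other role set through this endpoint. If the comment states the intent, the guard should become `if user.company_id:`; otherwise keep the old comment wording. Separately, `perms.granted_by_id = current_user.id` now also runs when the row already exists, so each role change to EMPLOYEE overwrites who originally granted the permissions. If that column serves as an audit trail, preserve the first grantor with `if perms.granted_by_id is None: perms.granted_by_id = current_user.id`. The body of admin_users_change_role starts above this hunk.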
21
database.py
21
database.py
@ -613,14 +613,31 @@ class UserCompanyPermissions(Base):
|
|||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
def get_or_create(cls, session, user_id: int, company_id: int) -> 'UserCompanyPermissions':
|
def get_or_create(cls, session, user_id: int, company_id: int) -> 'UserCompanyPermissions':
|
||||||
"""Get existing permissions or create default ones."""
|
"""Get existing permissions or create default ones.
|
||||||
|
|
||||||
|
MANAGER+ roles get full permissions automatically.
|
||||||
|
EMPLOYEE gets restricted defaults (no contacts/social/analytics).
|
||||||
|
"""
|
||||||
perms = session.query(cls).filter_by(
|
perms = session.query(cls).filter_by(
|
||||||
user_id=user_id,
|
user_id=user_id,
|
||||||
company_id=company_id
|
company_id=company_id
|
||||||
).first()
|
).first()
|
||||||
|
|
||||||
if not perms:
|
if not perms:
|
||||||
perms = cls(user_id=user_id, company_id=company_id)
|
# Check if user has MANAGER+ role → grant full permissions
|
||||||
|
user = session.query(User).filter_by(id=user_id).first()
|
||||||
|
is_manager = False
|
||||||
|
if user:
|
||||||
|
role = user.get_company_role(company_id) if company_id else user.company_role_enum
|
||||||
|
is_manager = role >= CompanyRole.MANAGER
|
||||||
|
|
||||||
|
perms = cls(
|
||||||
|
user_id=user_id,
|
||||||
|
company_id=company_id,
|
||||||
|
can_edit_contacts=is_manager,
|
||||||
|
can_edit_social=is_manager,
|
||||||
|
can_view_analytics=is_manager,
|
||||||
|
)
|
||||||
session.add(perms)
|
session.add(perms)
|
||||||
session.flush()
|
session.flush()
|
||||||
|
|
||||||
|
|||||||
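Review bot: The role is consulted only inside `if not perms:`, so `can_edit_contacts`, `can_edit_social` and `can_view_analytics` are fixed when the row is first created and an existing row is returned untouched. A user whose row was created while they held MANAGER keeps all three flags after being moved down to EMPLOYEE, and a user promoted later never receives them. The role-change path should reset the flags explicitly, or the docstring should state `Role is evaluated only when the record is created; existing records are not re-synced.` so callers do not rely on it for revocation. Also, `role >= CompanyRole.MANAGER` will raise if `get_company_role(company_id)` can return None for a user with no membership in that company (not visible here); `is_manager = role is not None and role >= CompanyRole.MANAGER` keeps the restricted default in that case. The class body continues outside the hunk.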