o =)j%@sdZddlmZddlZddlmZmZmZmZm Z ddl m Z e ddhZ e hdZe d d hZd:d dZd;ddZdd"d#Zd?d$d%Zd@d'd(ZdAd)d*Zd+d,dBd/d0ZdCd2d3Z dDdEd5d6ZdFd8d9ZdS)Gu Role + scope helpers for FastAPI. Design: additive / non-breaking rollout - Master admin, business admin, admin, and user roles keep full business access (current behavior). - Manager/agent scopes apply ONLY when explicit mappings exist in user_group_mapping / user_agent_mapping; otherwise those roles also see full business data (migration-safe). - Set RBAC_STRICT=1 to always enforce manager/agent scopes (even with empty mappings → no rows). ) annotationsN)AnyDictListOptionalTuple) AuthHandleradminbusiness_admin>userr r manageragentreturnboolcCstdddvS)N RBAC_STRICT)1trueyeson)osgetenvstriplowerrr//home/aiteam/pcaa-dev/dashboard-backend/rbac.py rbac_strictsrrole Optional[str]strcCs t|SN)rnormalize_role)rrrrr!s r!r Dict[str, Any]bidOptional[Dict[str, Any]]cCs`|sdS|drt|ddgddidS|dpgD]}t|dt|kr-|SqdS) N is_masterr *typeallr#r permissionsscope businessesr#)getr)r r#businessrrrget_business_entrys r/Freload auth_handlerrr1c s"|drtddgddidSt|}|s#tdgddidS|d }|rm|rm||p2g}tfd d |Dd }|rmt|d }t|dpT|||} t|dpb| ||} t|| | dSt|d }t|dp{g} t|dpddi} t|| | dS)zQReturn role, permissions, scope for one business (reload from DB when requested).r%r r&r'r(r)r noneidc3s*|]}t|dtkr|VqdS)r#N)rr-).0br#rr As(z+resolve_business_context..Nrr*r+r.) r-rr/get_user_businessesnextr!listget_permissions_for_userdictget_user_scope) r r#r2r1entryuser_idr,db_entryrr*r+rr7rresolve_business_context*s,   rB permissioncCsD|drdSt||||d}|dpg}d|vrdSt||vS)Nr%Tr0r*r&)r-rBr)r r#rCr2r1ctxpermsrrrhas_permissionOs  rFcCs2|drdSt||}|sdSt|dtvS)Nr%TFr)r-r/r! ADMIN_ROLES)r r#r?rrris_business_admin`s  rHr+cCs|sdSt|dp d}|dkrMdd|dpgD}dd|d p(gD}d d|d p4gD}d d|d p@gD}t|pK|pK|pK|S|dkr}dd|d pZgD}dd|d pfgD}dd|d prgD}t|p{|p{|SdS)NFr'rteamcSg|]}|r|qSrrr5grrr nz&scope_has_mappings.. groupnamescSrJrrr5arrrrMorN agent_namescSrJrrr5prrrrMprN agent_phonescSrJrrr5errrrMqrNagent_extensions own_agentcSrJrrrPrrrrMtrNcSrJrrrSrrrrMurNcSrJrrrVrrrrMvrN)rr-rr)r+ scope_typegroupsagentsphonesextsrrrscope_has_mappingsisr_cCsj|drdSt|||t|dd}|d}|tvrdS|tvr%dS|dp+i}tr1dSt|S)z7True when SQL/row filters should restrict visible data.r%Fr4r0rr+T)r-rBrFULL_ACCESS_ROLES SCOPED_ROLESrr_)r r#r2rDrr+rrrshould_apply_data_scope{s  rbr)aliasrdTuple[str, List[Any]]csht|dpd}|dvr|dkrdgfSdgfSggd#fd d }|dkrqdd|dp5gD}|rUddgt|}dd|d||d|dp]g|d|dpgg|dpmgn|dkr|d|dp}g|d|dpg|dpgstrdgfSdgfStdkrdfSd d!dfS)$zx Build AND (...) SQL fragment for raw_calls row filter. Returns ("", []) when scope is business-wide / all. r'r.)r(r.r3r3z1=0rcolumnrvalues List[Any]rNonec s`dd|D}|s dSddgt|}dd|d|dd d|DdS) NcSrJrrr5vrrrrMrNz@build_raw_call_scope_sql.._in_clause.., %s TRIM(CAST(.z AS CHAR)) IN ()cSsg|]}t|qSrrrrjrrrrMs)joinlenappendextend)rfrgclean placeholdersrdparamspartsrr _in_clauses z,build_raw_call_scope_sql.._in_clauserIcSrJrrrKrrrrMrNz,build_raw_call_scope_sql..rOrlrmrnz.groupname AS CHAR)) IN (rp agentnamerRagent_callinforUrXrYr(z OR N)rfrrgrhrri)rr-rrrrsrtrur)r+rdrZr{r[rwrrxrbuild_raw_call_scope_sqls4  $"  rrowc Cs|sdSt|dp d}|dvrdS|dkrdSt|dp'|dp'd }t|d p2d }t|d p=d }|d krd d|dpNgD}dd|dpZgD}dd|dpfgD}dd|dprgD} || B} |r||vrdS|r||vrdS| r|| vrdSdS|dkrdd|dpgD}dd|dpgD}dd|dpgD} || B} |r||vrdS| r|| vrdSdSdS)NFr'r.)r(r.Tr3r| agent_namerr} groupnamerIcSh|] }|rt|qSrrqrKrrr z'call_record_in_scope..rOcSrrrqr5nrrrrrrRcSrrrqrSrrrrrrUcSrrrqrVrrrrrrXrYcSrrrqrrrrrrcSrrrqrSrrrrrcSrrrqrVrrrrr)rr-rr) rr+rZrr}rr[namesr]r^ identifiersrrrcall_record_in_scopesD      rrequested_agent_namescCs\|r|St|||s dSt|||dddpi}dd|dp"gD}|s)dSd|S) zNReturn comma-separated agent names when scope should default the agent filter.NTr0r+cSsg|] }|rt|qSrrqrrrrrMrz3effective_agent_names_for_scope..rR,)rbrBr-rr)r r#r2rr+rrrreffective_agent_names_for_scopes  rrequested_groupnamecCs||r|St|||s dSt|||}|dpi}t|ddkr&dSdd|dp/gD}t|dkr<|d SdS) z For managers with a single assigned group and no explicit filter, default to that group. Otherwise pass through requested_groupname unchanged. Nr+r'rIcSrJrrrKrrrrMrNz1effective_groupname_for_scope..rOr~r)rbrBr-rrrs)r r#r2rrDr+r[rrreffective_groupname_for_scopes    r)rr)rrrr)r r"r#rrr$) r r"r#rr2rr1rrr") r r"r#rrCrr2rr1rrr)r r"r#rrr)r+r"rr)r r"r#rr2rrr)r+r"rdrrre)rr"r+r"rrr ) r r"r#rr2rrrrr) r r"r#rr2rrrrr)__doc__ __future__rrtypingrrrrrr2r frozensetrGr`rarr!r/rBrFrHr_rbrrrrrrrrs0        +   0-