39 lines
1.4 KiB
Python
39 lines
1.4 KiB
Python
from fastapi import Depends, HTTPException, status
|
|
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
|
|
from sqlalchemy.orm import Session
|
|
|
|
from app.core.security import decode_access_token
|
|
from app.db.session import get_db
|
|
from app.models import AdminUser
|
|
|
|
bearer_scheme = HTTPBearer(auto_error=False)
|
|
|
|
ROLE_ALIASES = {
|
|
"admin": "system_admin",
|
|
}
|
|
|
|
|
|
def get_current_admin(
|
|
credentials: HTTPAuthorizationCredentials | None = Depends(bearer_scheme),
|
|
db: Session = Depends(get_db),
|
|
) -> AdminUser:
|
|
if credentials is None:
|
|
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Not authenticated")
|
|
payload = decode_access_token(credentials.credentials)
|
|
if not payload:
|
|
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid token")
|
|
admin = db.get(AdminUser, int(payload["sub"]))
|
|
if not admin or admin.status != "active":
|
|
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Inactive user")
|
|
return admin
|
|
|
|
|
|
def require_roles(*role_codes: str):
|
|
def checker(admin: AdminUser = Depends(get_current_admin)) -> AdminUser:
|
|
role_code = ROLE_ALIASES.get(admin.role_code, admin.role_code)
|
|
if role_code not in role_codes:
|
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Permission denied")
|
|
return admin
|
|
|
|
return checker
|