from beanie import Document
from pydantic import Field
from typing import Optional, Dict, Any, List
from datetime import datetime
from enum import Enum

class PermissionType(str, Enum):
    """Action a permission grants on a resource.

    A ``str`` mixin enum: ``.value`` is the exact string stored in the document
    and compared against the requested action in
    ``Permission.matches_resource_action``. That comparison is literal, so
    ``ADMIN`` does not imply ``READ``/``WRITE``/``DELETE``.
    """
    READ = "read"
    WRITE = "write"
    DELETE = "delete"
    ADMIN = "admin"
    EXECUTE = "execute"  # Not used by the defaults seeded in Permission.create_system_permissions

class ResourceType(str, Enum):
    """Kind of object a permission applies to.

    ``Permission.matches_resource_action`` compares the requested resource
    string against ``.value`` exactly, so callers must pass these literals.
    """
    USER = "user"
    PROFILE = "profile"
    POST = "post"  # No default permission for this type is seeded in this file
    COMMENT = "comment"  # No default permission for this type is seeded in this file
    SYSTEM = "system"
    ANALYTICS = "analytics"
    SETTINGS = "settings"

class Permission(Document):
    """Beanie document describing one named permission (e.g. ``"user.read"``).

    A permission pairs a :class:`ResourceType` with a :class:`PermissionType`,
    optionally narrowed by a free-form ``scope`` string and a ``conditions``
    mapping, and may link to parent/child permissions by *name*. The ``name``
    index is deliberately non-unique (see ``Settings``), so every lookup by
    name in this class assumes the caller keeps names unique.
    """
    # Permission Identity
    name: str = Field(..., min_length=3, max_length=100)  # e.g., "user.read", "post.write"
    display_name: str  # Human-readable name
    description: Optional[str] = None
    
    # Permission Details
    resource_type: ResourceType
    permission_type: PermissionType
    
    # Scoping
    scope: Optional[str] = None  # e.g., "own", "all", "department"
    # Typed as Any: nothing in this file validates or evaluates these
    # conditions, so their shape and meaning are entirely up to callers.
    conditions: Dict[str, Any] = Field(default_factory=dict)  # JSON conditions
    
    # Hierarchy
    # Links are stored as permission *names*, not document ids. Because the
    # "name" index is not unique, a duplicated name makes these lookups ambiguous.
    parent_permission: Optional[str] = None  # Reference to parent permission
    child_permissions: List[str] = Field(default_factory=list)
    
    # Status
    is_active: bool = True
    # Marker only: nothing in this file prevents a system permission from being
    # deleted or edited, so that rule must be enforced by the service layer.
    is_system_permission: bool = False  # Cannot be deleted
    
    # Metadata
    # NOTE(review): datetime.utcnow() returns a *naive* datetime and is deprecated
    # since Python 3.12; comparing it with timezone-aware values raises TypeError.
    created_at: datetime = Field(default_factory=datetime.utcnow)
    # Set only at construction; nothing in this file refreshes it on later saves.
    updated_at: datetime = Field(default_factory=datetime.utcnow)
    created_by: Optional[str] = None  # User ID who created this permission
    
    class Config:
        arbitrary_types_allowed = True
    
    class Settings:
        name = "permissions"
        indexes = [
            "name",  # Simple index, not unique to avoid conflicts
            "resource_type",
            "permission_type",
            "is_active",
            "is_system_permission",
            "created_at"
        ]

    @classmethod
    async def create_system_permissions(cls):
        """Insert the default system permissions that are not yet present.

        For each entry below a ``find_one`` on ``name`` is issued and the
        document is saved only when no match exists. Existing documents are
        never updated, so later edits to this list do not reach an
        already-seeded database. The check-then-save pair is not atomic and
        the ``name`` index is not unique, so concurrent callers (e.g. several
        application instances starting at once) can still insert duplicates.
        """
        system_permissions = [
            # User permissions
            {
                "name": "user.read",
                "display_name": "Read Users",
                "description": "View user information",
                "resource_type": ResourceType.USER,
                "permission_type": PermissionType.READ,
                "is_system_permission": True
            },
            {
                "name": "user.write",
                "display_name": "Write Users", 
                "description": "Create and update users",
                "resource_type": ResourceType.USER,
                "permission_type": PermissionType.WRITE,
                "is_system_permission": True
            },
            {
                "name": "user.delete",
                "display_name": "Delete Users",
                "description": "Delete user accounts",
                "resource_type": ResourceType.USER,
                "permission_type": PermissionType.DELETE,
                "is_system_permission": True
            },
            {
                "name": "user.admin",
                "display_name": "User Admin",
                "description": "Full user management access",
                "resource_type": ResourceType.USER,
                "permission_type": PermissionType.ADMIN,
                "is_system_permission": True
            },
            
            # Profile permissions
            {
                "name": "profile.read.own",
                "display_name": "Read Own Profile",
                "description": "View own profile information",
                "resource_type": ResourceType.PROFILE,
                "permission_type": PermissionType.READ,
                "scope": "own",
                "is_system_permission": True
            },
            {
                "name": "profile.read.all",
                "display_name": "Read All Profiles", 
                "description": "View all user profiles",
                "resource_type": ResourceType.PROFILE,
                "permission_type": PermissionType.READ,
                "scope": "all",
                "is_system_permission": True
            },
            {
                "name": "profile.write.own",
                "display_name": "Edit Own Profile",
                "description": "Update own profile information",
                "resource_type": ResourceType.PROFILE,
                "permission_type": PermissionType.WRITE,
                "scope": "own", 
                "is_system_permission": True
            },
            {
                "name": "profile.write.all",
                "display_name": "Edit All Profiles",
                "description": "Update any user profile",
                "resource_type": ResourceType.PROFILE,
                "permission_type": PermissionType.WRITE,
                "scope": "all",
                "is_system_permission": True
            },
            
            # System permissions
            {
                "name": "system.admin",
                "display_name": "System Administrator",
                "description": "Full system access",
                "resource_type": ResourceType.SYSTEM,
                "permission_type": PermissionType.ADMIN,
                "is_system_permission": True
            },
            {
                "name": "system.settings.read",
                "display_name": "Read System Settings",
                "description": "View system configuration",
                "resource_type": ResourceType.SETTINGS,
                "permission_type": PermissionType.READ,
                "is_system_permission": True
            },
            {
                "name": "system.settings.write",
                "display_name": "Write System Settings",
                "description": "Modify system configuration",
                "resource_type": ResourceType.SETTINGS,
                "permission_type": PermissionType.WRITE,
                "is_system_permission": True
            },
            
            # Analytics permissions
            {
                "name": "analytics.read",
                "display_name": "Read Analytics",
                "description": "View system analytics and reports",
                "resource_type": ResourceType.ANALYTICS,
                "permission_type": PermissionType.READ,
                "is_system_permission": True
            }
        ]
        
        for perm_data in system_permissions:
            # One round-trip per entry; duplicates are only avoided by this check.
            existing = await cls.find_one(cls.name == perm_data["name"])
            if not existing:
                permission = cls(**perm_data)
                await permission.save()

    def matches_resource_action(self, resource: str, action: str, scope: Optional[str] = None) -> bool:
        """Return True if this permission covers ``resource``/``action`` (and ``scope``).

        Matching is literal: ``resource`` must equal ``resource_type.value`` and
        ``action`` must equal ``permission_type.value``. There is no implied
        hierarchy, so an ``ADMIN`` permission does not satisfy a ``READ`` check.

        Scope is compared only when *both* sides supply one. Consequently a
        permission scoped to ``"own"`` matches a request that passes no scope,
        and an unscoped permission matches any requested scope. Callers that
        rely on scope to limit access must therefore always pass ``scope``.

        Args:
            resource: Resource name, compared against ``ResourceType`` values.
            action: Action name, compared against ``PermissionType`` values.
            scope: Requested scope, or None to skip the scope comparison.
        """
        # Basic matching
        if self.resource_type.value != resource or self.permission_type.value != action:
            return False
        
        # Scope matching -- skipped entirely when either side has no scope.
        if scope and self.scope and self.scope != scope:
            return False
            
        return True

    async def get_child_permissions(self) -> List["Permission"]:
        """Return the active permissions named in ``child_permissions``.

        Returns an empty list without querying when there are no children.
        Only documents with ``is_active`` true are returned; inactive children
        and names that match no document are silently omitted.
        """
        if not self.child_permissions:
            return []
        
        return await Permission.find(
            {"name": {"$in": self.child_permissions}},
            Permission.is_active == True
        ).to_list()

    async def get_parent_permission(self) -> Optional["Permission"]:
        """Return the permission named by ``parent_permission``, or None if unset.

        Unlike ``get_child_permissions`` this does not filter on ``is_active``,
        so an inactive parent is still returned. With a duplicated name,
        ``find_one`` yields an arbitrary matching document.
        """
        if not self.parent_permission:
            return None
        
        return await Permission.find_one(Permission.name == self.parent_permission)
