From 4de962d7d6bee3ba3d2b3a254c11755b3cfd2ac6 Mon Sep 17 00:00:00 2001
From: ValueOn AG
Date: Sat, 24 Jan 2026 09:58:15 +0100
Subject: [PATCH] access rules editor fixed
---
 .../features/trustee/routeFeatureTrustee.py | 30 ++++++++++---------
 modules/routes/routeAdminFeatures.py | 28 +++++++++--------
 2 files changed, 32 insertions(+), 26 deletions(-)
diff --git a/modules/features/trustee/routeFeatureTrustee.py b/modules/features/trustee/routeFeatureTrustee.py
index 9e30951a..4e796a7e 100644
--- a/modules/features/trustee/routeFeatureTrustee.py
+++ b/modules/features/trustee/routeFeatureTrustee.py
@@ -1280,11 +1280,13 @@ async def getInstanceRole(
 mandateId = await _validateInstanceAdmin(instanceId, context)
 rootInterface = getRootInterface()
- role = rootInterface.db.getRecord(Role, roleId)
+ roles = rootInterface.db.getRecordset(Role, recordFilter={"id": roleId})
- if not role:
+ if not roles:
 raise HTTPException(status_code=404, detail=f"Role {roleId} not found")
+ role = roles[0]
+
 # Verify role belongs to this instance
 if role.get("featureInstanceId") != instanceId:
 raise HTTPException(status_code=404, detail=f"Role {roleId} not found in this instance")
@@ -1309,8 +1311,8 @@ async def getInstanceRoleRules(
 rootInterface = getRootInterface()
 # Verify role belongs to this instance
- role = rootInterface.db.getRecord(Role, roleId)
- if not role or role.get("featureInstanceId") != instanceId:
+ roles = rootInterface.db.getRecordset(Role, recordFilter={"id": roleId})
+ if not roles or roles[0].get("featureInstanceId") != instanceId:
 raise HTTPException(status_code=404, detail=f"Role {roleId} not found in this instance")
 # Get AccessRules for this role
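Review bot: In getInstanceRole (hunk at 1280) the new code still returns two different 404 details, `Role {roleId} not found` for an unknown id and `Role {roleId} not found in this instance` for a record that exists under another instance, so an admin of one instance can tell whether a role id exists elsewhere. The other four handlers touched by this patch fold both cases into one condition. Doing the same here, `if not roles or roles[0].get("featureInstanceId") != instanceId:` with the single "not found in this instance" detail, removes that difference. The handler's signature and return lie outside the hunk.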
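Review bot: The role-ownership check in getInstanceRoleRules (hunk at 1309) is the only visible guard between a lookup made through `getRootInterface()`, which by its name is presumably not scoped to the caller, and another instance's records. This patch repeats the check verbatim in createInstanceRoleRule, updateInstanceRoleRule and deleteInstanceRoleRule (hunks at 1343, 1394 and 1445), and the last two also share a copy-pasted rule check. A private helper that returns the verified record or raises the 404 would stop the copies drifting apart the next time the lookup API changes, as it did here. Whether `getRecordset` can return more than one row for an id filter is not visible in the patch; if it can, the helper is also the place to reject that. Each handler body continues outside its hunk.

```python
def _getRoleInInstance(rootInterface, roleId: str, instanceId: str):
    """Return the Role record for roleId, or raise 404 unless it belongs to instanceId."""
    roles = rootInterface.db.getRecordset(Role, recordFilter={"id": roleId})
    if not roles or roles[0].get("featureInstanceId") != instanceId:
        raise HTTPException(status_code=404, detail=f"Role {roleId} not found in this instance")
    return roles[0]

# ... unchanged: rootInterface = getRootInterface() in each handler ...
role = _getRoleInInstance(rootInterface, roleId, instanceId)
```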
@@ -1343,8 +1345,8 @@ async def createInstanceRoleRule(
 rootInterface = getRootInterface()
 # Verify role belongs to this instance
- role = rootInterface.db.getRecord(Role, roleId)
- if not role or role.get("featureInstanceId") != instanceId:
+ roles = rootInterface.db.getRecordset(Role, recordFilter={"id": roleId})
+ if not roles or roles[0].get("featureInstanceId") != instanceId:
 raise HTTPException(status_code=404, detail=f"Role {roleId} not found in this instance")
 # Create the rule
@@ -1394,13 +1396,13 @@ async def updateInstanceRoleRule(
 rootInterface = getRootInterface()
 # Verify role belongs to this instance
- role = rootInterface.db.getRecord(Role, roleId)
- if not role or role.get("featureInstanceId") != instanceId:
+ roles = rootInterface.db.getRecordset(Role, recordFilter={"id": roleId})
+ if not roles or roles[0].get("featureInstanceId") != instanceId:
 raise HTTPException(status_code=404, detail=f"Role {roleId} not found in this instance")
 # Verify rule belongs to role
- existingRule = rootInterface.db.getRecord(AccessRule, ruleId)
- if not existingRule or existingRule.get("roleId") != roleId:
+ existingRules = rootInterface.db.getRecordset(AccessRule, recordFilter={"id": ruleId})
+ if not existingRules or existingRules[0].get("roleId") != roleId:
 raise HTTPException(status_code=404, detail=f"Rule {ruleId} not found for this role")
 # Update only allowed fields
@@ -1445,13 +1447,13 @@ async def deleteInstanceRoleRule(
 rootInterface = getRootInterface()
 # Verify role belongs to this instance
- role = rootInterface.db.getRecord(Role, roleId)
- if not role or role.get("featureInstanceId") != instanceId:
+ roles = rootInterface.db.getRecordset(Role, recordFilter={"id": roleId})
+ if not roles or roles[0].get("featureInstanceId") != instanceId:
 raise HTTPException(status_code=404, detail=f"Role {roleId} not found in this instance")
 # Verify rule belongs to role
- existingRule = rootInterface.db.getRecord(AccessRule, ruleId)
- if not existingRule or existingRule.get("roleId") != roleId:
+ existingRules = rootInterface.db.getRecordset(AccessRule, recordFilter={"id": ruleId})
+ if not existingRules or existingRules[0].get("roleId") != roleId:
 raise HTTPException(status_code=404, detail=f"Rule {ruleId} not found for this role")
 try:
diff --git a/modules/routes/routeAdminFeatures.py b/modules/routes/routeAdminFeatures.py
index 9cb023c6..265a3a5c 100644
--- a/modules/routes/routeAdminFeatures.py
+++ b/modules/routes/routeAdminFeatures.py
@@ -164,8 +164,8 @@ async def getMyFeatureInstances(
 "_mandateId": mandateId # Temporary for grouping
 }
- # Get user's role in this instance
- userRole = _getUserRoleInInstance(rootInterface, str(context.user.id), str(instance.id))
+ # Get user's roles in this instance (can have multiple)
+ userRoles = _getUserRolesInInstance(rootInterface, str(context.user.id), str(instance.id))
 # Get permissions for this instance
 permissions = _getInstancePermissions(rootInterface, str(context.user.id), str(instance.id))
@@ -177,7 +177,7 @@ async def getMyFeatureInstances(
 "mandateId": mandateId,
 "mandateName": mandatesMap[mandateId]["name"],
 "instanceLabel": instance.label,
- "userRole": userRole,
+ "userRoles": userRoles,
 "permissions": permissions
 })
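Review bot: The response key changes from `"userRole"` (a string) to `"userRoles"` (a list) in the second getMyFeatureInstances hunk (at 177) with no transition, so any consumer that still reads `userRole` now receives nothing. If a client uses that label to decide which controls to show, it would silently take its missing-value branch; the consumers are not part of this patch, so this needs checking. Keeping the old key for one release, for example `"userRole": userRoles[0],` next to the new one, would avoid that. On the return paths visible in this patch `_getUserRolesInInstance` never returns an empty list, so the index is safe.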
@@ -196,8 +196,8 @@ async def getMyFeatureInstances(
 )
-def _getUserRoleInInstance(rootInterface, userId: str, instanceId: str) -> str:
- """Get the user's primary role label in a feature instance."""
+def _getUserRolesInInstance(rootInterface, userId: str, instanceId: str) -> List[str]:
+ """Get all role labels for a user in a feature instance."""
 try:
 from modules.datamodels.datamodelRbac import Role
 from modules.datamodels.datamodelMembership import FeatureAccess, FeatureAccessRole
@@ -218,15 +218,19 @@ def _getUserRoleInInstance(rootInterface, userId: str, instanceId: str) -> str:
 )
 if featureAccessRoles:
- roleId = featureAccessRoles[0].get("roleId")
- roles = rootInterface.db.getRecordset(Role, recordFilter={"id": roleId})
- if roles:
- return roles[0].get("roleLabel", "user")
+ # Get ALL roles, not just the first one
+ roleLabels = []
+ for far in featureAccessRoles:
+ roleId = far.get("roleId")
+ roles = rootInterface.db.getRecordset(Role, recordFilter={"id": roleId})
+ if roles:
+ roleLabels.append(roles[0].get("roleLabel", "user"))
+ return roleLabels if roleLabels else ["user"]
- return "user" # Default
+ return ["user"] # Default
 except Exception as e:
- logger.debug(f"Error getting user roles: {e}")
- return "user"
+ logger.debug(f"Error getting user roles: {e}")
+ return ["user"]
 def _getInstancePermissions(rootInterface, userId: str, instanceId: str) -> Dict[str, Any]:
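Review bot: The new docstring in the hunk at 196 does not mention the fallback: every return path visible in this patch yields `["user"]` when no label resolves or the lookup raises, and callers cannot tell that from a real "user" role. I would document it, e.g. `"""Return all role labels the user holds in the instance; falls back to ["user"] when none resolve or the lookup fails."""`. The return annotation now uses `List`; the file's import block is outside the diff and only `Dict` and `Any` are visibly in use, so confirm `List` is imported from `typing`.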
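Review bot: The `except Exception` branch at the end of `_getUserRolesInInstance` (hunk at 218) still reports a failed lookup as `["user"]` and logs it only at debug level, so a database error looks exactly like a user who holds the "user" role. A `FeatureAccessRole` whose `roleId` no longer resolves is skipped in the loop without any trace. I would raise the log level, `logger.warning(f"Error getting user roles for user {userId} in instance {instanceId}: {e}")`, and log the skipped `roleId` in the loop as well. The loop also issues one `getRecordset` call per assigned role, which is worth a short comment if role counts are expected to stay small. The start of the try block is outside the hunk.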