fixed automation and trustee

2026-01-24 02:06:49 +01:00 · 2026-01-24 02:06:49 +01:00 · 50e3fce12b
commit 50e3fce12b
parent a0b9a6e4b5
8 changed files with 296 additions and 35 deletions
--- a/app.py
+++ b/app.py
@ -47,6 +47,9 @@ class DailyRotatingFileHandler(RotatingFileHandler):
    def _updateFileIfNeeded(self):
        """Update the log file if the date has changed"""
        # Guard against interpreter shutdown when datetime may be None
        if datetime is None:
            return False
        today = datetime.now().strftime("%Y%m%d")
        if self.currentDate != today:
--- a/modules/features/automation/routeFeatureAutomation.py
+++ b/modules/features/automation/routeFeatureAutomation.py
@ -14,7 +14,7 @@ import json
 # Import interfaces and models
 from modules.interfaces.interfaceDbChat import getInterface as getChatInterface
-from modules.auth import getCurrentUser, limiter
+from modules.auth import getCurrentUser, limiter, getRequestContext, RequestContext
 from modules.features.automation.datamodelFeatureAutomation import AutomationDefinition
 from modules.datamodels.datamodelChat import ChatWorkflow
 from modules.datamodels.datamodelPagination import PaginationParams, PaginatedResponse, PaginationMetadata, normalize_pagination_dict
@ -46,7 +46,7 @@ router = APIRouter(
 async def get_automations(
    request: Request,
    pagination: Optional[str] = Query(None, description="JSON-encoded PaginationParams object"),
-    currentUser = Depends(getCurrentUser)
+    context: RequestContext = Depends(getRequestContext)
 ) -> PaginatedResponse[AutomationDefinition]:
    """
    Get automation definitions with optional pagination, sorting, and filtering.
@ -69,7 +69,7 @@ async def get_automations(
                    detail=f"Invalid pagination parameter: {str(e)}"
                )
-        chatInterface = getChatInterface(currentUser)
+        chatInterface = getChatInterface(context.user, mandateId=str(context.mandateId) if context.mandateId else None, featureInstanceId=str(context.featureInstanceId) if context.featureInstanceId else None)
        result = chatInterface.getAllAutomationDefinitions(pagination=paginationParams)
        # If pagination was requested, result is PaginatedResult
@ -111,11 +111,11 @@ async def get_automations(
 async def create_automation(
    request: Request,
    automation: AutomationDefinition,
-    currentUser = Depends(getCurrentUser)
+    context: RequestContext = Depends(getRequestContext)
 ) -> AutomationDefinition:
    """Create a new automation definition"""
    try:
-        chatInterface = getChatInterface(currentUser)
+        chatInterface = getChatInterface(context.user, mandateId=str(context.mandateId) if context.mandateId else None, featureInstanceId=str(context.featureInstanceId) if context.featureInstanceId else None)
        automationData = automation.model_dump()
        created = chatInterface.createAutomationDefinition(automationData)
        return created
@ -132,7 +132,7 @@ async def create_automation(
@limiter.limit("30/minute")
 async def get_automation_templates(
    request: Request,
-    currentUser = Depends(getCurrentUser)
+    context: RequestContext = Depends(getRequestContext)
 ) -> JSONResponse:
    """
    Get automation templates from backend module.
@ -160,11 +160,11 @@ async def get_automation_attributes(
 async def get_automation(
    request: Request,
    automationId: str = Path(..., description="Automation ID"),
-    currentUser = Depends(getCurrentUser)
+    context: RequestContext = Depends(getRequestContext)
 ) -> AutomationDefinition:
    """Get a single automation definition by ID"""
    try:
-        chatInterface = getChatInterface(currentUser)
+        chatInterface = getChatInterface(context.user, mandateId=str(context.mandateId) if context.mandateId else None, featureInstanceId=str(context.featureInstanceId) if context.featureInstanceId else None)
        automation = chatInterface.getAutomationDefinition(automationId)
        if not automation:
            raise HTTPException(
@ -188,11 +188,11 @@ async def update_automation(
    request: Request,
    automationId: str = Path(..., description="Automation ID"),
    automation: AutomationDefinition = Body(...),
-    currentUser = Depends(getCurrentUser)
+    context: RequestContext = Depends(getRequestContext)
 ) -> AutomationDefinition:
    """Update an automation definition"""
    try:
-        chatInterface = getChatInterface(currentUser)
+        chatInterface = getChatInterface(context.user, mandateId=str(context.mandateId) if context.mandateId else None, featureInstanceId=str(context.featureInstanceId) if context.featureInstanceId else None)
        automationData = automation.model_dump()
        updated = chatInterface.updateAutomationDefinition(automationId, automationData)
        return updated
@ -215,11 +215,11 @@ async def update_automation(
 async def delete_automation(
    request: Request,
    automationId: str = Path(..., description="Automation ID"),
-    currentUser = Depends(getCurrentUser)
+    context: RequestContext = Depends(getRequestContext)
 ) -> Response:
    """Delete an automation definition"""
    try:
-        chatInterface = getChatInterface(currentUser)
+        chatInterface = getChatInterface(context.user, mandateId=str(context.mandateId) if context.mandateId else None, featureInstanceId=str(context.featureInstanceId) if context.featureInstanceId else None)
        success = chatInterface.deleteAutomationDefinition(automationId)
        if success:
            return Response(status_code=204)
@ -244,15 +244,15 @@ async def delete_automation(
@router.post("/{automationId}/execute", response_model=ChatWorkflow)
@limiter.limit("5/minute")
-async def execute_automation(
+async def execute_automation_route(
    request: Request,
    automationId: str = Path(..., description="Automation ID"),
-    currentUser = Depends(getCurrentUser)
+    context: RequestContext = Depends(getRequestContext)
 ) -> ChatWorkflow:
    """Execute an automation immediately (test mode)"""
    try:
        from modules.services import getInterface as getServices
-        services = getServices(currentUser, None)
+        services = getServices(context.user, context.mandateId)
        workflow = await executeAutomation(automationId, services)
        return workflow
    except HTTPException:
--- a/modules/features/featureRegistry.py
+++ b/modules/features/featureRegistry.py
@ -37,6 +37,7 @@ def discoverFeatureContainers() -> List[str]:
 def loadFeatureRouters(app: FastAPI) -> Dict[str, Any]:
    """
    Dynamically load and register routers from all discovered feature containers.
    Also registers feature template roles and AccessRules in the database.
    """
    results = {}
    pattern = os.path.join(FEATURES_DIR, "*", "routeFeature*.py")
@ -64,6 +65,15 @@ def loadFeatureRouters(app: FastAPI) -> Dict[str, Any]:
            logger.error(f"Failed to load router from {featureDir}: {e}")
            results[featureDir] = {"status": "error", "error": str(e)}
    # Register features in RBAC catalog and sync template roles to database
    from modules.security.rbacCatalog import getCatalogService
    catalogService = getCatalogService()
    registrationResults = registerAllFeaturesInCatalog(catalogService)
    for featureName, success in registrationResults.items():
        if featureName in results:
            results[featureName]["rbac_registered"] = success
    return results
--- a/modules/features/trustee/mainTrustee.py
+++ b/modules/features/trustee/mainTrustee.py
@ -103,7 +103,8 @@ RESOURCE_OBJECTS = [
    },
 ]
-# Template roles for this feature
+# Template roles for this feature with AccessRules
 # Each role defines default UI and DATA permissions
 TEMPLATE_ROLES = [
    {
        "roleLabel": "trustee-admin",
@ -111,7 +112,13 @@ TEMPLATE_ROLES = [
            "en": "Trustee Administrator - Full access to all trustee data and settings",
            "de": "Treuhand-Administrator - Vollzugriff auf alle Treuhand-Daten und Einstellungen",
            "fr": "Administrateur fiduciaire - Accès complet aux données et paramètres fiduciaires"
-        }
+        },
        "accessRules": [
            # Full UI access
            {"context": "UI", "item": None, "view": True},
            # Full DATA access
            {"context": "DATA", "item": None, "view": True, "read": "a", "create": "a", "update": "a", "delete": "a"},
        ]
    },
    {
        "roleLabel": "trustee-accountant",
@ -119,7 +126,13 @@ TEMPLATE_ROLES = [
            "en": "Trustee Accountant - Manage accounting and financial data",
            "de": "Treuhand-Buchhalter - Buchhaltungs- und Finanzdaten verwalten",
            "fr": "Comptable fiduciaire - Gérer les données comptables et financières"
-        }
+        },
        "accessRules": [
            # Full UI access
            {"context": "UI", "item": None, "view": True},
            # Group-level DATA access
            {"context": "DATA", "item": None, "view": True, "read": "g", "create": "g", "update": "g", "delete": "g"},
        ]
    },
    {
        "roleLabel": "trustee-client",
@ -127,7 +140,13 @@ TEMPLATE_ROLES = [
            "en": "Trustee Client - View own accounting data and documents",
            "de": "Treuhand-Kunde - Eigene Buchhaltungsdaten und Dokumente einsehen",
            "fr": "Client fiduciaire - Consulter ses propres données comptables et documents"
-        }
+        },
        "accessRules": [
            # Full UI access
            {"context": "UI", "item": None, "view": True},
            # Own records only (MY level)
            {"context": "DATA", "item": None, "view": True, "read": "m", "create": "m", "update": "m", "delete": "n"},
        ]
    },
 ]
@ -185,9 +204,198 @@ def registerFeature(catalogService) -> bool:
                meta=resObj.get("meta")
            )
        # Sync template roles to database (with AccessRules)
        _syncTemplateRolesToDb()
        logger.info(f"Feature '{FEATURE_CODE}' registered {len(UI_OBJECTS)} UI objects and {len(RESOURCE_OBJECTS)} resource objects")
        return True
    except Exception as e:
        logger.error(f"Failed to register feature '{FEATURE_CODE}': {e}")
        return False
 def _syncTemplateRolesToDb() -> int:
    """
    Sync template roles and their AccessRules to the database.
    Creates global template roles (mandateId=None) if they don't exist.
    Returns:
        Number of roles created/updated
    """
    try:
        from modules.interfaces.interfaceDbApp import getRootInterface
        from modules.datamodels.datamodelRbac import Role, AccessRule, AccessRuleContext
        rootInterface = getRootInterface()
        db = rootInterface.db
        # Get existing template roles for this feature
        existingRoles = db.getRecordset(
            Role,
            recordFilter={"featureCode": FEATURE_CODE, "mandateId": None}
        )
        existingRoleLabels = {r.get("roleLabel"): r.get("id") for r in existingRoles}
        createdCount = 0
        for roleTemplate in TEMPLATE_ROLES:
            roleLabel = roleTemplate["roleLabel"]
            if roleLabel in existingRoleLabels:
                roleId = existingRoleLabels[roleLabel]
                logger.debug(f"Template role '{roleLabel}' already exists with ID {roleId}")
                # Ensure AccessRules exist for this role
                _ensureAccessRulesForRole(db, roleId, roleTemplate.get("accessRules", []))
            else:
                # Create new template role
                newRole = Role(
                    roleLabel=roleLabel,
                    description=roleTemplate.get("description", {}),
                    featureCode=FEATURE_CODE,
                    mandateId=None,  # Global template
                    featureInstanceId=None,
                    isSystemRole=False
                )
                createdRole = db.recordCreate(Role, newRole.model_dump())
                roleId = createdRole.get("id")
                # Create AccessRules for this role
                _ensureAccessRulesForRole(db, roleId, roleTemplate.get("accessRules", []))
                logger.info(f"Created template role '{roleLabel}' with ID {roleId}")
                createdCount += 1
        if createdCount > 0:
            logger.info(f"Feature '{FEATURE_CODE}': Created {createdCount} template roles")
        # Repair instance-specific roles that are missing AccessRules
        _repairInstanceRolesAccessRules(db, existingRoleLabels)
        return createdCount
    except Exception as e:
        logger.error(f"Error syncing template roles for feature '{FEATURE_CODE}': {e}")
        return 0
 def _repairInstanceRolesAccessRules(db, templateRoleLabels: Dict[str, str]) -> int:
    """
    Repair instance-specific roles by copying AccessRules from their template roles.
    This ensures instance roles created before AccessRules were defined get updated.
    Args:
        db: Database connector
        templateRoleLabels: Dict mapping roleLabel to template role ID
    Returns:
        Number of instance roles repaired
    """
    from modules.datamodels.datamodelRbac import Role, AccessRule, AccessRuleContext
    repairedCount = 0
    # Get all instance-specific roles for this feature (mandateId is NOT None)
    allRoles = db.getRecordset(Role, recordFilter={"featureCode": FEATURE_CODE})
    instanceRoles = [r for r in allRoles if r.get("mandateId") is not None]
    for instanceRole in instanceRoles:
        roleLabel = instanceRole.get("roleLabel")
        instanceRoleId = instanceRole.get("id")
        # Find matching template role
        templateRoleId = templateRoleLabels.get(roleLabel)
        if not templateRoleId:
            continue
        # Check if instance role has AccessRules
        existingRules = db.getRecordset(AccessRule, recordFilter={"roleId": instanceRoleId})
        if existingRules:
            continue  # Already has rules, skip
        # Copy AccessRules from template role
        templateRules = db.getRecordset(AccessRule, recordFilter={"roleId": templateRoleId})
        if not templateRules:
            continue  # Template has no rules
        for rule in templateRules:
            newRule = AccessRule(
                roleId=instanceRoleId,
                context=rule.get("context"),
                item=rule.get("item"),
                view=rule.get("view", False),
                read=rule.get("read"),
                create=rule.get("create"),
                update=rule.get("update"),
                delete=rule.get("delete"),
            )
            db.recordCreate(AccessRule, newRule.model_dump())
        logger.info(f"Repaired instance role '{roleLabel}' (ID: {instanceRoleId}): copied {len(templateRules)} AccessRules from template")
        repairedCount += 1
    if repairedCount > 0:
        logger.info(f"Feature '{FEATURE_CODE}': Repaired {repairedCount} instance roles with missing AccessRules")
    return repairedCount
 def _ensureAccessRulesForRole(db, roleId: str, ruleTemplates: List[Dict[str, Any]]) -> int:
    """
    Ensure AccessRules exist for a role based on templates.
    Args:
        db: Database connector
        roleId: Role ID
        ruleTemplates: List of rule templates
    Returns:
        Number of rules created
    """
    from modules.datamodels.datamodelRbac import AccessRule, AccessRuleContext
    # Get existing rules for this role
    existingRules = db.getRecordset(AccessRule, recordFilter={"roleId": roleId})
    # Create a set of existing rule signatures to avoid duplicates
    existingSignatures = set()
    for rule in existingRules:
        sig = (rule.get("context"), rule.get("item"))
        existingSignatures.add(sig)
    createdCount = 0
    for template in ruleTemplates:
        context = template.get("context", "UI")
        item = template.get("item")
        sig = (context, item)
        if sig in existingSignatures:
            continue
        # Map context string to enum
        if context == "UI":
            contextEnum = AccessRuleContext.UI
        elif context == "DATA":
            contextEnum = AccessRuleContext.DATA
        elif context == "RESOURCE":
            contextEnum = AccessRuleContext.RESOURCE
        else:
            contextEnum = context
        newRule = AccessRule(
            roleId=roleId,
            context=contextEnum,
            item=item,
            view=template.get("view", False),
            read=template.get("read"),
            create=template.get("create"),
            update=template.get("update"),
            delete=template.get("delete"),
        )
        db.recordCreate(AccessRule, newRule.model_dump())
        createdCount += 1
    if createdCount > 0:
        logger.debug(f"Created {createdCount} AccessRules for role {roleId}")
    return createdCount
--- a/modules/interfaces/interfaceDbChat.py
+++ b/modules/interfaces/interfaceDbChat.py
@ -1729,8 +1729,14 @@ class ChatObjects:
            totalPages=totalPages
        )
-    def getAutomationDefinition(self, automationId: str) -> Optional[AutomationDefinition]:
+    def getAutomationDefinition(self, automationId: str, includeSystemFields: bool = False) -> Optional[AutomationDefinition]:
-        """Returns an automation definition by ID if user has access, with computed status."""
+        """Returns an automation definition by ID if user has access, with computed status.
        Args:
            automationId: ID of the automation to get
            includeSystemFields: If True, returns raw dict with system fields (_createdBy, etc).
                                If False (default), returns Pydantic model without system fields.
        """
        try:
            # Use RBAC filtering
            filtered = getRecordsetWithRBAC(self.db,
@ -1749,6 +1755,16 @@ class ChatObjects:
                automation["executionLogs"] = []
            # Enrich with user and mandate names
            self._enrichAutomationWithUserAndMandate(automation)
            # For internal use (execution), return raw dict with system fields
            if includeSystemFields:
                # Return as simple namespace object so getattr works
                class AutomationWithSystemFields:
                    def __init__(self, data):
                        for key, value in data.items():
                            setattr(self, key, value)
                return AutomationWithSystemFields(automation)
            # Clean metadata fields and return Pydantic model
            cleanedRecord = {k: v for k, v in automation.items() if not k.startswith("_")}
            return AutomationDefinition(**cleanedRecord)
@ -1771,9 +1787,12 @@ class ChatObjects:
            # Ensure database connector has correct userId context
            # The connector should have been initialized with userId, but ensure it's updated
-            if self.userId and hasattr(self.db, 'updateContext'):
+            if not self.userId:
                logger.error(f"createAutomationDefinition: userId is not set! Cannot set _createdBy. currentUser={self.currentUser}")
            elif hasattr(self.db, 'updateContext'):
                try:
                    self.db.updateContext(self.userId)
                    logger.debug(f"createAutomationDefinition: Updated database context with userId={self.userId}")
                except Exception as e:
                    logger.warning(f"Could not update database context: {e}")
--- a/modules/routes/routeAdminFeatures.py
+++ b/modules/routes/routeAdminFeatures.py
@ -248,7 +248,10 @@ def _getInstancePermissions(rootInterface, userId: str, instanceId: str) -> Dict
            recordFilter={"userId": userId, "featureInstanceId": instanceId}
        )
        logger.debug(f"_getInstancePermissions: userId={userId}, instanceId={instanceId}, featureAccesses={len(featureAccesses) if featureAccesses else 0}")
        if not featureAccesses:
            logger.debug(f"_getInstancePermissions: No FeatureAccess found for user {userId} and instance {instanceId}")
            return permissions
        # Get role IDs via FeatureAccessRole junction table
@ -259,7 +262,10 @@ def _getInstancePermissions(rootInterface, userId: str, instanceId: str) -> Dict
        )
        roleIds = [far.get("roleId") for far in featureAccessRoles]
        logger.debug(f"_getInstancePermissions: featureAccessId={featureAccessId}, roleIds={roleIds}")
        if not roleIds:
            logger.debug(f"_getInstancePermissions: No roles found for FeatureAccess {featureAccessId}")
            return permissions
        # Get permissions (AccessRules) for all roles
@ -269,6 +275,8 @@ def _getInstancePermissions(rootInterface, userId: str, instanceId: str) -> Dict
                recordFilter={"roleId": roleId}
            )
            logger.debug(f"_getInstancePermissions: roleId={roleId}, accessRules={len(accessRules) if accessRules else 0}")
            for rule in accessRules:
                context = rule.get("context", "")
                item = rule.get("item", "")
@ -303,8 +311,13 @@ def _getInstancePermissions(rootInterface, userId: str, instanceId: str) -> Dict
                # Handle UI context (views)
                elif context == "UI" or context == AccessRuleContext.UI:
                    ruleView = rule.get("view", False)
                    if item:
-                        permissions["views"][item] = permissions["views"].get(item, False) or rule.get("view", False)
+                        # Specific view rule
                        permissions["views"][item] = permissions["views"].get(item, False) or ruleView
                    elif ruleView:
                        # item=None means all views - set a wildcard flag
                        permissions["views"]["_all"] = True
        return permissions
--- a/modules/shared/attributeUtils.py
+++ b/modules/shared/attributeUtils.py
@ -5,6 +5,7 @@ Shared utilities for model attributes and labels.
 """
 from pydantic import BaseModel, Field, ConfigDict
 from pydantic_core import PydanticUndefined
 from typing import Dict, Any, List, Type, Optional, Union
 import inspect
 import importlib
@ -212,7 +213,8 @@ def getModelAttributeDefinitions(modelClass: Type[BaseModel] = None, userLanguag
                # Don't call it here - it's meant to be called per-instance
                # Instead, store a marker that indicates it exists
                field_default = None  # Frontend should use first option or specific logic
-            elif default_value is not ...:  # Ellipsis means no default
+            elif default_value is not ... and default_value is not PydanticUndefined:
                # Ellipsis or PydanticUndefined means no default
                # Convert enum to its value if it's an enum
                if hasattr(default_value, 'value'):
                    field_default = default_value.value
--- a/modules/workflows/automation/mainWorkflow.py
+++ b/modules/workflows/automation/mainWorkflow.py
@ -76,8 +76,8 @@ async def executeAutomation(automationId: str, services) -> ChatWorkflow:
    }
    try:
-        # 1. Load automation definition
+        # 1. Load automation definition (with system fields for _createdBy access)
-        automation = services.interfaceDbChat.getAutomationDefinition(automationId)
+        automation = services.interfaceDbChat.getAutomationDefinition(automationId, includeSystemFields=True)
        if not automation:
            raise ValueError(f"Automation {automationId} not found")
@ -105,18 +105,17 @@ async def executeAutomation(automationId: str, services) -> ChatWorkflow:
        # 3. Get user who created automation
        creatorUserId = getattr(automation, "_createdBy", None)
-        # CRITICAL: Automation MUST run as creator user only, or fail
+        # _createdBy is a system attribute - must be present
        if not creatorUserId:
            errorMsg = f"Automation {automationId} has no creator user (_createdBy field missing). Cannot execute automation."
            logger.error(errorMsg)
            executionLog["messages"].append(errorMsg)
            raise ValueError(errorMsg)
-        # Get user from database using services
+        # Get creator user from database
        creatorUser = services.interfaceDbApp.getUser(creatorUserId)
        if not creatorUser:
            raise ValueError(f"Creator user {creatorUserId} not found")
        executionLog["messages"].append(f"Using creator user: {creatorUserId}")
        # 4. Create UserInputRequest from plan
@ -205,10 +204,17 @@ async def syncAutomationEvents(services, eventUser) -> Dict[str, Any]:
    registeredEvents = {}
    for automation in filtered:
-        automationId = automation.id
+        # Handle both dict and object access patterns
-        isActive = automation.active if hasattr(automation, 'active') else False
+        if isinstance(automation, dict):
-        currentEventId = automation.eventId if hasattr(automation, 'eventId') else None
+            automationId = automation.get('id')
-        schedule = automation.schedule if hasattr(automation, 'schedule') else None
+            isActive = automation.get('active', False)
            currentEventId = automation.get('eventId')
            schedule = automation.get('schedule')
        else:
            automationId = automation.id
            isActive = automation.active if hasattr(automation, 'active') else False
            currentEventId = automation.eventId if hasattr(automation, 'eventId') else None
            schedule = automation.schedule if hasattr(automation, 'schedule') else None
        if not schedule:
            logger.warning(f"Automation {automationId} has no schedule, skipping")
@ -287,8 +293,8 @@ def createAutomationEventHandler(automationId: str, eventUser):
            # Get services for event user (provides access to interfaces)
            eventServices = getServices(eventUser, None)
-            # Load automation using event user context
+            # Load automation using event user context (with system fields for _createdBy access)
-            automation = eventServices.interfaceDbChat.getAutomationDefinition(automationId)
+            automation = eventServices.interfaceDbChat.getAutomationDefinition(automationId, includeSystemFields=True)
            if not automation or not getattr(automation, "active", False):
                logger.warning(f"Automation {automationId} not found or not active, skipping execution")
                return