""" Access control module for Chat interface. Handles user access management and permission checks. """ from typing import Dict, Any, List, Optional from modules.datamodels.datamodelUam import User, UserPrivilege from modules.datamodels.datamodelChat import ChatWorkflow, ChatMessage, ChatLog, ChatStat, ChatDocument class ChatAccess: """ Access control class for Chat interface. Handles user access management and permission checks. """ def __init__(self, currentUser: User, db): """Initialize with user context.""" self.currentUser = currentUser self.mandateId = currentUser.mandateId self.userId = currentUser.id if not self.mandateId or not self.userId: raise ValueError("Invalid user context: mandateId and userId are required") self.db = db def uam(self, model_class: type, recordset: List[Dict[str, Any]]) -> List[Dict[str, Any]]: """ Unified user access management function that filters data based on user privileges and adds access control attributes. Args: model_class: Pydantic model class for the table recordset: Recordset to filter based on access rules Returns: Filtered recordset with access control attributes """ userPrivilege = self.currentUser.privilege table_name = model_class.__name__ filtered_records = [] # Apply filtering based on privilege if userPrivilege == UserPrivilege.SYSADMIN: filtered_records = recordset # System admins see all records elif userPrivilege == UserPrivilege.ADMIN: # Admins see records in their mandate filtered_records = [r for r in recordset if r.get("mandateId","-") == self.mandateId] else: # Regular users # Users see only their records for other tables filtered_records = [r for r in recordset if r.get("mandateId","-") == self.mandateId and r.get("_createdBy") == self.userId] # Add access control attributes to each record for record in filtered_records: record_id = record.get("id") # Set access control flags based on user permissions if table_name == "ChatWorkflow": record["_hideView"] = False # Everyone can view record["_hideEdit"] = not self.canModify(ChatWorkflow, record_id) record["_hideDelete"] = not self.canModify(ChatWorkflow, record_id) elif table_name == "ChatMessage": record["_hideView"] = False # Everyone can view record["_hideEdit"] = not self.canModify(ChatWorkflow, record.get("workflowId")) record["_hideDelete"] = not self.canModify(ChatWorkflow, record.get("workflowId")) elif table_name == "ChatLog": record["_hideView"] = False # Everyone can view record["_hideEdit"] = not self.canModify(ChatWorkflow, record.get("workflowId")) record["_hideDelete"] = not self.canModify(ChatWorkflow, record.get("workflowId")) else: # Default access control for other tables record["_hideView"] = False record["_hideEdit"] = not self.canModify(model_class, record_id) record["_hideDelete"] = not self.canModify(model_class, record_id) return filtered_records def canModify(self, model_class: type, recordId: Optional[str] = None) -> bool: """ Checks if the current user can modify (create/update/delete) records in a table. Args: model_class: Pydantic model class for the table recordId: Optional record ID for specific record check Returns: Boolean indicating permission """ userPrivilege = self.currentUser.privilege # System admins can modify anything if userPrivilege == UserPrivilege.SYSADMIN: return True # For regular users and admins, check specific cases if recordId is not None: # Get the record to check ownership records: List[Dict[str, Any]] = self.db.getRecordset(model_class, recordFilter={"id": recordId}) if not records: return False record = records[0] # Admins can modify anything in their mandate, if mandate is specified for a record if userPrivilege == UserPrivilege.ADMIN and record.get("mandateId","-") == self.mandateId: return True # Regular users can only modify their own records if (record.get("mandateId","-") == self.mandateId and record.get("_createdBy") == self.userId): return True return False else: # For general modification permission (e.g., create) # Admins can create anything in their mandate if userPrivilege == UserPrivilege.ADMIN: return True # Regular users can create in most tables return True