# Copyright (c) 2025 Patrick Motsch # All rights reserved. """ Feature management routes for the backend API. Implements endpoints for Feature and FeatureInstance management. Multi-Tenant Design: - Feature definitions are global (SysAdmin can manage) - FeatureInstances belong to mandates (Mandate Admin can manage) - Template roles are copied on instance creation """ from fastapi import APIRouter, HTTPException, Depends, Request, Query from typing import List, Dict, Any, Optional from fastapi import status import logging from pydantic import BaseModel, Field from modules.auth import limiter, getRequestContext, RequestContext, requireSysAdmin from modules.datamodels.datamodelUam import User from modules.datamodels.datamodelFeatures import Feature, FeatureInstance from modules.interfaces.interfaceDbApp import getRootInterface from modules.interfaces.interfaceFeatures import getFeatureInterface logger = logging.getLogger(__name__) router = APIRouter( prefix="/api/features", tags=["Features"], responses={404: {"description": "Not found"}} ) # ============================================================================= # Request/Response Models # ============================================================================= class FeatureInstanceCreate(BaseModel): """Request model for creating a feature instance""" featureCode: str = Field(..., description="Feature code (e.g., 'trustee', 'chatbot')") label: str = Field(..., description="Instance label (e.g., 'Buchhaltung 2025')") copyTemplateRoles: bool = Field(True, description="Whether to copy template roles on creation") class FeatureInstanceResponse(BaseModel): """Response model for feature instance""" id: str featureCode: str mandateId: str label: str enabled: bool class SyncRolesResult(BaseModel): """Response model for role synchronization""" added: int removed: int unchanged: int # ============================================================================= # Feature Endpoints (Global - mostly read-only for non-SysAdmin) # ============================================================================= @router.get("/", response_model=List[Dict[str, Any]]) @limiter.limit("60/minute") async def listFeatures( request: Request, context: RequestContext = Depends(getRequestContext) ) -> List[Dict[str, Any]]: """ List all available features. Returns global feature definitions that can be activated for mandates. Any authenticated user can see available features. """ try: rootInterface = getRootInterface() featureInterface = getFeatureInterface(rootInterface.db) features = featureInterface.getAllFeatures() return [f.model_dump() for f in features] except Exception as e: logger.error(f"Error listing features: {e}") raise HTTPException( status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail=f"Failed to list features: {str(e)}" ) # ============================================================================= # My Feature Instances (No mandate context needed) # IMPORTANT: Must be before /{featureCode} to avoid route matching conflict # ============================================================================= class FeaturesMyResponse(BaseModel): """Hierarchical response for GET /features/my""" mandates: List[Dict[str, Any]] @router.get("/my", response_model=FeaturesMyResponse) @limiter.limit("60/minute") async def getMyFeatureInstances( request: Request, context: RequestContext = Depends(getRequestContext) ) -> FeaturesMyResponse: """ Get all feature instances the current user has access to. Returns hierarchical structure: mandates -> features -> instances -> permissions This endpoint does not require X-Mandate-Id header. """ try: rootInterface = getRootInterface() featureInterface = getFeatureInterface(rootInterface.db) # Get all feature accesses for this user featureAccesses = rootInterface.getFeatureAccessesForUser(str(context.user.id)) if not featureAccesses: return FeaturesMyResponse(mandates=[]) # Build hierarchical structure: mandate -> feature -> instances mandatesMap: Dict[str, Dict[str, Any]] = {} featuresMap: Dict[str, Dict[str, Any]] = {} # key: mandateId_featureCode for access in featureAccesses: if not access.enabled: continue instance = featureInterface.getFeatureInstance(str(access.featureInstanceId)) if not instance or not instance.enabled: continue # Get mandate info mandateId = str(instance.mandateId) if mandateId not in mandatesMap: mandate = rootInterface.getMandate(mandateId) if mandate: mandatesMap[mandateId] = { "id": mandateId, "name": mandate.name if hasattr(mandate, 'name') else mandateId, "code": mandate.code if hasattr(mandate, 'code') else None, "features": [] } else: mandatesMap[mandateId] = { "id": mandateId, "name": mandateId, "code": None, "features": [] } # Get feature info featureKey = f"{mandateId}_{instance.featureCode}" if featureKey not in featuresMap: feature = featureInterface.getFeature(instance.featureCode) featuresMap[featureKey] = { "code": instance.featureCode, "label": feature.label if feature and hasattr(feature, 'label') else {"de": instance.featureCode, "en": instance.featureCode}, "icon": feature.icon if feature and hasattr(feature, 'icon') else "folder", "instances": [], "_mandateId": mandateId # Temporary for grouping } # Get user's role in this instance userRole = _getUserRoleInInstance(rootInterface, str(context.user.id), str(instance.id)) # Get permissions for this instance permissions = _getInstancePermissions(rootInterface, str(context.user.id), str(instance.id)) # Add instance to feature featuresMap[featureKey]["instances"].append({ "id": str(instance.id), "featureCode": instance.featureCode, "mandateId": mandateId, "mandateName": mandatesMap[mandateId]["name"], "instanceLabel": instance.label, "userRole": userRole, "permissions": permissions }) # Build final structure for featureKey, featureData in featuresMap.items(): mandateId = featureData.pop("_mandateId") mandatesMap[mandateId]["features"].append(featureData) return FeaturesMyResponse(mandates=list(mandatesMap.values())) except Exception as e: logger.error(f"Error getting user's feature instances: {e}") raise HTTPException( status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail=f"Failed to get feature instances: {str(e)}" ) def _getUserRoleInInstance(rootInterface, userId: str, instanceId: str) -> str: """Get the user's primary role label in a feature instance.""" try: from modules.datamodels.datamodelRbac import Role from modules.datamodels.datamodelMembership import FeatureAccess, FeatureAccessRole # Get FeatureAccess for this user and instance featureAccesses = rootInterface.db.getRecordset( FeatureAccess, recordFilter={"userId": userId, "featureInstanceId": instanceId} ) if featureAccesses: featureAccessId = featureAccesses[0].get("id") # Get role IDs via FeatureAccessRole junction table featureAccessRoles = rootInterface.db.getRecordset( FeatureAccessRole, recordFilter={"featureAccessId": featureAccessId} ) if featureAccessRoles: roleId = featureAccessRoles[0].get("roleId") roles = rootInterface.db.getRecordset(Role, recordFilter={"id": roleId}) if roles: return roles[0].get("roleLabel", "user") return "user" # Default except Exception as e: logger.debug(f"Error getting user role: {e}") return "user" def _getInstancePermissions(rootInterface, userId: str, instanceId: str) -> Dict[str, Any]: """Get summarized permissions for a user in an instance.""" # Default permissions structure permissions = { "tables": {}, "views": {}, "fields": {} } try: from modules.datamodels.datamodelRbac import AccessRule, AccessRuleContext from modules.datamodels.datamodelMembership import FeatureAccess, FeatureAccessRole # Get FeatureAccess for this user and instance featureAccesses = rootInterface.db.getRecordset( FeatureAccess, recordFilter={"userId": userId, "featureInstanceId": instanceId} ) if not featureAccesses: return permissions # Get role IDs via FeatureAccessRole junction table featureAccessId = featureAccesses[0].get("id") featureAccessRoles = rootInterface.db.getRecordset( FeatureAccessRole, recordFilter={"featureAccessId": featureAccessId} ) roleIds = [far.get("roleId") for far in featureAccessRoles] if not roleIds: return permissions # Get permissions (AccessRules) for all roles for roleId in roleIds: accessRules = rootInterface.db.getRecordset( AccessRule, recordFilter={"roleId": roleId} ) for rule in accessRules: context = rule.get("context", "") item = rule.get("item", "") # Handle DATA context (tables/fields) if context == "DATA" or context == AccessRuleContext.DATA: if item: # Check if it's a field (table.field) or table if "." in item: tableName, fieldName = item.split(".", 1) if fieldName not in permissions["fields"]: permissions["fields"][fieldName] = {"view": False} permissions["fields"][fieldName]["view"] = permissions["fields"][fieldName]["view"] or rule.get("view", False) else: tableName = item if tableName not in permissions["tables"]: permissions["tables"][tableName] = { "view": False, "read": "n", "create": "n", "update": "n", "delete": "n" } # Merge permissions (highest wins) current = permissions["tables"][tableName] current["view"] = current["view"] or rule.get("view", False) current["read"] = _mergeAccessLevel(current["read"], rule.get("read") or "n") current["create"] = _mergeAccessLevel(current["create"], rule.get("create") or "n") current["update"] = _mergeAccessLevel(current["update"], rule.get("update") or "n") current["delete"] = _mergeAccessLevel(current["delete"], rule.get("delete") or "n") # Handle UI context (views) elif context == "UI" or context == AccessRuleContext.UI: if item: permissions["views"][item] = permissions["views"].get(item, False) or rule.get("view", False) return permissions except Exception as e: logger.debug(f"Error getting instance permissions: {e}") return permissions def _mergeAccessLevel(current: str, new: str) -> str: """Merge two access levels, returning the highest.""" levels = {"n": 0, "m": 1, "g": 2, "a": 3} currentLevel = levels.get(current, 0) newLevel = levels.get(new, 0) if newLevel > currentLevel: return new return current @router.post("/", response_model=Dict[str, Any]) @limiter.limit("10/minute") async def createFeature( request: Request, code: str = Query(..., description="Unique feature code"), label: Dict[str, str] = None, icon: str = Query("mdi-puzzle", description="Icon identifier"), sysAdmin: User = Depends(requireSysAdmin) ) -> Dict[str, Any]: """ Create a new feature definition. SysAdmin only - creates a global feature that can be activated for mandates. Args: code: Unique feature code (e.g., 'trustee') label: I18n labels (e.g., {"en": "Trustee", "de": "Treuhand"}) icon: Icon identifier """ try: rootInterface = getRootInterface() featureInterface = getFeatureInterface(rootInterface.db) # Check if feature already exists existing = featureInterface.getFeature(code) if existing: raise HTTPException( status_code=status.HTTP_409_CONFLICT, detail=f"Feature '{code}' already exists" ) feature = featureInterface.createFeature( code=code, label=label or {"en": code.title(), "de": code.title()}, icon=icon ) logger.info(f"SysAdmin {sysAdmin.id} created feature '{code}'") return feature.model_dump() except HTTPException: raise except Exception as e: logger.error(f"Error creating feature: {e}") raise HTTPException( status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail=f"Failed to create feature: {str(e)}" ) # ============================================================================= # Feature Instance Endpoints (Mandate-scoped) # ============================================================================= @router.get("/instances", response_model=List[Dict[str, Any]]) @limiter.limit("60/minute") async def listFeatureInstances( request: Request, featureCode: Optional[str] = Query(None, description="Filter by feature code"), context: RequestContext = Depends(getRequestContext) ) -> List[Dict[str, Any]]: """ List feature instances for the current mandate. Returns instances the user has access to within the selected mandate. Args: featureCode: Optional filter by feature code """ if not context.mandateId: raise HTTPException( status_code=status.HTTP_400_BAD_REQUEST, detail="X-Mandate-Id header is required" ) try: rootInterface = getRootInterface() featureInterface = getFeatureInterface(rootInterface.db) instances = featureInterface.getFeatureInstancesForMandate( mandateId=str(context.mandateId), featureCode=featureCode ) return [inst.model_dump() for inst in instances] except HTTPException: raise except Exception as e: logger.error(f"Error listing feature instances: {e}") raise HTTPException( status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail=f"Failed to list feature instances: {str(e)}" ) @router.get("/instances/{instanceId}", response_model=Dict[str, Any]) @limiter.limit("60/minute") async def getFeatureInstance( request: Request, instanceId: str, context: RequestContext = Depends(getRequestContext) ) -> Dict[str, Any]: """ Get a specific feature instance. Args: instanceId: FeatureInstance ID """ try: rootInterface = getRootInterface() featureInterface = getFeatureInterface(rootInterface.db) instance = featureInterface.getFeatureInstance(instanceId) if not instance: raise HTTPException( status_code=status.HTTP_404_NOT_FOUND, detail=f"Feature instance '{instanceId}' not found" ) # Verify mandate access (unless SysAdmin) if context.mandateId and str(instance.mandateId) != str(context.mandateId): if not context.isSysAdmin: raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="Access denied to this feature instance" ) return instance.model_dump() except HTTPException: raise except Exception as e: logger.error(f"Error getting feature instance {instanceId}: {e}") raise HTTPException( status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail=f"Failed to get feature instance: {str(e)}" ) @router.post("/instances", response_model=Dict[str, Any]) @limiter.limit("10/minute") async def createFeatureInstance( request: Request, data: FeatureInstanceCreate, context: RequestContext = Depends(getRequestContext) ) -> Dict[str, Any]: """ Create a new feature instance for the current mandate. Requires Mandate-Admin role. Template roles are optionally copied. Args: data: Feature instance creation data """ if not context.mandateId: raise HTTPException( status_code=status.HTTP_400_BAD_REQUEST, detail="X-Mandate-Id header is required" ) # Check mandate admin permission if not _hasMandateAdminRole(context): raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="Mandate-Admin role required to create feature instances" ) try: rootInterface = getRootInterface() featureInterface = getFeatureInterface(rootInterface.db) # Verify feature exists feature = featureInterface.getFeature(data.featureCode) if not feature: raise HTTPException( status_code=status.HTTP_404_NOT_FOUND, detail=f"Feature '{data.featureCode}' not found" ) instance = featureInterface.createFeatureInstance( featureCode=data.featureCode, mandateId=str(context.mandateId), label=data.label, copyTemplateRoles=data.copyTemplateRoles ) logger.info( f"User {context.user.id} created feature instance '{data.label}' " f"for feature '{data.featureCode}' in mandate {context.mandateId}" ) return instance.model_dump() except HTTPException: raise except Exception as e: logger.error(f"Error creating feature instance: {e}") raise HTTPException( status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail=f"Failed to create feature instance: {str(e)}" ) @router.delete("/instances/{instanceId}", response_model=Dict[str, str]) @limiter.limit("10/minute") async def deleteFeatureInstance( request: Request, instanceId: str, context: RequestContext = Depends(getRequestContext) ) -> Dict[str, str]: """ Delete a feature instance. Requires Mandate-Admin role. CASCADE will delete associated roles and access records. Args: instanceId: FeatureInstance ID """ try: rootInterface = getRootInterface() featureInterface = getFeatureInterface(rootInterface.db) # Get instance to verify access instance = featureInterface.getFeatureInstance(instanceId) if not instance: raise HTTPException( status_code=status.HTTP_404_NOT_FOUND, detail=f"Feature instance '{instanceId}' not found" ) # Verify mandate access if context.mandateId and str(instance.mandateId) != str(context.mandateId): if not context.isSysAdmin: raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="Access denied to this feature instance" ) # Check mandate admin permission if not _hasMandateAdminRole(context) and not context.isSysAdmin: raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="Mandate-Admin role required to delete feature instances" ) featureInterface.deleteFeatureInstance(instanceId) logger.info(f"User {context.user.id} deleted feature instance {instanceId}") return {"message": "Feature instance deleted", "instanceId": instanceId} except HTTPException: raise except Exception as e: logger.error(f"Error deleting feature instance {instanceId}: {e}") raise HTTPException( status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail=f"Failed to delete feature instance: {str(e)}" ) @router.post("/instances/{instanceId}/sync-roles", response_model=SyncRolesResult) @limiter.limit("10/minute") async def syncInstanceRoles( request: Request, instanceId: str, addOnly: bool = Query(True, description="Only add missing roles, don't remove extras"), context: RequestContext = Depends(getRequestContext) ) -> SyncRolesResult: """ Synchronize roles of a feature instance with current templates. IMPORTANT: Templates are only copied when a FeatureInstance is created. This sync function is for manual re-synchronization, not automatic propagation. Args: instanceId: FeatureInstance ID addOnly: If True, only add missing roles. If False, also remove extras. """ try: rootInterface = getRootInterface() featureInterface = getFeatureInterface(rootInterface.db) # Get instance to verify access instance = featureInterface.getFeatureInstance(instanceId) if not instance: raise HTTPException( status_code=status.HTTP_404_NOT_FOUND, detail=f"Feature instance '{instanceId}' not found" ) # Verify mandate access if context.mandateId and str(instance.mandateId) != str(context.mandateId): if not context.isSysAdmin: raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="Access denied to this feature instance" ) # Check admin permission (Mandate-Admin or Feature-Admin) if not _hasMandateAdminRole(context) and not context.isSysAdmin: raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="Admin role required to sync roles" ) result = featureInterface.syncRolesFromTemplate(instanceId, addOnly) logger.info( f"User {context.user.id} synced roles for instance {instanceId}: {result}" ) return SyncRolesResult(**result) except HTTPException: raise except Exception as e: logger.error(f"Error syncing roles for instance {instanceId}: {e}") raise HTTPException( status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail=f"Failed to sync roles: {str(e)}" ) # ============================================================================= # Template Role Endpoints (SysAdmin only) # ============================================================================= @router.get("/templates/roles", response_model=List[Dict[str, Any]]) @limiter.limit("60/minute") async def listTemplateRoles( request: Request, featureCode: Optional[str] = Query(None, description="Filter by feature code"), sysAdmin: User = Depends(requireSysAdmin) ) -> List[Dict[str, Any]]: """ List global template roles. SysAdmin only - returns template roles that are copied to new feature instances. Args: featureCode: Optional filter by feature code """ try: rootInterface = getRootInterface() featureInterface = getFeatureInterface(rootInterface.db) roles = featureInterface.getTemplateRoles(featureCode) return [r.model_dump() for r in roles] except Exception as e: logger.error(f"Error listing template roles: {e}") raise HTTPException( status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail=f"Failed to list template roles: {str(e)}" ) @router.post("/templates/roles", response_model=Dict[str, Any]) @limiter.limit("10/minute") async def createTemplateRole( request: Request, roleLabel: str = Query(..., description="Role label (e.g., 'admin', 'viewer')"), featureCode: str = Query(..., description="Feature code this role belongs to"), description: Dict[str, str] = None, sysAdmin: User = Depends(requireSysAdmin) ) -> Dict[str, Any]: """ Create a global template role for a feature. SysAdmin only - new template roles are NOT automatically propagated to existing instances. Use the sync-roles endpoint to manually synchronize. Args: roleLabel: Role label featureCode: Feature code description: I18n descriptions """ try: rootInterface = getRootInterface() featureInterface = getFeatureInterface(rootInterface.db) # Verify feature exists feature = featureInterface.getFeature(featureCode) if not feature: raise HTTPException( status_code=status.HTTP_404_NOT_FOUND, detail=f"Feature '{featureCode}' not found" ) role = featureInterface.createTemplateRole( roleLabel=roleLabel, featureCode=featureCode, description=description ) logger.info( f"SysAdmin {sysAdmin.id} created template role '{roleLabel}' " f"for feature '{featureCode}'" ) return role.model_dump() except HTTPException: raise except Exception as e: logger.error(f"Error creating template role: {e}") raise HTTPException( status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail=f"Failed to create template role: {str(e)}" ) # ============================================================================= # Feature Instance Users Endpoints # Manage which users have access to a specific feature instance # ============================================================================= class FeatureInstanceUserCreate(BaseModel): """Request model for adding a user to a feature instance""" userId: str = Field(..., description="User ID to add") roleIds: List[str] = Field(default_factory=list, description="Role IDs to assign") class FeatureInstanceUserResponse(BaseModel): """Response model for a user in a feature instance""" id: str # Use the FeatureAccess ID as primary key userId: str username: str email: Optional[str] fullName: Optional[str] roleIds: List[str] roleLabels: List[str] enabled: bool @router.get("/instances/{instanceId}/users", response_model=List[FeatureInstanceUserResponse]) @limiter.limit("60/minute") async def listFeatureInstanceUsers( request: Request, instanceId: str, context: RequestContext = Depends(getRequestContext) ) -> List[FeatureInstanceUserResponse]: """ List all users with access to a specific feature instance. Returns users and their roles for the given instance. Args: instanceId: FeatureInstance ID """ try: rootInterface = getRootInterface() featureInterface = getFeatureInterface(rootInterface.db) # Verify instance exists instance = featureInterface.getFeatureInstance(instanceId) if not instance: raise HTTPException( status_code=status.HTTP_404_NOT_FOUND, detail=f"Feature instance '{instanceId}' not found" ) # Verify mandate access (unless SysAdmin) if context.mandateId and str(instance.mandateId) != str(context.mandateId): if not context.isSysAdmin: raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="Access denied to this feature instance" ) # Get all FeatureAccess records for this instance from modules.datamodels.datamodelMembership import FeatureAccess, FeatureAccessRole from modules.datamodels.datamodelRbac import Role featureAccesses = rootInterface.db.getRecordset( FeatureAccess, recordFilter={"featureInstanceId": instanceId} ) result = [] for fa in featureAccesses: userId = fa.get("userId") featureAccessId = fa.get("id") # Get user info users = rootInterface.db.getRecordset(UserInDB, recordFilter={"id": userId}) if not users: continue user = users[0] # Get role IDs via FeatureAccessRole junction table featureAccessRoles = rootInterface.db.getRecordset( FeatureAccessRole, recordFilter={"featureAccessId": featureAccessId} ) roleIds = [far.get("roleId") for far in featureAccessRoles] # Get role labels roleLabels = [] for roleId in roleIds: roles = rootInterface.db.getRecordset(Role, recordFilter={"id": roleId}) if roles: roleLabels.append(roles[0].get("roleLabel", "")) result.append(FeatureInstanceUserResponse( id=featureAccessId, # FeatureAccess ID as primary key userId=userId, username=user.get("username", ""), email=user.get("email"), fullName=user.get("fullName"), roleIds=roleIds, roleLabels=roleLabels, enabled=fa.get("enabled", True) )) return result except HTTPException: raise except Exception as e: logger.error(f"Error listing feature instance users: {e}") raise HTTPException( status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail=f"Failed to list feature instance users: {str(e)}" ) @router.post("/instances/{instanceId}/users", response_model=Dict[str, Any]) @limiter.limit("30/minute") async def addUserToFeatureInstance( request: Request, instanceId: str, data: FeatureInstanceUserCreate, context: RequestContext = Depends(getRequestContext) ) -> Dict[str, Any]: """ Add a user to a feature instance with specified roles. Creates a FeatureAccess record and associated FeatureAccessRole records. Args: instanceId: FeatureInstance ID data: User and role data """ try: rootInterface = getRootInterface() featureInterface = getFeatureInterface(rootInterface.db) # Verify instance exists instance = featureInterface.getFeatureInstance(instanceId) if not instance: raise HTTPException( status_code=status.HTTP_404_NOT_FOUND, detail=f"Feature instance '{instanceId}' not found" ) # Verify mandate access if context.mandateId and str(instance.mandateId) != str(context.mandateId): if not context.isSysAdmin: raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="Access denied to this feature instance" ) # Check admin permission if not _hasMandateAdminRole(context) and not context.isSysAdmin: raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="Admin role required to add users to feature instances" ) # Verify user exists users = rootInterface.db.getRecordset(UserInDB, recordFilter={"id": data.userId}) if not users: raise HTTPException( status_code=status.HTTP_404_NOT_FOUND, detail=f"User '{data.userId}' not found" ) # Check if user already has access from modules.datamodels.datamodelMembership import FeatureAccess, FeatureAccessRole existingAccess = rootInterface.db.getRecordset( FeatureAccess, recordFilter={"userId": data.userId, "featureInstanceId": instanceId} ) if existingAccess: raise HTTPException( status_code=status.HTTP_409_CONFLICT, detail="User already has access to this feature instance" ) # Create FeatureAccess record featureAccess = FeatureAccess( userId=data.userId, featureInstanceId=instanceId, enabled=True ) createdAccess = rootInterface.db.recordCreate(FeatureAccess, featureAccess.model_dump()) featureAccessId = createdAccess.get("id") # Create FeatureAccessRole records for each role for roleId in data.roleIds: featureAccessRole = FeatureAccessRole( featureAccessId=featureAccessId, roleId=roleId ) rootInterface.db.recordCreate(FeatureAccessRole, featureAccessRole.model_dump()) logger.info( f"User {context.user.id} added user {data.userId} to feature instance {instanceId} " f"with roles {data.roleIds}" ) return { "featureAccessId": featureAccessId, "userId": data.userId, "featureInstanceId": instanceId, "roleIds": data.roleIds, "enabled": True } except HTTPException: raise except Exception as e: logger.error(f"Error adding user to feature instance: {e}") raise HTTPException( status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail=f"Failed to add user to feature instance: {str(e)}" ) @router.delete("/instances/{instanceId}/users/{userId}", response_model=Dict[str, str]) @limiter.limit("30/minute") async def removeUserFromFeatureInstance( request: Request, instanceId: str, userId: str, context: RequestContext = Depends(getRequestContext) ) -> Dict[str, str]: """ Remove a user's access from a feature instance. Deletes the FeatureAccess record (CASCADE will delete FeatureAccessRole records). Args: instanceId: FeatureInstance ID userId: User ID to remove """ try: rootInterface = getRootInterface() featureInterface = getFeatureInterface(rootInterface.db) # Verify instance exists instance = featureInterface.getFeatureInstance(instanceId) if not instance: raise HTTPException( status_code=status.HTTP_404_NOT_FOUND, detail=f"Feature instance '{instanceId}' not found" ) # Verify mandate access if context.mandateId and str(instance.mandateId) != str(context.mandateId): if not context.isSysAdmin: raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="Access denied to this feature instance" ) # Check admin permission if not _hasMandateAdminRole(context) and not context.isSysAdmin: raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="Admin role required to remove users from feature instances" ) # Find FeatureAccess record from modules.datamodels.datamodelMembership import FeatureAccess existingAccess = rootInterface.db.getRecordset( FeatureAccess, recordFilter={"userId": userId, "featureInstanceId": instanceId} ) if not existingAccess: raise HTTPException( status_code=status.HTTP_404_NOT_FOUND, detail="User does not have access to this feature instance" ) featureAccessId = existingAccess[0].get("id") # Delete FeatureAccess (CASCADE will delete FeatureAccessRole records) rootInterface.db.recordDelete(FeatureAccess, featureAccessId) logger.info( f"User {context.user.id} removed user {userId} from feature instance {instanceId}" ) return { "message": "User access removed", "userId": userId, "featureInstanceId": instanceId } except HTTPException: raise except Exception as e: logger.error(f"Error removing user from feature instance: {e}") raise HTTPException( status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail=f"Failed to remove user from feature instance: {str(e)}" ) @router.put("/instances/{instanceId}/users/{userId}/roles", response_model=Dict[str, Any]) @limiter.limit("30/minute") async def updateFeatureInstanceUserRoles( request: Request, instanceId: str, userId: str, roleIds: List[str], context: RequestContext = Depends(getRequestContext) ) -> Dict[str, Any]: """ Update a user's roles in a feature instance. Replaces all existing FeatureAccessRole records with new ones. Args: instanceId: FeatureInstance ID userId: User ID to update roleIds: New list of role IDs """ try: rootInterface = getRootInterface() featureInterface = getFeatureInterface(rootInterface.db) # Verify instance exists instance = featureInterface.getFeatureInstance(instanceId) if not instance: raise HTTPException( status_code=status.HTTP_404_NOT_FOUND, detail=f"Feature instance '{instanceId}' not found" ) # Verify mandate access if context.mandateId and str(instance.mandateId) != str(context.mandateId): if not context.isSysAdmin: raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="Access denied to this feature instance" ) # Check admin permission if not _hasMandateAdminRole(context) and not context.isSysAdmin: raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="Admin role required to update user roles" ) # Find FeatureAccess record from modules.datamodels.datamodelMembership import FeatureAccess, FeatureAccessRole existingAccess = rootInterface.db.getRecordset( FeatureAccess, recordFilter={"userId": userId, "featureInstanceId": instanceId} ) if not existingAccess: raise HTTPException( status_code=status.HTTP_404_NOT_FOUND, detail="User does not have access to this feature instance" ) featureAccessId = existingAccess[0].get("id") # Delete existing FeatureAccessRole records existingRoles = rootInterface.db.getRecordset( FeatureAccessRole, recordFilter={"featureAccessId": featureAccessId} ) for role in existingRoles: rootInterface.db.recordDelete(FeatureAccessRole, role.get("id")) # Create new FeatureAccessRole records for roleId in roleIds: featureAccessRole = FeatureAccessRole( featureAccessId=featureAccessId, roleId=roleId ) rootInterface.db.recordCreate(FeatureAccessRole, featureAccessRole.model_dump()) logger.info( f"User {context.user.id} updated roles for user {userId} in feature instance {instanceId}: {roleIds}" ) return { "featureAccessId": featureAccessId, "userId": userId, "featureInstanceId": instanceId, "roleIds": roleIds } except HTTPException: raise except Exception as e: logger.error(f"Error updating user roles in feature instance: {e}") raise HTTPException( status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail=f"Failed to update user roles: {str(e)}" ) @router.get("/instances/{instanceId}/available-roles", response_model=List[Dict[str, Any]]) @limiter.limit("60/minute") async def getFeatureInstanceAvailableRoles( request: Request, instanceId: str, context: RequestContext = Depends(getRequestContext) ) -> List[Dict[str, Any]]: """ Get available roles for a feature instance. Returns instance-specific roles (copied from templates) that can be assigned to users. Args: instanceId: FeatureInstance ID """ try: rootInterface = getRootInterface() featureInterface = getFeatureInterface(rootInterface.db) # Verify instance exists instance = featureInterface.getFeatureInstance(instanceId) if not instance: raise HTTPException( status_code=status.HTTP_404_NOT_FOUND, detail=f"Feature instance '{instanceId}' not found" ) # Verify mandate access if context.mandateId and str(instance.mandateId) != str(context.mandateId): if not context.isSysAdmin: raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="Access denied to this feature instance" ) # Get roles for this instance from modules.datamodels.datamodelRbac import Role instanceRoles = rootInterface.db.getRecordset( Role, recordFilter={"featureInstanceId": instanceId} ) result = [] for role in instanceRoles: result.append({ "id": role.get("id"), "roleLabel": role.get("roleLabel"), "description": role.get("description", {}), "featureCode": role.get("featureCode"), "isSystemRole": role.get("isSystemRole", False) }) return result except HTTPException: raise except Exception as e: logger.error(f"Error getting available roles for feature instance: {e}") raise HTTPException( status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail=f"Failed to get available roles: {str(e)}" ) # ============================================================================= # Dynamic Feature Route (MUST be last to avoid catching /instances, /my, etc.) # ============================================================================= @router.get("/{featureCode}", response_model=Dict[str, Any]) @limiter.limit("60/minute") async def getFeature( request: Request, featureCode: str, context: RequestContext = Depends(getRequestContext) ) -> Dict[str, Any]: """ Get a specific feature by code. IMPORTANT: This route must be defined LAST to avoid catching paths like /instances, /my, /templates, etc. Args: featureCode: Feature code (e.g., 'trustee', 'chatbot') """ try: rootInterface = getRootInterface() featureInterface = getFeatureInterface(rootInterface.db) feature = featureInterface.getFeature(featureCode) if not feature: raise HTTPException( status_code=status.HTTP_404_NOT_FOUND, detail=f"Feature '{featureCode}' not found" ) return feature.model_dump() except HTTPException: raise except Exception as e: logger.error(f"Error getting feature {featureCode}: {e}") raise HTTPException( status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail=f"Failed to get feature: {str(e)}" ) # ============================================================================= # Helper Functions # ============================================================================= def _hasMandateAdminRole(context: RequestContext) -> bool: """ Check if the user has mandate admin role in the current context. A user is mandate admin if they have the 'admin' role at mandate level. """ if context.isSysAdmin: return True if not context.roleIds: return False # Check if any of the user's roles is an admin role try: rootInterface = getRootInterface() from modules.datamodels.datamodelRbac import Role for roleId in context.roleIds: roleRecords = rootInterface.db.getRecordset(Role, recordFilter={"id": roleId}) if roleRecords: role = roleRecords[0] roleLabel = role.get("roleLabel", "") # Admin role at mandate level (not feature-instance level) if roleLabel == "admin" and role.get("mandateId") and not role.get("featureInstanceId"): return True return False except Exception as e: logger.error(f"Error checking mandate admin role: {e}") return False