""" Access control module for Microsoft interface. Handles user access management and permission checks for Microsoft tokens. """ from typing import Dict, Any, List, Optional class MsftAccess: """ Access control class for Microsoft interface. Handles user access management and permission checks for Microsoft tokens. """ def __init__(self, currentUser: Dict[str, Any], db): """Initialize with user context.""" self.currentUser = currentUser self._mandateId = currentUser.get("_mandateId") self._userId = currentUser.get("id") if not self._mandateId or not self._userId: raise ValueError("Invalid user context: _mandateId and id are required") self.db = db def uam(self, table: str, recordset: List[Dict[str, Any]]) -> List[Dict[str, Any]]: """ Unified user access management function that filters data based on user privileges and adds access control attributes. Args: table: Name of the table recordset: Recordset to filter based on access rules Returns: Filtered recordset with access control attributes """ userPrivilege = self.currentUser.get("privilege", "user") filtered_records = [] # Apply filtering based on privilege if userPrivilege == "sysadmin": filtered_records = recordset # System admins see all records elif userPrivilege == "admin": # Admins see records in their mandate filtered_records = [r for r in recordset if r.get("_mandateId") == self._mandateId] else: # Regular users # Users only see their own Microsoft tokens filtered_records = [r for r in recordset if r.get("_mandateId") == self._mandateId and r.get("_userId") == self._userId] # Add access control attributes to each record for record in filtered_records: record_id = record.get("id") # Set access control flags based on user permissions if table == "msftTokens": record["_hideView"] = False # Everyone can view their own tokens record["_hideEdit"] = not self.canModify("msftTokens", record_id) record["_hideDelete"] = not self.canModify("msftTokens", record_id) else: # Default access control for other tables record["_hideView"] = False record["_hideEdit"] = not self.canModify(table, record_id) record["_hideDelete"] = not self.canModify(table, record_id) return filtered_records def canModify(self, table: str, recordId: Optional[str] = None) -> bool: """ Checks if the current user can modify (create/update/delete) records in a table. Args: table: Name of the table recordId: Optional record ID for specific record check Returns: Boolean indicating permission """ userPrivilege = self.currentUser.get("privilege", "user") # System admins can modify anything if userPrivilege == "sysadmin": return True # Check specific record permissions if recordId is not None: # Get the record to check ownership records = self.db.getRecordset(table, recordFilter={"id": recordId}) if not records: return False record = records[0] # Admins can modify anything in their mandate if userPrivilege == "admin" and record.get("_mandateId") == self._mandateId: return True # Users can only modify their own Microsoft tokens if (record.get("_mandateId") == self._mandateId and record.get("_userId") == self._userId): return True return False else: # For general table modify permission (e.g., create) # Admins can create anything in their mandate if userPrivilege == "admin": return True # Regular users can create their own Microsoft tokens if table == "msftTokens": return True return False