""" Access control functions for the Gateway system. Manages user access and permissions. """ from typing import Dict, Any, List, Optional def _uam(currentUser: Dict[str, Any], table: str, recordset: List[Dict[str, Any]], _mandateId: int, _userId: int, db) -> List[Dict[str, Any]]: """ Unified user access management function that filters data based on user privileges and adds access control attributes. Args: currentUser: Current user information dictionary table: Name of the table recordset: Recordset to filter based on access rules _mandateId: Current mandate ID _userId: Current user ID db: Database connector instance Returns: Filtered recordset with access control attributes """ userPrivilege = currentUser.get("privilege", "user") filtered_records = [] # Apply filtering based on privilege if userPrivilege == "sysadmin": filtered_records = recordset # System admins see all records elif userPrivilege == "admin": # Admins see records in their mandate filtered_records = [r for r in recordset if r.get("_mandateId") == _mandateId] else: # Regular users # Users only see records they own within their mandate filtered_records = [r for r in recordset if r.get("_mandateId") == _mandateId and r.get("_userId") == _userId] # Add access control attributes to each record for record in filtered_records: record_id = record.get("id") # Set access control flags based on user permissions if table == "mandates": record["_hideView"] = False # Everyone can view record["_hideEdit"] = not _canModify(currentUser, "mandates", record_id, _mandateId, _userId, db) record["_hideDelete"] = not _canModify(currentUser, "mandates", record_id, _mandateId, _userId, db) elif table == "users": record["_hideView"] = False # Everyone can view record["_hideEdit"] = not _canModify(currentUser, "users", record_id, _mandateId, _userId, db) record["_hideDelete"] = not _canModify(currentUser, "users", record_id, _mandateId, _userId, db) else: # Default access control for other tables record["_hideView"] = False record["_hideEdit"] = not _canModify(currentUser, table, record_id, _mandateId, _userId, db) record["_hideDelete"] = not _canModify(currentUser, table, record_id, _mandateId, _userId, db) return filtered_records def _canModify(currentUser: Dict[str, Any], table: str, recordId: Optional[int] = None, _mandateId: int = None, _userId: int = None, db = None) -> bool: """ Checks if the current user can modify (create/update/delete) records in a table. Args: currentUser: Current user information dictionary table: Name of the table recordId: Optional record ID for specific record check _mandateId: Current mandate ID _userId: Current user ID db: Database connector instance Returns: Boolean indicating permission """ userPrivilege = currentUser.get("privilege", "user") # System admins can modify anything if userPrivilege == "sysadmin": return True # Check specific record permissions if recordId is not None: # Get the record to check ownership records = db.getRecordset(table, recordFilter={"id": recordId}) if not records: return False record = records[0] # Admins can modify anything in their mandate if userPrivilege == "admin" and record.get("_mandateId") == _mandateId: # Exception: Can't modify Root mandate unless you are a sysadmin if table == "mandates" and recordId == 1 and userPrivilege != "sysadmin": return False return True # Users can only modify their own records if (record.get("_mandateId") == _mandateId and record.get("_userId") == _userId): return True return False else: # For general table modify permission (e.g., create) # Admins can create anything in their mandate if userPrivilege == "admin": return True # Regular users can create most entities if table == "mandates": return False # Regular users can't create mandates return True