gateway/modules/interfaces/interfaceDbChatAccess.py

"""
Access control module for Chat interface.
Handles user access management and permission checks.
"""

from typing import Dict, Any, List, Optional
from modules.datamodels.datamodelUam import User, UserPrivilege
from modules.datamodels.datamodelChat import ChatWorkflow

class ChatAccess:
    """
    Access control class for Chat interface.
    Handles user access management and permission checks.
    """
    
    def __init__(self, currentUser: User, db):
        """Initialize with user context."""
        self.currentUser = currentUser
        self.mandateId = currentUser.mandateId
        self.userId = currentUser.id
        
        if not self.mandateId or not self.userId:
            raise ValueError("Invalid user context: mandateId and userId are required")
            
        self.db = db

    def uam(self, model_class: type, recordset: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
        """
        Unified user access management function that filters data based on user privileges
        and adds access control attributes.
        
        Args:
            model_class: Pydantic model class for the table
            recordset: Recordset to filter based on access rules
            
        Returns:
            Filtered recordset with access control attributes
        """
        userPrivilege = self.currentUser.privilege
        table_name = model_class.__name__
        filtered_records = []
        
        # Apply filtering based on privilege
        if userPrivilege == UserPrivilege.SYSADMIN:
            filtered_records = recordset  # System admins see all records
        elif userPrivilege == UserPrivilege.ADMIN:
            # Admins see records in their mandate
            filtered_records = [r for r in recordset if r.get("mandateId","-") == self.mandateId]
        else:  # Regular users
            # Users see only their records for other tables
            filtered_records = [r for r in recordset 
                if r.get("mandateId","-") == self.mandateId and r.get("_createdBy") == self.userId]
        
        # Add access control attributes to each record
        for record in filtered_records:
            record_id = record.get("id")
            
            # Set access control flags based on user permissions
            if table_name == "ChatWorkflow":
                record["_hideView"] = False  # Everyone can view
                record["_hideEdit"] = not self.canModify(ChatWorkflow, record_id)
                record["_hideDelete"] = not self.canModify(ChatWorkflow, record_id)
            elif table_name == "ChatMessage":
                record["_hideView"] = False  # Everyone can view
                record["_hideEdit"] = not self.canModify(ChatWorkflow, record.get("workflowId"))
                record["_hideDelete"] = not self.canModify(ChatWorkflow, record.get("workflowId"))
            elif table_name == "ChatLog":
                record["_hideView"] = False  # Everyone can view
                record["_hideEdit"] = not self.canModify(ChatWorkflow, record.get("workflowId"))
                record["_hideDelete"] = not self.canModify(ChatWorkflow, record.get("workflowId"))
            else:
                # Default access control for other tables
                record["_hideView"] = False
                record["_hideEdit"] = not self.canModify(model_class, record_id)
                record["_hideDelete"] = not self.canModify(model_class, record_id)
        
        return filtered_records

    def canModify(self, model_class: type, recordId: Optional[str] = None) -> bool:
        """
        Checks if the current user can modify (create/update/delete) records in a table.
        
        Args:
            model_class: Pydantic model class for the table
            recordId: Optional record ID for specific record check
            
        Returns:
            Boolean indicating permission
        """
        userPrivilege = self.currentUser.privilege
        
        # System admins can modify anything
        if userPrivilege == UserPrivilege.SYSADMIN:
            return True
            
        # For regular users and admins, check specific cases
        if recordId is not None:
            # Get the record to check ownership
            records: List[Dict[str, Any]] = self.db.getRecordset(model_class, recordFilter={"id": recordId})
            if not records:
                return False
                
            record = records[0]
            
            # Admins can modify anything in their mandate, if mandate is specified for a record
            if userPrivilege == UserPrivilege.ADMIN and record.get("mandateId","-") == self.mandateId:
                return True
                
            # Regular users can only modify their own records
            if (record.get("mandateId","-") == self.mandateId and 
                record.get("_createdBy") == self.userId):
                return True
                
            return False
        else:
            # For general modification permission (e.g., create)
            # Admins can create anything in their mandate
            if userPrivilege == UserPrivilege.ADMIN:
                return True
                
            # Regular users can create in most tables
            return True