| """ |
| Authorization middleware — injects permissions and roles into request. |
| """ |
| from django.utils.deprecation import MiddlewareMixin |
|
|
| class AuthorizationMiddleware(MiddlewareMixin): |
| """ |
| Inject user's roles and permissions into the request object. |
| |
| After processing: |
| - request.roles: list of role names (e.g., ["platform_admin"]) |
| - request.permissions: set of permission codenames (e.g., {"users:read"}) |
| """ |
|
|
| def process_view(self, request, view_func, view_args, view_kwargs): |
| if not hasattr(request, "user") or not request.user.is_authenticated: |
| request.roles = [] |
| request.permissions = set() |
| return None |
|
|
| from apps.access.services.rbac_service import get_user_permissions, get_user_roles |
|
|
| roles = get_user_roles(request.user) |
| permissions = get_user_permissions(request.user) |
| |
| if hasattr(request, "tenant") and request.tenant: |
| from apps.organizations.models import OrgRole |
| |
| org_roles = OrgRole.objects.filter(org=request.tenant, user=request.user).select_related('role') |
| |
| for org_role in org_roles: |
| roles.append(org_role.role.name) |
| |
| from apps.access.models import RolePermission |
| perms = RolePermission.objects.filter(role=org_role.role).select_related("permission") |
| for rp in perms: |
| permissions.add(rp.permission.codename) |
|
|
| request.roles = list(set(roles)) |
| request.permissions = permissions |
| return None |
|
|