Saas-Base / core /middleware /authorization.py
rsnarsna
sixth commit
8cab7c2
Raw
History Blame Contribute Delete
1.68 kB
"""
Authorization middleware — injects permissions and roles into request.
"""
from django.utils.deprecation import MiddlewareMixin
class AuthorizationMiddleware(MiddlewareMixin):
"""
Inject user's roles and permissions into the request object.
After processing:
- request.roles: list of role names (e.g., ["platform_admin"])
- request.permissions: set of permission codenames (e.g., {"users:read"})
"""
def process_view(self, request, view_func, view_args, view_kwargs):
if not hasattr(request, "user") or not request.user.is_authenticated:
request.roles = []
request.permissions = set()
return None
from apps.access.services.rbac_service import get_user_permissions, get_user_roles
roles = get_user_roles(request.user)
permissions = get_user_permissions(request.user)
if hasattr(request, "tenant") and request.tenant:
from apps.organizations.models import OrgRole
# Fetch org-specific roles for the user
org_roles = OrgRole.objects.filter(org=request.tenant, user=request.user).select_related('role')
for org_role in org_roles:
roles.append(org_role.role.name)
# Fetch permissions for this org role
from apps.access.models import RolePermission
perms = RolePermission.objects.filter(role=org_role.role).select_related("permission")
for rp in perms:
permissions.add(rp.permission.codename)
request.roles = list(set(roles))
request.permissions = permissions
return None