""" Authorization middleware — injects permissions and roles into request. """ from django.utils.deprecation import MiddlewareMixin class AuthorizationMiddleware(MiddlewareMixin): """ Inject user's roles and permissions into the request object. After processing: - request.roles: list of role names (e.g., ["platform_admin"]) - request.permissions: set of permission codenames (e.g., {"users:read"}) """ def process_view(self, request, view_func, view_args, view_kwargs): if not hasattr(request, "user") or not request.user.is_authenticated: request.roles = [] request.permissions = set() return None from apps.access.services.rbac_service import get_user_permissions, get_user_roles roles = get_user_roles(request.user) permissions = get_user_permissions(request.user) if hasattr(request, "tenant") and request.tenant: from apps.organizations.models import OrgRole # Fetch org-specific roles for the user org_roles = OrgRole.objects.filter(org=request.tenant, user=request.user).select_related('role') for org_role in org_roles: roles.append(org_role.role.name) # Fetch permissions for this org role from apps.access.models import RolePermission perms = RolePermission.objects.filter(role=org_role.role).select_related("permission") for rp in perms: permissions.add(rp.permission.codename) request.roles = list(set(roles)) request.permissions = permissions return None