Fix 403 error by updating user view permissions for project managers, sales managers, and dispatchers
d078030

User View Permissions Fix

Issue

Project managers and other managers were getting 403 Forbidden errors when trying to view user profiles, even for users in their own organization or shared projects.

Error:

GET /api/v1/users/43b778b0-2062-4724-abbb-916a4835a9b0 → 403 Forbidden
{"detail":"You don't have permission to view this user"}

Root Cause

The GET /api/v1/users/{user_id} endpoint had overly restrictive permissions that only allowed:

  • Platform admins
  • Org admins (client_admin, contractor_admin)
  • Self (viewing own profile)

Project managers, sales managers, and dispatchers couldn't view users even in their own organization.

Solution

Updated the permission logic in src/app/api/v1/users.py to allow:

Who Can View User Profiles:

  1. Platform Admin - Can view anyone ✅
  2. Self - Can view own profile ✅
  3. Org Admins (client_admin, contractor_admin) - Can view users in their organization ✅
  4. Project Managers - Can view:
    • Users in their organization (same client_id or contractor_id) ✅
    • Users in shared projects (for cross-org collaboration) ✅
  5. Sales Managers - Can view:
    • Users in their organization ✅
    • Users in shared projects ✅
  6. Dispatchers - Can view:
    • Users in their organization ✅
    • Users in shared projects ✅

Permission Hierarchy:

Platform Admin
    └─ Can view ALL users

Org Admins (Client/Contractor Admin)
    └─ Can view users in their organization

Managers (PM, Sales Manager, Dispatcher)
    ├─ Can view users in their organization
    └─ Can view users in shared projects

Regular Users
    └─ Can view only themselves
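A stand-alone model of the permission hierarchy above, added here as a worked example rather than code from the swiftops-backend repo. The `User` dataclass and the `same_org` / `can_view_user` functions are assumed names; the page does not show how the real endpoint counts shared projects, so that count is passed in as a parameter. The example also handles one edge case worth checking in the real implementation: a user who belongs to a contractor normally has no client_id, so a plain `a.client_id == b.client_id` comparison evaluates `None == None` as true and would match every other user without a client_id.

```python
from dataclasses import dataclass
from typing import Optional

# Role groups as described in the devlog (assumed string values).
ADMIN_ROLES = {"client_admin", "contractor_admin"}
MANAGER_ROLES = {"project_manager", "sales_manager", "dispatcher"}


@dataclass(frozen=True)
class User:
    """Minimal stand-in for the project's user model (hypothetical)."""
    id: str
    role: str
    client_id: Optional[str] = None
    contractor_id: Optional[str] = None


def same_org(a: User, b: User) -> bool:
    """True only when both users share a non-null organization id.

    Each side must actually be set: comparing None == None would
    wrongly treat two users that have no client_id (or no contractor_id)
    as members of the same organization.
    """
    if a.client_id is not None and a.client_id == b.client_id:
        return True
    if a.contractor_id is not None and a.contractor_id == b.contractor_id:
        return True
    return False


def can_view_user(viewer: User, target: User, shared_project_count: int) -> bool:
    """Decide whether `viewer` may read `target`'s profile.

    shared_project_count is the number of projects both users belong to;
    in the real endpoint it would come from a query, here it is supplied
    by the caller.
    """
    if viewer.role == "platform_admin":          # sees everyone
        return True
    if viewer.id == target.id:                   # own profile
        return True
    if viewer.role in ADMIN_ROLES:               # org admins: own org only
        return same_org(viewer, target)
    if viewer.role in MANAGER_ROLES:             # managers: own org or shared project
        return same_org(viewer, target) or shared_project_count > 0
    return False                                 # regular users: self only


# Constructed sample users (ids and org ids are made up for the example).
ADMIN = User("a1", "platform_admin")
PM_CLIENT = User("p1", "project_manager", client_id="c1")
PM_CONTRACTOR = User("p2", "project_manager", contractor_id="k1")
DISPATCHER = User("d1", "dispatcher", contractor_id="k1")
CLIENT_ADMIN = User("ca", "client_admin", client_id="c1")
AGENT_C1 = User("f1", "field_agent", client_id="c1")
AGENT_C2 = User("f2", "field_agent", client_id="c2")


def demo() -> dict:
    """Evaluate the cases a reviewer would want to see, keyed by description."""
    return {
        "admin views anyone": can_view_user(ADMIN, AGENT_C2, 0),
        "pm views same-client user": can_view_user(PM_CLIENT, AGENT_C1, 0),
        "contractor pm, no shared project": can_view_user(PM_CONTRACTOR, AGENT_C1, 0),
        "contractor pm, one shared project": can_view_user(PM_CONTRACTOR, AGENT_C1, 1),
        "dispatcher via shared project": can_view_user(DISPATCHER, AGENT_C2, 1),
        "client admin, other client": can_view_user(CLIENT_ADMIN, AGENT_C2, 2),
        "agent views own profile": can_view_user(AGENT_C1, AGENT_C1, 0),
        "agent views manager": can_view_user(AGENT_C1, PM_CLIENT, 3),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:36} -> {'200 OK' if allowed else '403 Forbidden'}")
```

Note the third case: with the None guard removed, `PM_CONTRACTOR` (client_id None) would match `AGENT_C1`? No, but it would match any other contractor-less user with client_id None, which is the cross-org leak the guard prevents; the shared-project path is the only intended route for cross-org access.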

Use Cases Enabled

  1. Team Management: Project managers can view profiles of team members to assign tasks
  2. Cross-Project Collaboration: Managers can view users they collaborate with across projects
  3. User Import: Managers can view org users when adding them to new projects
  4. Profile Review: Sales managers can review field agent profiles for assignments

Code Changes

File: src/app/api/v1/users.py

Before:

# Only platform_admin, org_admins, and self could view
if current_user.role != 'platform_admin':
    if current_user.id == user.id:
        return user
    if current_user.role in ['client_admin', 'contractor_admin']:
        # Check org membership
        ...
    raise HTTPException(403, "No permission")

After:

# Added support for managers
if current_user.role in ['project_manager', 'sales_manager', 'dispatcher']:
    # Check same organization. The "is not None" guard matters: a contractor
    # user has no client_id, so a bare equality check would evaluate
    # None == None as a match against every other user without a client_id.
    if current_user.client_id is not None and current_user.client_id == user.client_id:
        return user
    if current_user.contractor_id is not None and current_user.contractor_id == user.contractor_id:
        return user

    # Check shared projects (shared_projects is the number of projects both
    # users belong to, computed before this block)
    if shared_projects > 0:
        return user

Testing

Test the fix by:

  1. Log in as a project manager
  2. Navigate to the team page
  3. Click on a team member
  4. The user profile should now load (200 OK) instead of returning 403 Forbidden

Related Issues

  • Frontend was correctly using user_id field (fixed in previous update)
  • This completes the user profile viewing workflow