# User View Permissions Fix

## Issue

Project managers and other managers were getting 403 Forbidden errors when trying to view user profiles, even for users in their own organization or shared projects.

**Error:**

```
GET /api/v1/users/43b778b0-2062-4724-abbb-916a4835a9b0 → 403 Forbidden
{"detail":"You don't have permission to view this user"}
```

## Root Cause

The `GET /api/v1/users/{user_id}` endpoint had overly restrictive permissions that only allowed:

- Platform admins
- Org admins (client_admin, contractor_admin)
- Self (viewing own profile)

Project managers, sales managers, and dispatchers couldn't view users even in their own organization.

## Solution

Updated the permission logic in `src/app/api/v1/users.py` to allow:

### Who Can View User Profiles:

1. **Platform Admin** - Can view anyone ✅
2. **Self** - Can view own profile ✅
3. **Org Admins** (client_admin, contractor_admin) - Can view users in their organization ✅
4. **Project Managers** - Can view:
   - Users in their organization (same client_id or contractor_id) ✅
   - Users in shared projects (for cross-org collaboration) ✅
5. **Sales Managers** - Can view:
   - Users in their organization ✅
   - Users in shared projects ✅
6. **Dispatchers** - Can view:
   - Users in their organization ✅
   - Users in shared projects ✅

### Permission Hierarchy:

```
Platform Admin
└─ Can view ALL users

Org Admins (Client/Contractor Admin)
└─ Can view users in their organization

Managers (PM, Sales Manager, Dispatcher)
├─ Can view users in their organization
└─ Can view users in shared projects

Regular Users
└─ Can view only themselves
```
## Use Cases Enabled

1. **Team Management**: Project managers can view profiles of team members to assign tasks
2. **Cross-Project Collaboration**: Managers can view users they collaborate with across projects
3. **User Import**: Managers can view org users when adding them to new projects
4. **Profile Review**: Sales managers can review field agent profiles for assignments

## Code Changes

**File:** `src/app/api/v1/users.py`

**Before:**

```python
# Only platform_admin, org_admins, and self could view
if current_user.role != 'platform_admin':
    if current_user.id == user.id:
        return user
    if current_user.role in ['client_admin', 'contractor_admin']:
        # Check org membership
        ...
    raise HTTPException(403, "No permission")
```
**After:**

```python
# Added support for managers
if current_user.role in ['project_manager', 'sales_manager', 'dispatcher']:
    # Check same organization. The `is not None` guards matter: a user with no
    # client (or no contractor) has that field set to None, and a bare
    # `None == None` comparison would match every other such user.
    if current_user.client_id is not None and current_user.client_id == user.client_id:
        return user
    if current_user.contractor_id is not None and current_user.contractor_id == user.contractor_id:
        return user
    # Check shared projects (shared_projects is the count of projects both
    # users belong to, computed earlier in the endpoint)
    if shared_projects > 0:
        return user
```
## Testing

Test the fix by:

1. Login as project manager
2. Navigate to team page
3. Click on a team member
4. Should now see user profile (200 OK) instead of 403 Forbidden

## Related Issues

- Frontend was correctly using `user_id` field (fixed in previous update)
- This completes the user profile viewing workflow