feat: implement org admin permissions, org-scoped filtering, and audit log updates

src/app/api/deps.py

@@ -98,3 +98,30 @@ async def get_current_active_user(
             detail="Inactive user"
         )
     return current_user
+
+
+def get_org_scope(user: User) -> dict:
+    """
+    Get organization scope for org admin users.
+    
+    Returns dict with org filtering info:
+    - is_org_scoped: bool - Whether user is org admin (needs scoping)
+    - client_id: UUID or None - Client org to filter by
+    - contractor_id: UUID or None - Contractor org to filter by
+    
+    Platform admins and non-org-admins return is_org_scoped=False
+    """
+    if user.role in ['client_admin', 'contractor_admin']:
+        return {
+            'is_org_scoped': True,
+            'client_id': user.client_id,
+            'contractor_id': user.contractor_id,
+            'org_type': 'client' if user.client_id else 'contractor'
+        }
+    
+    return {
+        'is_org_scoped': False,
+        'client_id': None,
+        'contractor_id': None,
+        'org_type': None
+    }

src/app/api/v1/audit_logs.py

@@ -17,7 +17,7 @@ router = APIRouter()
 
 
 @router.get("", response_model=AuditLogListResponse)
-@require_role(["platform_admin"])
+@require_role(["platform_admin", "client_admin", "contractor_admin"])
 def get_audit_logs(
     skip: int = Query(0, ge=0),
     limit: int = Query(100, ge=1, le=1000),
@@ -31,7 +31,11 @@ def get_audit_logs(
     current_user: User = Depends(get_current_user)
 ):
     """
-    Get audit logs with filtering and pagination (Platform Admin only)
+    Get audit logs with filtering and pagination
+    
+    **Authorization:**
+    - Platform admins see all audit logs
+    - Org admins see only logs from users in their organization
     
     Query parameters:
     - skip: Number of records to skip (pagination)
@@ -46,6 +50,22 @@ def get_audit_logs(
     # Build query
     query = db.query(AuditLog)
     
+    # Org scoping for org admins
+    # Filter to show only logs from users in their organization
+    if current_user.role in ['client_admin', 'contractor_admin']:
+        # Get all user IDs in the same org
+        org_users_query = db.query(User.id).filter(User.deleted_at == None)
+        
+        if current_user.client_id:
+            org_users_query = org_users_query.filter(User.client_id == current_user.client_id)
+        elif current_user.contractor_id:
+            org_users_query = org_users_query.filter(User.contractor_id == current_user.contractor_id)
+        
+        org_user_ids = [str(u.id) for u in org_users_query.all()]
+        
+        # Filter audit logs to only show actions by users in the org
+        query = query.filter(AuditLog.user_id.in_(org_user_ids))
+    
     # Apply filters
     if user_id:
         query = query.filter(AuditLog.user_id == user_id)
@@ -86,27 +106,50 @@ def get_audit_logs(
 
 
 @router.get("/{audit_log_id}", response_model=AuditLogResponse)
-@require_role(["platform_admin"])
+@require_role(["platform_admin", "client_admin", "contractor_admin"])
 def get_audit_log(
     audit_log_id: str,
     db: Session = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):
     """
-    Get a specific audit log entry by ID (Platform Admin only)
+    Get a specific audit log entry by ID
+    
+    **Authorization:**
+    - Platform admins can view any log
+    - Org admins can only view logs from users in their organization
     """
     from app.core.exceptions import NotFoundException
+    from fastapi import HTTPException, status
     
     audit_log = db.query(AuditLog).filter(AuditLog.id == audit_log_id).first()
     
     if not audit_log:
-        raise NotFoundException(f"Audit log with ID {audit_log_id} not found")
+        raise NotFoundException("Audit log not found")
+    
+    # Org scoping check
+    if current_user.role in ['client_admin', 'contractor_admin']:
+        # Get the user who performed this action
+        log_user = db.query(User).filter(User.id == audit_log.user_id).first()
+        
+        if log_user:
+            # Check if the log user is in the same org
+            if current_user.client_id and log_user.client_id != current_user.client_id:
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    detail="You can only view audit logs from your organization"
+                )
+            if current_user.contractor_id and log_user.contractor_id != current_user.contractor_id:
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    detail="You can only view audit logs from your organization"
+                )
     
     return audit_log
 
 
 @router.get("/user/{user_id}", response_model=AuditLogListResponse)
-@require_role(["platform_admin"])
+@require_role(["platform_admin", "client_admin", "contractor_admin"])
 def get_user_audit_logs(
     user_id: str,
     skip: int = Query(0, ge=0),
@@ -115,8 +158,35 @@ def get_user_audit_logs(
     current_user: User = Depends(get_current_user)
 ):
     """
-    Get all audit logs for a specific user (Platform Admin only)
+    Get all audit logs for a specific user
+    
+    **Authorization:**
+    - Platform admins can view logs for any user
+    - Org admins can only view logs for users in their organization
     """
+    from fastapi import HTTPException, status
+    
+    # Org scoping check - verify the target user is in the same org
+    if current_user.role in ['client_admin', 'contractor_admin']:
+        target_user = db.query(User).filter(User.id == user_id).first()
+        
+        if not target_user:
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail="User not found"
+            )
+        
+        if current_user.client_id and target_user.client_id != current_user.client_id:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="You can only view audit logs for users in your organization"
+            )
+        if current_user.contractor_id and target_user.contractor_id != current_user.contractor_id:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="You can only view audit logs for users in your organization"
+            )
+    
     query = db.query(AuditLog).filter(AuditLog.user_id == user_id)
     
     total = query.count()

src/app/api/v1/clients.py

@@ -104,12 +104,21 @@ async def list_clients(
     """
     List all clients with pagination
     
+    **Authorization:**
+    - Platform admins see all clients
+    - Client admins see only their own client organization
+    - Contractor admins see all clients (their business partners)
+    
     - **skip**: Number of records to skip (default: 0)
     - **limit**: Maximum number of records to return (default: 100)
     - **is_active**: Filter by active status (optional)
     """
     query = db.query(Client).filter(Client.deleted_at == None)
     
+    # Org scoping for client_admin
+    if current_user.role == 'client_admin' and current_user.client_id:
+        query = query.filter(Client.id == current_user.client_id)
+    
     if is_active is not None:
         query = query.filter(Client.is_active == is_active)
     

src/app/api/v1/contractors.py

@@ -105,12 +105,21 @@ async def list_contractors(
     """
     List all contractors with pagination
     
+    **Authorization:**
+    - Platform admins see all contractors
+    - Contractor admins see only their own contractor organization
+    - Client admins see all contractors (their service providers)
+    
     - **skip**: Number of records to skip (default: 0)
     - **limit**: Maximum number of records to return (default: 100)
     - **is_active**: Filter by active status (optional)
     """
     query = db.query(Contractor).filter(Contractor.deleted_at == None)
     
+    # Org scoping for contractor_admin
+    if current_user.role == 'contractor_admin' and current_user.contractor_id:
+        query = query.filter(Contractor.id == current_user.contractor_id)
+    
     if is_active is not None:
         query = query.filter(Contractor.is_active == is_active)
     

src/app/api/v1/users.py

@@ -670,6 +670,7 @@ class AdminPasswordResetRequest(BaseModel):
     new_password: str
 
 @router.post("/{user_id}/reset-password", status_code=status.HTTP_200_OK)
+@require_permission("reset_user_password")
 async def admin_reset_user_password(
     user_id: UUID,
     data: AdminPasswordResetRequest,
@@ -681,20 +682,14 @@ async def admin_reset_user_password(
     Admin resets user's password (Supabase Admin API)
     
     **Authorization:**
-    - Platform admin only
+    - Platform admin (all users)
+    - Org admins (users in their organization only)
     
     **Use Cases:**
     - User forgot password and verified via OTP
     - Password recovery after identity verification
     - Emergency access restoration
     """
-    # Only platform admins can reset passwords
-    if current_user.role != 'platform_admin':
-        raise HTTPException(
-            status_code=status.HTTP_403_FORBIDDEN,
-            detail="Only platform administrators can reset user passwords"
-        )
-    
     # Get target user
     user = db.query(User).filter(
         User.id == user_id,
@@ -707,6 +702,19 @@ async def admin_reset_user_password(
             detail="User not found"
         )
     
+    # Org admins can only reset passwords for users in their org
+    if current_user.role in ['client_admin', 'contractor_admin']:
+        if current_user.client_id and user.client_id != current_user.client_id:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="You can only reset passwords for users in your organization"
+            )
+        if current_user.contractor_id and user.contractor_id != current_user.contractor_id:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="You can only reset passwords for users in your organization"
+            )
+    
     try:
         # Use Supabase Admin API to update user password
         response = supabase_admin.auth.admin.update_user_by_id(

src/app/core/permissions.py

@@ -59,15 +59,25 @@ class AppRole(str, Enum):
 # Platform admin has "*" (all permissions)
 # All other roles have explicit permission lists
 ROLE_PERMISSIONS: Dict[AppRole, List[str]] = {
-    AppRole.PLATFORM_ADMIN: ["*"],  # All permissions
+    AppRole.PLATFORM_ADMIN: [
+        "*",  # All permissions
+        "reset_user_password",  # Explicitly included for clarity
+        "view_audit_logs",
+        "view_organizations",
+        "view_billing"
+    ],
     AppRole.CLIENT_ADMIN: [
         # User Management
         "view_users",
         "invite_users",
         "manage_org_users",  # Can manage users in their organization
+        "reset_user_password",  # Can reset passwords for users in their org
+        "view_audit_logs",  # Can view audit logs for their org
         # Organization Management
         "create_clients",
         "create_contractors",  # Can onboard contractors they work with
+        "view_organizations",  # Can view their own organization
+        "view_billing",  # Can view their org's billing/subscription
         # Project Management
         "manage_projects",
         "view_reports",
@@ -83,9 +93,13 @@ ROLE_PERMISSIONS: Dict[AppRole, List[str]] = {
         "invite_users",
         "manage_org_users",  # Can manage users in their organization
         "manage_agents",
+        "reset_user_password",  # Can reset passwords for users in their org
+        "view_audit_logs",  # Can view audit logs for their org
         # Organization Management
         "create_clients",  # Can onboard clients they work with
         "create_contractors",
+        "view_organizations",  # Can view their own organization
+        "view_billing",  # Can view their org's billing/subscription
         # Project Management
         "accept_projects",
         "view_payroll",