Create admin_roles.py

admin_roles.py

@@ -0,0 +1,52 @@
+"""
+Admin Role-Based Access Control
+Defines roles and permission checking for admin users
+"""
+
+from fastapi import HTTPException, Depends
+from typing import Optional
+import logging
+
+logger = logging.getLogger(__name__)
+
+# Admin Roles
+ADMIN_ROLE_SYLLABUS = "admin"  # Can upload syllabus only
+ADMIN_ROLE_ENROLLMENT = "school_admin"  # Can enroll students only
+
+def check_admin_role(admin, required_role: str, action: str = "perform this action"):
+    """Check if admin has the required role"""
+    # Get role from admin object (works with both SQLAlchemy and MongoDB)
+    admin_role = None
+    
+    if hasattr(admin, 'role'):
+        admin_role = admin.role
+    elif isinstance(admin, dict):
+        admin_role = admin.get('role', 'admin')
+    else:
+        # Default to 'admin' if role not found
+        admin_role = 'admin'
+    
+    if admin_role != required_role:
+        logger.warning(f"Access denied: Admin {admin.username if hasattr(admin, 'username') else admin.get('username', 'unknown')} (role: {admin_role}) attempted {action} requiring role: {required_role}")
+        raise HTTPException(
+            status_code=403,
+            detail=f"Access denied. This action requires '{required_role}' role. Your role is '{admin_role}'."
+        )
+    
+    return True
+
+def require_syllabus_admin(admin):
+    """Require admin role (syllabus upload only)"""
+    return check_admin_role(admin, ADMIN_ROLE_SYLLABUS, "upload syllabus")
+
+def require_enrollment_admin(admin):
+    """Require school_admin role (student enrollment only)"""
+    return check_admin_role(admin, ADMIN_ROLE_ENROLLMENT, "enroll students")
+
+def get_admin_role(admin) -> str:
+    """Get admin role"""
+    if hasattr(admin, 'role'):
+        return admin.role
+    elif isinstance(admin, dict):
+        return admin.get('role', 'admin')
+    return 'admin'