Add role-based filtering and imporve code

2025-10-15 16:12:49 +02:00
parent 96ad5c6692
commit 8f9e9a7edc
158 changed files with 11033 additions and 1544 deletions
--- a/services/forecasting/app/api/analytics.py
+++ b/services/forecasting/app/api/analytics.py
@@ -12,6 +12,7 @@ from app.services.prediction_service import PredictionService
 from shared.database.base import create_database_manager
 from app.core.config import settings
 from shared.routing import RouteBuilder
+from shared.auth.access_control import analytics_tier_required

 route_builder = RouteBuilder('forecasting')
 logger = structlog.get_logger()
@@ -27,13 +28,14 @@ def get_enhanced_prediction_service():
@router.get(
    route_builder.build_analytics_route("predictions-performance")
 )
+@analytics_tier_required
 async def get_predictions_performance(
    tenant_id: str = Path(..., description="Tenant ID"),
    start_date: Optional[date] = Query(None),
    end_date: Optional[date] = Query(None),
    prediction_service: PredictionService = Depends(get_enhanced_prediction_service)
 ):
-    """Get predictions performance analytics"""
+    """Get predictions performance analytics (Professional+ tier required)"""
    try:
        logger.info("Getting predictions performance", tenant_id=tenant_id)

--- a/services/forecasting/app/api/forecasting_operations.py
+++ b/services/forecasting/app/api/forecasting_operations.py
@@ -23,11 +23,22 @@ from shared.monitoring.metrics import get_metrics_collector
 from app.core.config import settings
 from shared.routing import RouteBuilder
 from shared.auth.access_control import require_user_role
+from shared.security import create_audit_logger, create_rate_limiter, AuditSeverity, AuditAction
+from shared.subscription.plans import get_forecast_quota, get_forecast_horizon_limit
+from shared.redis_utils import get_redis_client

 route_builder = RouteBuilder('forecasting')
 logger = structlog.get_logger()
 router = APIRouter(tags=["forecasting-operations"])

+# Initialize audit logger
+audit_logger = create_audit_logger("forecasting-service")
+
+async def get_rate_limiter():
+    """Dependency for rate limiter"""
+    redis_client = await get_redis_client()
+    return create_rate_limiter(redis_client)
+

 def get_enhanced_forecasting_service():
    """Dependency injection for EnhancedForecastingService"""
@@ -194,16 +205,17 @@ async def generate_multi_day_forecast(
    route_builder.build_operations_route("batch"),
    response_model=BatchForecastResponse
 )
-@require_user_role(['viewer', 'member', 'admin', 'owner'])
+@require_user_role(['admin', 'owner'])
@track_execution_time("enhanced_batch_forecast_duration_seconds", "forecasting-service")
 async def generate_batch_forecast(
    request: BatchForecastRequest,
    tenant_id: str = Path(..., description="Tenant ID"),
    request_obj: Request = None,
    current_user: dict = Depends(get_current_user_dep),
-    enhanced_forecasting_service: EnhancedForecastingService = Depends(get_enhanced_forecasting_service)
+    enhanced_forecasting_service: EnhancedForecastingService = Depends(get_enhanced_forecasting_service),
+    rate_limiter = Depends(get_rate_limiter)
 ):
-    """Generate forecasts for multiple products in batch"""
+    """Generate forecasts for multiple products in batch (Admin+ only, quota enforced)"""
    metrics = get_metrics_collector(request_obj)

    try:
@@ -217,6 +229,24 @@ async def generate_batch_forecast(
        if not request.inventory_product_ids:
            raise ValueError("inventory_product_ids cannot be empty")

+        # Get subscription tier and enforce quotas
+        tier = current_user.get('subscription_tier', 'starter')
+
+        # Check daily quota for forecast generation
+        quota_limit = get_forecast_quota(tier)
+        quota_result = await rate_limiter.check_and_increment_quota(
+            tenant_id,
+            "forecast_generation",
+            quota_limit,
+            period=86400  # 24 hours
+        )
+
+        # Validate forecast horizon if specified
+        if request.horizon_days:
+            await rate_limiter.validate_forecast_horizon(
+                tenant_id, request.horizon_days, tier
+            )
+
        batch_result = await enhanced_forecasting_service.generate_batch_forecast(
            tenant_id=tenant_id,
            request=request
--- a/services/forecasting/app/api/scenario_operations.py
+++ b/services/forecasting/app/api/scenario_operations.py
@@ -26,7 +26,7 @@ from shared.monitoring.decorators import track_execution_time
 from shared.monitoring.metrics import get_metrics_collector
 from app.core.config import settings
 from shared.routing import RouteBuilder
-from shared.auth.access_control import require_user_role
+from shared.auth.access_control import require_user_role, enterprise_tier_required

 route_builder = RouteBuilder('forecasting')
 logger = structlog.get_logger()
@@ -43,12 +43,14 @@ def get_enhanced_forecasting_service():
    route_builder.build_analytics_route("scenario-simulation"),
    response_model=ScenarioSimulationResponse
 )
-@require_user_role(['viewer', 'member', 'admin', 'owner'])
+@require_user_role(['admin', 'owner'])
+@enterprise_tier_required
@track_execution_time("scenario_simulation_duration_seconds", "forecasting-service")
 async def simulate_scenario(
    request: ScenarioSimulationRequest,
    tenant_id: str = Path(..., description="Tenant ID"),
    request_obj: Request = None,
+    current_user: dict = Depends(get_current_user_dep),
    forecasting_service: EnhancedForecastingService = Depends(get_enhanced_forecasting_service)
 ):
    """
@@ -62,7 +64,7 @@ async def simulate_scenario(
    - Promotions
    - Supply disruptions

-    **PROFESSIONAL/ENTERPRISE ONLY**
+    **ENTERPRISE TIER ONLY - Admin+ role required**
    """
    metrics = get_metrics_collector(request_obj)
    start_time = datetime.now(timezone.utc)