Add role-based filtering and imporve code

2025-10-15 16:12:49 +02:00
parent 96ad5c6692
commit 8f9e9a7edc
158 changed files with 11033 additions and 1544 deletions
--- a/services/notification/app/api/notification_operations.py
+++ b/services/notification/app/api/notification_operations.py
@@ -22,8 +22,10 @@ from shared.auth.access_control import require_user_role, admin_role_required
 from shared.routing.route_builder import RouteBuilder
 from shared.database.base import create_database_manager
 from shared.monitoring.metrics import track_endpoint_metrics
+from shared.security import create_audit_logger, AuditSeverity, AuditAction

 logger = structlog.get_logger()
+audit_logger = create_audit_logger("notification-service")
 router = APIRouter()
 route_builder = RouteBuilder("notification")

@@ -52,12 +54,25 @@ async def send_notification(
    """Send a single notification with enhanced validation and features"""

    try:
-        # Check permissions for broadcast notifications
-        if notification_data.get("broadcast", False) and current_user.get("role") not in ["admin", "manager"]:
-            raise HTTPException(
-                status_code=status.HTTP_403_FORBIDDEN,
-                detail="Only admins and managers can send broadcast notifications"
-            )
+        # Check permissions for broadcast notifications (Admin+ only)
+        if notification_data.get("broadcast", False):
+            user_role = current_user.get("role", "").lower()
+            if user_role not in ["admin", "owner"]:
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    detail="Only admins and owners can send broadcast notifications"
+                )
+
+            # Log HIGH severity audit event for broadcast notifications
+            try:
+                # Note: db session would need to be passed as dependency for full audit logging
+                logger.info("Broadcast notification initiated",
+                           tenant_id=current_user.get("tenant_id"),
+                           user_id=current_user["user_id"],
+                           notification_type=notification_data.get("type"),
+                           severity="HIGH")
+            except Exception as audit_error:
+                logger.warning("Failed to log audit event", error=str(audit_error))

        # Validate required fields
        if not notification_data.get("message"):