Add role-based filtering and imporve code

2025-10-15 16:12:49 +02:00
parent 96ad5c6692
commit 8f9e9a7edc
158 changed files with 11033 additions and 1544 deletions
--- a/services/orders/app/api/orders.py
+++ b/services/orders/app/api/orders.py
@@ -14,6 +14,7 @@ import structlog
 from shared.auth.decorators import get_current_user_dep
 from shared.auth.access_control import require_user_role
 from shared.routing import RouteBuilder
+from shared.security import create_audit_logger, AuditSeverity, AuditAction
 from app.core.database import get_db
 from app.services.orders_service import OrdersService
 from app.schemas.order_schemas import (
@@ -23,6 +24,7 @@ from app.schemas.order_schemas import (
 )

 logger = structlog.get_logger()
+audit_logger = create_audit_logger("orders-service")

 # Create route builder for consistent URL structure
 route_builder = RouteBuilder('orders')
@@ -238,7 +240,7 @@ async def delete_order(
    orders_service: OrdersService = Depends(get_orders_service),
    db = Depends(get_db)
 ):
-    """Delete an order (soft delete)"""
+    """Delete an order (Admin+ only, soft delete)"""
    try:
        order = await orders_service.order_repo.get(db, order_id, tenant_id)
        if not order:
@@ -247,10 +249,37 @@ async def delete_order(
                detail="Order not found"
            )

+        # Capture order data before deletion
+        order_data = {
+            "order_number": order.order_number,
+            "customer_id": str(order.customer_id) if order.customer_id else None,
+            "order_status": order.order_status,
+            "total_amount": float(order.total_amount) if order.total_amount else 0.0,
+            "order_date": order.order_date.isoformat() if order.order_date else None
+        }
+
        await orders_service.order_repo.delete(db, order_id, tenant_id)

+        # Log audit event for order deletion
+        try:
+            await audit_logger.log_deletion(
+                db_session=db,
+                tenant_id=str(tenant_id),
+                user_id=current_user["user_id"],
+                resource_type="order",
+                resource_id=str(order_id),
+                resource_data=order_data,
+                description=f"Admin {current_user.get('email', 'unknown')} deleted order {order_data['order_number']}",
+                endpoint=f"/orders/{order_id}",
+                method="DELETE"
+            )
+        except Exception as audit_error:
+            logger.warning("Failed to log audit event", error=str(audit_error))
+
        logger.info("Order deleted successfully",
-                   order_id=str(order_id))
+                   order_id=str(order_id),
+                   tenant_id=str(tenant_id),
+                   user_id=current_user["user_id"])

    except HTTPException:
        raise