Add role-based filtering and imporve code

2025-10-15 16:12:49 +02:00
parent 96ad5c6692
commit 8f9e9a7edc
158 changed files with 11033 additions and 1544 deletions
--- a/services/production/app/api/production_batches.py
+++ b/services/production/app/api/production_batches.py
@@ -10,7 +10,9 @@ from uuid import UUID
 import structlog

 from shared.auth.decorators import get_current_user_dep
+from shared.auth.access_control import require_user_role
 from shared.routing import RouteBuilder
+from shared.security import create_audit_logger, AuditSeverity, AuditAction
 from app.core.database import get_db
 from app.services.production_service import ProductionService
 from app.schemas.production import (
@@ -27,6 +29,9 @@ logger = structlog.get_logger()
 route_builder = RouteBuilder('production')
 router = APIRouter(tags=["production-batches"])

+# Initialize audit logger
+audit_logger = create_audit_logger("production-service")
+

 def get_production_service() -> ProductionService:
    """Dependency injection for production service"""
@@ -229,16 +234,33 @@ async def update_production_batch(
@router.delete(
    route_builder.build_resource_detail_route("batches", "batch_id")
 )
+@require_user_role(['admin', 'owner'])
 async def delete_production_batch(
    tenant_id: UUID = Path(...),
    batch_id: UUID = Path(...),
    current_user: dict = Depends(get_current_user_dep),
    production_service: ProductionService = Depends(get_production_service)
 ):
-    """Cancel/delete draft batch (soft delete preferred)"""
+    """Cancel/delete draft batch (Admin+ only, soft delete preferred)"""
    try:
        await production_service.delete_production_batch(tenant_id, batch_id)

+        # Log audit event for batch deletion
+        try:
+            db = next(get_db())
+            await audit_logger.log_deletion(
+                db_session=db,
+                tenant_id=str(tenant_id),
+                user_id=current_user["user_id"],
+                resource_type="production_batch",
+                resource_id=str(batch_id),
+                description=f"Deleted production batch",
+                endpoint=f"/batches/{batch_id}",
+                method="DELETE"
+            )
+        except Exception as audit_error:
+            logger.warning("Failed to log audit event", error=str(audit_error))
+
        logger.info("Deleted production batch",
                   batch_id=str(batch_id), tenant_id=str(tenant_id))

--- a/services/production/app/api/production_schedules.py
+++ b/services/production/app/api/production_schedules.py
@@ -10,7 +10,9 @@ from uuid import UUID
 import structlog

 from shared.auth.decorators import get_current_user_dep
+from shared.auth.access_control import require_user_role
 from shared.routing import RouteBuilder
+from shared.security import create_audit_logger, AuditSeverity, AuditAction
 from app.core.database import get_db
 from app.services.production_service import ProductionService
 from app.schemas.production import (
@@ -24,6 +26,9 @@ logger = structlog.get_logger()
 route_builder = RouteBuilder('production')
 router = APIRouter(tags=["production-schedules"])

+# Initialize audit logger
+audit_logger = create_audit_logger("production-service")
+

 def get_production_service() -> ProductionService:
    """Dependency injection for production service"""
@@ -125,13 +130,14 @@ async def get_production_schedule_details(
    route_builder.build_base_route("schedules"),
    response_model=ProductionScheduleResponse
 )
+@require_user_role(['admin', 'owner'])
 async def create_production_schedule(
    schedule_data: ProductionScheduleCreate,
    tenant_id: UUID = Path(...),
    current_user: dict = Depends(get_current_user_dep),
    production_service: ProductionService = Depends(get_production_service)
 ):
-    """Generate or manually create a daily/shift schedule"""
+    """Generate or manually create a daily/shift schedule (Admin+ only)"""
    try:
        schedule = await production_service.create_production_schedule(tenant_id, schedule_data)

@@ -153,6 +159,7 @@ async def create_production_schedule(
    route_builder.build_resource_detail_route("schedules", "schedule_id"),
    response_model=ProductionScheduleResponse
 )
+@require_user_role(['admin', 'owner'])
 async def update_production_schedule(
    schedule_update: ProductionScheduleUpdate,
    tenant_id: UUID = Path(...),
@@ -160,7 +167,7 @@ async def update_production_schedule(
    current_user: dict = Depends(get_current_user_dep),
    production_service: ProductionService = Depends(get_production_service)
 ):
-    """Edit schedule before finalizing"""
+    """Edit schedule before finalizing (Admin+ only)"""
    try:
        schedule = await production_service.update_production_schedule(tenant_id, schedule_id, schedule_update)

--- a/services/production/app/models/init.py
+++ b/services/production/app/models/init.py
@@ -5,6 +5,13 @@
 Production service models
 """

+# Import AuditLog model for this service
+from shared.security import create_audit_log_model
+from shared.database.base import Base
+
+# Create audit log model for this service
+AuditLog = create_audit_log_model(Base)
+
 from .production import (
    ProductionBatch,
    ProductionSchedule,
@@ -31,4 +38,5 @@ __all__ = [
    "EquipmentStatus",
    "ProcessStage",
    "EquipmentType",
+    "AuditLog",
 ]