Add role-based filtering and imporve code

2025-10-15 16:12:49 +02:00
parent 96ad5c6692
commit 8f9e9a7edc
158 changed files with 11033 additions and 1544 deletions
--- a/services/suppliers/app/api/suppliers.py
+++ b/services/suppliers/app/api/suppliers.py
@@ -18,6 +18,7 @@ from app.schemas.suppliers import (
 from shared.auth.decorators import get_current_user_dep
 from shared.routing import RouteBuilder
 from shared.auth.access_control import require_user_role
+from shared.security import create_audit_logger, AuditSeverity, AuditAction

 # Create route builder for consistent URL structure
 route_builder = RouteBuilder('suppliers')
@@ -25,6 +26,7 @@ route_builder = RouteBuilder('suppliers')

 router = APIRouter(tags=["suppliers"])
 logger = structlog.get_logger()
+audit_logger = create_audit_logger("suppliers-service")

@router.post(route_builder.build_base_route("suppliers"), response_model=SupplierResponse)
@require_user_role(['admin', 'owner', 'member'])
@@ -142,9 +144,11 @@ async def update_supplier(
@require_user_role(['admin', 'owner'])
 async def delete_supplier(
    supplier_id: UUID = Path(..., description="Supplier ID"),
+    tenant_id: str = Path(..., description="Tenant ID"),
+    current_user: Dict[str, Any] = Depends(get_current_user_dep),
    db: AsyncSession = Depends(get_db)
 ):
-    """Delete supplier (soft delete)"""
+    """Delete supplier (soft delete, Admin+ only)"""
    try:
        service = SupplierService(db)

@@ -153,10 +157,46 @@ async def delete_supplier(
        if not existing_supplier:
            raise HTTPException(status_code=404, detail="Supplier not found")

+        # Capture supplier data before deletion
+        supplier_data = {
+            "supplier_name": existing_supplier.name,
+            "supplier_type": existing_supplier.supplier_type,
+            "contact_person": existing_supplier.contact_person,
+            "email": existing_supplier.email
+        }
+
        success = await service.delete_supplier(supplier_id)
        if not success:
            raise HTTPException(status_code=404, detail="Supplier not found")

+        # Log audit event for supplier deletion
+        try:
+            # Get sync db session for audit logging
+            from app.core.database import SessionLocal
+            sync_db = SessionLocal()
+            try:
+                await audit_logger.log_deletion(
+                    db_session=sync_db,
+                    tenant_id=tenant_id,
+                    user_id=current_user["user_id"],
+                    resource_type="supplier",
+                    resource_id=str(supplier_id),
+                    resource_data=supplier_data,
+                    description=f"Admin {current_user.get('email', 'unknown')} deleted supplier",
+                    endpoint=f"/suppliers/{supplier_id}",
+                    method="DELETE"
+                )
+                sync_db.commit()
+            finally:
+                sync_db.close()
+        except Exception as audit_error:
+            logger.warning("Failed to log audit event", error=str(audit_error))
+
+        logger.info("Deleted supplier",
+                   supplier_id=str(supplier_id),
+                   tenant_id=tenant_id,
+                   user_id=current_user["user_id"])
+
        return {"message": "Supplier deleted successfully"}
    except HTTPException:
        raise