"""Permission management router."""

from fastapi import APIRouter, Depends, HTTPException, status
from sqlalchemy.orm import Session

from app.database import get_db
from app.models.permission import Permission, Role
from app.models.user import User
from app.models.user_house_role import UserHouseRole
from app.schemas.permission import (
    PermissionRead,
    RoleRead,
    UserHouseRoleAssign,
    UserHouseRoleRead,
)
from app.services.auth_service import get_current_user
from app.services.permission_service import get_user_permissions
from app.utils.helpers import generate_uuid

# Router for the permission and role endpoints defined in this module.
# It is created without router-level dependencies, so each route below
# declares its own get_current_user dependency.
# NOTE(review): none of the routes in this module checks what the caller is
# allowed to do in the target house; confirm whether that is enforced where
# this router is mounted.
router = APIRouter()


@router.get(
    "/api/permissions",
    response_model=list[PermissionRead],
    summary="获取所有权限列表",
)
def list_permissions(
    db: Session = Depends(get_db),
    _: User = Depends(get_current_user),
):
    """Return every permission, sorted by resource and then by action.

    The ``get_current_user`` dependency is declared so the route only runs
    when that dependency resolves; the resolved user is not otherwise used.
    """
    ordered_query = db.query(Permission).order_by(
        Permission.resource,
        Permission.action,
    )
    serialized = []
    for row in ordered_query.all():
        serialized.append(PermissionRead.model_validate(row))
    return serialized


@router.get(
    "/api/roles",
    response_model=list[RoleRead],
    summary="获取所有角色列表",
)
def list_roles(
    db: Session = Depends(get_db),
    _: User = Depends(get_current_user),
):
    """Return every role, sorted by name.

    The ``get_current_user`` dependency is declared so the route only runs
    when that dependency resolves; the resolved user is not otherwise used.
    """
    role_rows = db.query(Role).order_by(Role.name).all()
    return list(map(RoleRead.model_validate, role_rows))


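@router.get(
    "/api/houses/{hid}/users/{uid}/permissions",
    response_model=dict,
    summary="获取用户在房屋中的权限",
)
def get_user_house_permissions(
    hid: str,
    uid: str,
    db: Session = Depends(get_db),
    _: User = Depends(get_current_user),
):
    """Return the permission codes and roles user ``uid`` holds in house ``hid``.

    The response carries ``user_id``, ``house_id``, ``permissions`` (the value
    returned by ``get_user_permissions``) and ``roles`` (one dumped
    ``RoleRead`` per assignment whose role row still exists).

    NOTE(review): the resolved caller is discarded, so this handler never
    compares the caller with ``uid`` or checks the caller's standing in house
    ``hid``. Unless that is enforced elsewhere, any caller accepted by
    ``get_current_user`` can read the permissions of any user in any house.
    Confirm the intended policy (for example self-access, or a check built on
    the caller's own ``get_user_permissions`` result) and enforce it here.
    """
    permission_codes = get_user_permissions(uid, hid, db)

    assignments = (
        db.query(UserHouseRole)
        .filter(
            UserHouseRole.user_id == uid,
            UserHouseRole.house_id == hid,
        )
        .all()
    )

    # Load every referenced role with a single query instead of issuing one
    # query per assignment; skip the query when there is nothing to look up.
    wanted_role_ids = {a.role_id for a in assignments if a.role_id is not None}
    roles_by_id = {}
    if wanted_role_ids:
        roles_by_id = {
            role.id: role
            for role in db.query(Role).filter(Role.id.in_(list(wanted_role_ids))).all()
        }

    # Walk the assignments (not the lookup table) so the output keeps one
    # entry per assignment, in assignment order; dangling role ids are skipped.
    dumped_roles = []
    for assignment in assignments:
        role = roles_by_id.get(assignment.role_id)
        if role:
            dumped_roles.append(RoleRead.model_validate(role).model_dump())

    return {
        "user_id": uid,
        "house_id": hid,
        "permissions": permission_codes,
        "roles": dumped_roles,
    }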


@router.post(
    "/api/houses/{hid}/users/{uid}/roles",
    response_model=dict,
    status_code=status.HTTP_201_CREATED,
    summary="为用户分配角色",
)
def assign_role(
    hid: str,
    uid: str,
    body: UserHouseRoleAssign,
    db: Session = Depends(get_db),
    current_user: User = Depends(get_current_user),
):
    """Grant ``body.role_id`` to user ``uid`` within house ``hid``.

    Responds 404 when the user or the role does not exist and 409 when the
    same (user, house, role) assignment is already stored. On success the new
    assignment records the caller's id as ``granted_by``.

    NOTE(review): ``current_user`` is used only to fill ``granted_by``.
    Nothing in this handler checks that the caller may manage roles in house
    ``hid``, and ``hid`` is not checked against a house record. Unless that is
    enforced elsewhere, any caller accepted by ``get_current_user`` can grant
    any role to any user, themselves included. Confirm, and gate the insert on
    the caller's own permissions in ``hid`` (``get_user_permissions`` is the
    helper this module already imports).
    NOTE(review): the duplicate check and the insert are separate statements,
    so two concurrent requests can both pass the check; whether the table has
    a uniqueness constraint to catch that is not visible here.
    """
    # The target user must exist.
    target_user = db.query(User).filter(User.id == uid).first()
    if not target_user:
        raise HTTPException(
            status_code=status.HTTP_404_NOT_FOUND,
            detail="用户不存在",
        )

    # The requested role must exist.
    requested_role = db.query(Role).filter(Role.id == body.role_id).first()
    if not requested_role:
        raise HTTPException(
            status_code=status.HTTP_404_NOT_FOUND,
            detail="角色不存在",
        )

    # Refuse to store the same (user, house, role) triple twice.
    same_assignment = (
        UserHouseRole.user_id == uid,
        UserHouseRole.house_id == hid,
        UserHouseRole.role_id == body.role_id,
    )
    already_granted = db.query(UserHouseRole).filter(*same_assignment).first()
    if already_granted:
        raise HTTPException(
            status_code=status.HTTP_409_CONFLICT,
            detail="该用户已拥有此角色",
        )

    new_assignment = UserHouseRole(
        id=generate_uuid(),
        user_id=uid,
        house_id=hid,
        role_id=body.role_id,
        granted_by=current_user.id,
    )
    db.add(new_assignment)
    db.commit()

    response_payload = {
        "message": "角色已分配",
        "user_id": uid,
        "house_id": hid,
        "role_id": body.role_id,
    }
    return response_payload


@router.delete(
    "/api/houses/{hid}/users/{uid}/roles/{rid}",
    status_code=status.HTTP_200_OK,
    summary="移除用户角色",
)
def remove_role(
    hid: str,
    uid: str,
    rid: str,
    db: Session = Depends(get_db),
    _: User = Depends(get_current_user),
):
    """Delete the assignment of role ``rid`` to user ``uid`` in house ``hid``.

    Responds 404 when no such assignment is stored; otherwise deletes the
    first matching row, commits, and echoes the identifiers back.

    NOTE(review): the resolved caller is discarded, so nothing in this handler
    checks that the caller may manage roles in house ``hid``. Unless that is
    enforced elsewhere, any caller accepted by ``get_current_user`` can strip
    any role from any user in any house, and the removal is not attributed to
    anyone. Confirm, and gate the delete on the caller's own permissions in
    ``hid``.
    """
    match_criteria = (
        UserHouseRole.user_id == uid,
        UserHouseRole.house_id == hid,
        UserHouseRole.role_id == rid,
    )
    assignment = db.query(UserHouseRole).filter(*match_criteria).first()
    if not assignment:
        raise HTTPException(
            status_code=status.HTTP_404_NOT_FOUND,
            detail="该用户在此房屋中没有此角色",
        )

    db.delete(assignment)
    db.commit()

    response_payload = {
        "message": "角色已移除",
        "user_id": uid,
        "house_id": hid,
        "role_id": rid,
    }
    return response_payload
