feat: permission permissions

Orgs can only grant permissions to groups that they themselves have been granted access to. Super admin bypasses not added, flagged as todos.
2026-06-16 13:51:31 +01:00 · 2026-06-16 13:51:31 +01:00 · 662b9c8e26
commit 662b9c8e26
parent 0a867c9c90
6 changed files with 71 additions and 4 deletions
--- a/src/iam/models.py
+++ b/src/iam/models.py
@ -52,6 +52,10 @@ class Permission(Base):
 		"Group", secondary="group_permissions", back_populates="permission_rel"
 	)

+	org_rel = relationship(
+		"Organisation", secondary="org_permissions", back_populates="permission_rel"
+	)
+

 class Group(Base):
 	__tablename__ = "group"
@ -95,3 +99,13 @@ class UserGroups(Base):
 	group_id = Column(
 		Integer, ForeignKey("group.id", ondelete="CASCADE"), primary_key=True
 	)
+
+
+class OrgPermissions(Base):
+	__tablename__ = "org_permissions"
+	org_id = Column(
+		Integer, ForeignKey("organisation.id", ondelete="CASCADE"), primary_key=True
+	)
+	permission_id = Column(
+		Integer, ForeignKey("permission.id", ondelete="CASCADE"), primary_key=True
+	)
--- a/src/iam/router.py
+++ b/src/iam/router.py
@ -325,6 +325,9 @@ async def add_group_permission(
 	if perm_model in group_model.permission_rel:
 		raise ConflictException("Group already has this permission")

+	if perm_model not in org_model.permission_rel:  # TODO: and not su
+		raise ForbiddenException("You cannot grant this permission")
+
 	group_model.permission_rel.append(perm_model)

 	db.flush()
@ -471,8 +474,10 @@ async def get_permissions(
 	"""
 	Returns a full list of permissions.
 	"""
-	permission_models = db.query(Perm).all()
-
+	# TODO: if su:
+	# permission_models = db.query(Perm).all()
+	# else
+	permission_models = db.query(Perm).filter(Perm.org_rel.any(id=org_model.id)).all()
 	return {"permissions": permission_models}


@ -566,6 +571,9 @@ async def post_permissions(
 	if not (request_model.action is None or request_model.action == ""):
 		permission_query = permission_query.filter(Perm.action == request_model.action)

+	# TODO: if not su:
+	permission_query = permission_query.filter(Perm.org_rel.any(id=org_model.id))
+
 	permission_models = permission_query.all()

 	return {"permissions": permission_models}
--- a/src/organisation/models.py
+++ b/src/organisation/models.py
@ -55,6 +55,10 @@ class Organisation(Base):
 		"Contact", foreign_keys="Organisation.owner_contact_id"
 	)

+	permission_rel = relationship(
+		"Permission", secondary="org_permissions", back_populates="org_rel"
+	)
+

 class OrgUsers(Base):
 	__tablename__ = "orgusers"