From 997c1f622bcbb547d4e6647074d416bb4e92203f Mon Sep 17 00:00:00 2001
From: Vadym Samoilenko <vadymsamoilenko@oliver.agency>
Date: Fri, 1 May 2026 14:29:15 +0100
Subject: [PATCH] fix(rbac): allow reviewer role to assign linguists and
 reviewers

assign, assign-reviewer, reassign-reviewer, and bulk-assign endpoints
were gated to project_manager/production/admin only, but the Reviewer
QC Detail page exposes Assign buttons to reviewer users.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 backend/app/api/v1/routes_language_qc.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/backend/app/api/v1/routes_language_qc.py b/backend/app/api/v1/routes_language_qc.py
index 8e94b30..537e0e0 100644
--- a/backend/app/api/v1/routes_language_qc.py
+++ b/backend/app/api/v1/routes_language_qc.py
@@ -123,7 +123,7 @@ async def assign_language(
     request: AssignRequest,
     http_request: Request,
     current_user: User = Depends(require_roles(
-        UserRole.PROJECT_MANAGER, UserRole.PRODUCTION, UserRole.ADMIN,
+        UserRole.REVIEWER, UserRole.PROJECT_MANAGER, UserRole.PRODUCTION, UserRole.ADMIN,
     )),
     db: AsyncIOMotorDatabase = Depends(get_database),
 ):
@@ -161,7 +161,7 @@ async def assign_reviewer(
     request: AssignReviewerRequest,
     http_request: Request,
     current_user: User = Depends(require_roles(
-        UserRole.PROJECT_MANAGER, UserRole.PRODUCTION, UserRole.ADMIN,
+        UserRole.REVIEWER, UserRole.PROJECT_MANAGER, UserRole.PRODUCTION, UserRole.ADMIN,
     )),
     db: AsyncIOMotorDatabase = Depends(get_database),
 ):
@@ -179,7 +179,7 @@ async def reassign_reviewer(
     request: ReassignReviewerRequest,
     http_request: Request,
     current_user: User = Depends(require_roles(
-        UserRole.PROJECT_MANAGER, UserRole.PRODUCTION, UserRole.ADMIN,
+        UserRole.REVIEWER, UserRole.PROJECT_MANAGER, UserRole.PRODUCTION, UserRole.ADMIN,
     )),
     db: AsyncIOMotorDatabase = Depends(get_database),
 ):
@@ -198,7 +198,7 @@ async def bulk_assign_languages(
     request: BulkAssignRequest,
     http_request: Request,
     current_user: User = Depends(require_roles(
-        UserRole.PROJECT_MANAGER, UserRole.PRODUCTION, UserRole.ADMIN,
+        UserRole.REVIEWER, UserRole.PROJECT_MANAGER, UserRole.PRODUCTION, UserRole.ADMIN,
     )),
     db: AsyncIOMotorDatabase = Depends(get_database),
 ):