a168af1aa7
- Two-stage QC workflow: linguist edits + submits → reviewer approves/rejects per language. New statuses: in_progress, pending_review, in_review. New service functions: submit_for_review, open_review, assign_reviewer, reassign_reviewer, add_comment. Linguist and reviewer deadlines. - Reject now resets language to in_progress so linguist can iterate without full re-assignment. - QC comment threads per language (append-only), visible to all assignees. - Email notifications via Mailgun on: assignment, submit-for-review, comment, approve, reject. Best-effort (failures do not roll back QC actions). asyncio.gather for parallel fan-out. - New audit actions: LANGUAGE_QC_REVIEWER_ASSIGN/REASSIGN, LANGUAGE_QC_SUBMIT, LANGUAGE_QC_OPEN_REVIEW, LANGUAGE_QC_COMMENT. - Inline project picker in NewJob: "+ Create new project…" option with name, default languages, default linguist, default reviewer. Pre-fills languages on the new job. - Project model extended with default_languages, default_linguist_id, default_reviewer_id. - RBAC: CLIENT org-members can now create projects (backend guard relaxed). - LinguistQueue: role toggle "As linguist / As reviewer" + new status tabs. - QCDetail: two-slot assignment cards (linguist + reviewer), deadline display, role-aware action buttons, comments panel with optimistic insert and 15s refetch. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
182 lines
5.9 KiB
Python
182 lines
5.9 KiB
Python
from typing import Optional
|
|
|
|
from fastapi import Depends, HTTPException, Request, status
|
|
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
|
|
from motor.motor_asyncio import AsyncIOMotorDatabase
|
|
|
|
from ..models.user import User, UserRole
|
|
from .config import settings
|
|
from .database import get_database
|
|
from .security import decode_token
|
|
|
|
security = HTTPBearer()
|
|
|
|
# Only admins bypass tenant isolation; other staff are scoped by team membership
|
|
STAFF_ROLES = {UserRole.ADMIN}
|
|
|
|
|
|
async def get_current_user(
|
|
credentials: HTTPAuthorizationCredentials = Depends(security),
|
|
db: AsyncIOMotorDatabase = Depends(get_database),
|
|
) -> User:
|
|
token = credentials.credentials
|
|
payload = decode_token(token)
|
|
|
|
if payload.get("type") == "refresh":
|
|
raise HTTPException(
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
detail="Could not validate credentials",
|
|
)
|
|
|
|
user_id: str = payload.get("sub")
|
|
|
|
if user_id is None:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
detail="Could not validate credentials",
|
|
)
|
|
|
|
user_doc = await db.users.find_one({"_id": user_id})
|
|
if user_doc is None:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
detail="User not found",
|
|
)
|
|
|
|
return User(**user_doc)
|
|
|
|
|
|
def require_role(required_role: UserRole):
|
|
async def role_checker(current_user: User = Depends(get_current_user)) -> User:
|
|
if current_user.role != required_role and current_user.role != UserRole.ADMIN:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="Insufficient permissions",
|
|
)
|
|
return current_user
|
|
|
|
return role_checker
|
|
|
|
|
|
def require_roles(*required_roles: UserRole):
|
|
async def roles_checker(current_user: User = Depends(get_current_user)) -> User:
|
|
if current_user.role not in required_roles and current_user.role != UserRole.ADMIN:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="Insufficient permissions",
|
|
)
|
|
return current_user
|
|
|
|
return roles_checker
|
|
|
|
|
|
async def get_current_user_optional(
|
|
request: Request,
|
|
db: AsyncIOMotorDatabase = Depends(get_database),
|
|
) -> Optional[User]:
|
|
authorization: str = request.headers.get("Authorization")
|
|
if not authorization:
|
|
return None
|
|
|
|
try:
|
|
scheme, token = authorization.split()
|
|
if scheme.lower() != "bearer":
|
|
return None
|
|
|
|
payload = decode_token(token)
|
|
if payload.get("type") == "refresh":
|
|
return None
|
|
|
|
user_id: str = payload.get("sub")
|
|
|
|
if user_id is None:
|
|
return None
|
|
|
|
user_doc = await db.users.find_one({"_id": user_id})
|
|
if user_doc is None:
|
|
return None
|
|
|
|
return User(**user_doc)
|
|
except Exception:
|
|
return None
|
|
|
|
|
|
async def get_accessible_project_ids(
|
|
user: User,
|
|
db: AsyncIOMotorDatabase,
|
|
) -> Optional[list[str]]:
|
|
"""
|
|
Returns project IDs the user may access, or None meaning "see everything".
|
|
|
|
- Admin → None (unrestricted)
|
|
- Staff (REVIEWER/LINGUIST/PRODUCTION) → scoped by team membership;
|
|
if not yet assigned to any team, falls back to None (see all)
|
|
so existing staff aren't locked out before teams are configured
|
|
- PM → projects in accessible orgs/clients (pm_client_ids legacy)
|
|
- CLIENT → projects in orgs where the user holds any membership
|
|
"""
|
|
if user.role in STAFF_ROLES:
|
|
return None
|
|
|
|
user_id = str(user.id)
|
|
|
|
# Primary path: use memberships collection (Phase 3 SaaS)
|
|
membership_cursor = db.memberships.find({"user_id": user_id}, {"organization_id": 1})
|
|
org_ids = [doc["organization_id"] async for doc in membership_cursor]
|
|
|
|
if org_ids:
|
|
projects = await db.projects.find(
|
|
{"client_id": {"$in": org_ids}, "is_active": True},
|
|
{"_id": 1},
|
|
).to_list(None)
|
|
return [str(p["_id"]) for p in projects]
|
|
|
|
# Legacy fallback: team membership (used by REVIEWER/LINGUIST/PRODUCTION and legacy CLIENT)
|
|
teams = await db.teams.find(
|
|
{"member_user_ids": user_id},
|
|
{"client_id": 1},
|
|
).to_list(None)
|
|
client_ids = list({t["client_id"] for t in teams})
|
|
|
|
if client_ids:
|
|
projects = await db.projects.find(
|
|
{"client_id": {"$in": client_ids}, "is_active": True},
|
|
{"_id": 1},
|
|
).to_list(None)
|
|
return [str(p["_id"]) for p in projects]
|
|
|
|
# PM legacy: scoped via pm_client_ids
|
|
if user.role == UserRole.PROJECT_MANAGER:
|
|
pm_client_ids = user.pm_client_ids or []
|
|
if not pm_client_ids:
|
|
return []
|
|
projects = await db.projects.find(
|
|
{"client_id": {"$in": pm_client_ids}, "is_active": True},
|
|
{"_id": 1},
|
|
).to_list(None)
|
|
return [str(p["_id"]) for p in projects]
|
|
|
|
# Staff with no team assignments → unrestricted until teams are configured
|
|
if user.role in {UserRole.REVIEWER, UserRole.LINGUIST, UserRole.PRODUCTION}:
|
|
return None
|
|
|
|
# CLIENT with no memberships and no teams → show nothing
|
|
return []
|
|
|
|
|
|
def require_pm_for_client(client_id_param: str = "client_id"):
|
|
"""Dependency: ensures the current user is an Admin or PM for the given client."""
|
|
async def checker(
|
|
request: Request,
|
|
current_user: User = Depends(get_current_user),
|
|
) -> User:
|
|
if current_user.role == UserRole.ADMIN:
|
|
return current_user
|
|
if current_user.role != UserRole.PROJECT_MANAGER:
|
|
raise HTTPException(status_code=403, detail="Insufficient permissions")
|
|
client_id = request.path_params.get(client_id_param)
|
|
if client_id not in (current_user.pm_client_ids or []):
|
|
raise HTTPException(status_code=403, detail="Not a manager for this client")
|
|
return current_user
|
|
|
|
return checker
|