feat: remove poorly implemented permissions layer

Author: danh91

community

@@ -4,11 +4,8 @@
 from karrio.server.core.logging import logger
 
 from karrio.server.user.models import Token
-import karrio.server.iam.permissions as iam
 import karrio.server.providers.models as providers
 
-iam.setup_groups()
-
 
 class APITestCase(BaseAPITestCase):
     def setUp(self) -> None:

ee/insiders

@@ -9,13 +9,10 @@ class IamConfig(AppConfig):
 
     def ready(self):
         from karrio.server.core import utils
-        from karrio.server.iam import signals, permissions
+        from karrio.server.iam import signals
 
         @utils.skip_on_commands()
         def _init():
             signals.register_all()
 
-            # Setup default permission groups and apply to existing orgs on start up
-            utils.run_on_all_tenants(permissions.setup_groups)()
-
         _init()

modules/core/karrio/server/core/tests/base.py

@@ -0,0 +1,91 @@
+# Generated migration to remove permission groups
+
+from django.db import migrations
+
+
+def remove_permission_groups(apps, schema_editor):
+    """
+    Remove all permission groups that were created by setup_groups().
+
+    This migration removes the following groups:
+    - manage_apps
+    - manage_carriers (deprecated)
+    - read_carriers
+    - write_carriers
+    - manage_orders
+    - manage_team
+    - manage_org_owner
+    - manage_webhooks
+    - manage_data
+    - manage_shipments
+    - manage_system
+    """
+    Group = apps.get_model("user", "Group")
+    ContextPermission = apps.get_model("iam", "ContextPermission")
+
+    # List of groups to remove
+    groups_to_remove = [
+        "manage_apps",
+        "manage_carriers",
+        "read_carriers",
+        "write_carriers",
+        "manage_orders",
+        "manage_team",
+        "manage_org_owner",
+        "manage_webhooks",
+        "manage_data",
+        "manage_shipments",
+        "manage_system",
+        "manage_pickups",
+        "manage_trackers",
+    ]
+
+    # First, remove the groups from all ContextPermissions
+    for group_name in groups_to_remove:
+        group = Group.objects.filter(name=group_name).first()
+        if group:
+            # Remove this group from all context permissions
+            for ctx_perm in ContextPermission.objects.filter(groups=group):
+                ctx_perm.groups.remove(group)
+
+    # Then delete the groups themselves
+    Group.objects.filter(name__in=groups_to_remove).delete()
+
+
+def reverse_migration(apps, schema_editor):
+    """
+    Reverse migration - recreate groups (without permissions, which were set dynamically).
+    Note: This won't restore the full permission setup, only creates empty groups.
+    """
+    Group = apps.get_model("user", "Group")
+
+    groups_to_create = [
+        "manage_apps",
+        "manage_carriers",
+        "read_carriers",
+        "write_carriers",
+        "manage_orders",
+        "manage_team",
+        "manage_org_owner",
+        "manage_webhooks",
+        "manage_data",
+        "manage_shipments",
+        "manage_system",
+        "manage_pickups",
+        "manage_trackers",
+    ]
+
+    for group_name in groups_to_create:
+        Group.objects.get_or_create(name=group_name)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("iam", "0002_setup_carrier_permission_groups"),
+        ("user", "0004_group"),
+    ]
+
+    operations = [
+        migrations.RunPython(remove_permission_groups, reverse_migration),
+    ]

modules/core/karrio/server/iam/apps.py

@@ -1,155 +1,7 @@
-import typing
-from django.db import models
-from django.contrib.auth import get_user_model
-from django.contrib.auth.models import Permission
-from karrio.server.core.logging import logger
-
-import karrio.server.core.utils as utils
-import karrio.server.user.models as users
-import karrio.server.iam.serializers as serializers
-
-User = get_user_model()
-
-
-@utils.skip_on_loadata
-@utils.async_wrapper
-@utils.tenant_aware
-def setup_groups(**_):
-    """This function create all standard group permissions if they don't exsist."""
-    logger.info("Setting up permissions")
-
-    # manage_apps
-    setup_group(
-        serializers.PermissionGroup.manage_apps.name,
-        permissions=Permission.objects.filter(content_type__app_label="apps"),
-    )
-
-    # manage_carriers (deprecated - kept for backward compatibility)
-    setup_group(
-        serializers.PermissionGroup.manage_carriers.name,
-        permissions=[
-            *Permission.objects.filter(content_type__app_label="providers"),
-            *Permission.objects.filter(
-                models.Q(content_type__app_label="orgs")
-                & models.Q(name__icontains="carrier")
-            ),
-        ],
-        override=True,
-    )
-
-    # read_carriers (view permissions only)
-    setup_group(
-        serializers.PermissionGroup.read_carriers.name,
-        permissions=Permission.objects.filter(
-            content_type__app_label="providers", name__icontains="view"
-        ),
-        override=True,
-    )
-
-    # write_carriers (create, update, delete permissions)
-    setup_group(
-        serializers.PermissionGroup.write_carriers.name,
-        permissions=[
-            *Permission.objects.filter(content_type__app_label="providers"),
-            *Permission.objects.filter(
-                models.Q(content_type__app_label="orgs")
-                & models.Q(name__icontains="carrier")
-            ),
-        ],
-        override=True,
-    )
-
-    # manage_orders
-    setup_group(
-        serializers.PermissionGroup.manage_orders.name,
-        permissions=Permission.objects.filter(content_type__app_label="orders"),
-    )
-
-    # manage_team
-    setup_group(
-        serializers.PermissionGroup.manage_team.name,
-        permissions=(
-            Permission.objects.filter(
-                content_type__app_label="orgs", name__icontains="organization"
-            ).exclude(name__icontains="owner")
-        ),
-        override=True,
-    )
-
-    # manage_org_owner
-    setup_group(
-        serializers.PermissionGroup.manage_org_owner.name,
-        permissions=Permission.objects.filter(
-            content_type__model="OrganizationOwner".lower()
-        ),
-    )
-
-    # manage_webhooks
-    setup_group(
-        serializers.PermissionGroup.manage_webhooks.name,
-        permissions=Permission.objects.filter(content_type__model="Webhook".lower()),
-    )
-
-    # manage_data
-    setup_group(
-        serializers.PermissionGroup.manage_data.name,
-        permissions=[
-            *Permission.objects.filter(
-                content_type__app_label__in=["data", "graph", "documents"]
-            ),
-            *Permission.objects.filter(
-                content_type__app_label="audit", name__icontains="view"
-            ),
-            *Permission.objects.filter(
-                content_type__app_label="rest_framework_tracking",
-                name__icontains="view",
-            ),
-        ],
-        override=True,
-    )
-
-    # manage_shipments
-    setup_group(
-        serializers.PermissionGroup.manage_shipments.name,
-        permissions=[
-            *Permission.objects.filter(content_type__app_label="manager"),
-            *Permission.objects.filter(
-                models.Q(content_type__app_label="orgs")
-                & (
-                    models.Q(name__icontains="address")
-                    | models.Q(name__icontains="parcel")
-                    | models.Q(name__icontains="commodity")
-                    | models.Q(name__icontains="customs")
-                    | models.Q(name__icontains="pickup")
-                    | models.Q(name__icontains="tracker")
-                    | models.Q(name__icontains="shipment")
-                )
-            ),
-        ],
-    )
-
-    # manage_system
-    setup_group(
-        serializers.PermissionGroup.manage_system.name,
-        permissions=Permission.objects.filter(
-            content_type__app_label__in=[
-                "admin",
-                "user",
-                "pricing",
-                "providers",
-                "audit",
-                "database",
-                "rest_framework_tracking",
-            ]
-        ),
-    )
-
-
-def setup_group(
-    name: str, permissions: typing.List[Permission], override: bool = False
-):
-    group, created = users.Group.objects.get_or_create(name=name)
-
-    if created or override:
-        group.permissions.set(permissions)
-        group.save()
+# This module previously contained permission group setup logic.
+# The setup_groups() function has been removed to:
+# 1. Fix Django warning about database access during app initialization
+# 2. Prepare for a better RBAC implementation in the future
+#
+# The PermissionGroup enum and ROLES_GROUPS mapping are preserved in
+# karrio.server.iam.serializers for organization role management.

modules/core/karrio/server/iam/migrations/0003_remove_permission_groups.py

@@ -15,7 +15,6 @@ class CreateDataTemplateMutation(utils.BaseMutation):
 
     @staticmethod
     @utils.authentication_required
-    @utils.authorization_required(["DATA_IMPORT_EXPORT"])
     def mutate(
         info: Info, **input: inputs.CreateDataTemplateMutationInput
     ) -> "CreateDataTemplateMutation":
@@ -34,7 +33,6 @@ class UpdateDataTemplateMutation(utils.BaseMutation):
 
     @staticmethod
     @utils.authentication_required
-    @utils.authorization_required(["DATA_IMPORT_EXPORT"])
     def mutate(
         info: Info, **input: inputs.UpdateDataTemplateMutationInput
     ) -> "UpdateDataTemplateMutation":

modules/core/karrio/server/iam/permissions.py

@@ -60,13 +60,11 @@ class BatchOperationType:
 
     @staticmethod
     @utils.authentication_required
-    @utils.authorization_required(["DATA_IMPORT_EXPORT"])
     def resolve(info, id: str) -> typing.Optional["BatchOperationType"]:
         return models.BatchOperation.access_by(info.context.request).filter(id=id).first()
 
     @staticmethod
     @utils.authentication_required
-    @utils.authorization_required(["DATA_IMPORT_EXPORT"])
     def resolve_list(
         info,
         filter: typing.Optional[inputs.BatchOperationFilter] = strawberry.UNSET,