implement RBAC

Author: makara4code

backend/app/alembic/versions/ffdac40437ff_add_rbac_tables.py

@@ -0,0 +1,155 @@
+"""add_rbac_tables
+
+Revision ID: ffdac40437ff
+Revises: 832f5763b245
+Create Date: 2025-12-14 14:52:10.919953
+
+"""
+import uuid
+from datetime import datetime, timezone
+
+from alembic import op
+import sqlalchemy as sa
+import sqlmodel.sql.sqltypes
+
+
+# revision identifiers, used by Alembic.
+revision = 'ffdac40437ff'
+down_revision = '832f5763b245'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table('permission',
+    sa.Column('name', sqlmodel.sql.sqltypes.AutoString(length=100), nullable=False),
+    sa.Column('description', sqlmodel.sql.sqltypes.AutoString(length=255), nullable=True),
+    sa.Column('resource', sqlmodel.sql.sqltypes.AutoString(length=50), nullable=False),
+    sa.Column('action', sqlmodel.sql.sqltypes.AutoString(length=50), nullable=False),
+    sa.Column('id', sa.Uuid(), nullable=False),
+    sa.Column('created_at', sa.DateTime(), nullable=False),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_permission_name'), 'permission', ['name'], unique=True)
+    op.create_table('role',
+    sa.Column('name', sqlmodel.sql.sqltypes.AutoString(length=100), nullable=False),
+    sa.Column('description', sqlmodel.sql.sqltypes.AutoString(length=255), nullable=True),
+    sa.Column('is_system', sa.Boolean(), nullable=False),
+    sa.Column('id', sa.Uuid(), nullable=False),
+    sa.Column('created_at', sa.DateTime(), nullable=False),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_role_name'), 'role', ['name'], unique=True)
+    op.create_table('role_permission',
+    sa.Column('role_id', sa.Uuid(), nullable=False),
+    sa.Column('permission_id', sa.Uuid(), nullable=False),
+    sa.ForeignKeyConstraint(['permission_id'], ['permission.id'], ),
+    sa.ForeignKeyConstraint(['role_id'], ['role.id'], ),
+    sa.PrimaryKeyConstraint('role_id', 'permission_id')
+    )
+    op.create_table('user_role',
+    sa.Column('user_id', sa.Uuid(), nullable=False),
+    sa.Column('role_id', sa.Uuid(), nullable=False),
+    sa.ForeignKeyConstraint(['role_id'], ['role.id'], ),
+    sa.ForeignKeyConstraint(['user_id'], ['user.id'], ),
+    sa.PrimaryKeyConstraint('user_id', 'role_id')
+    )
+    # ### end Alembic commands ###
+
+    # Seed default permissions
+    permission_table = sa.table(
+        'permission',
+        sa.column('id', sa.Uuid()),
+        sa.column('name', sa.String()),
+        sa.column('description', sa.String()),
+        sa.column('resource', sa.String()),
+        sa.column('action', sa.String()),
+        sa.column('created_at', sa.DateTime()),
+    )
+
+    now = datetime.now(timezone.utc)
+
+    # Define all permissions
+    permissions = [
+        # Users permissions
+        {'id': uuid.uuid4(), 'name': 'users:read', 'description': 'View users', 'resource': 'users', 'action': 'read', 'created_at': now},
+        {'id': uuid.uuid4(), 'name': 'users:create', 'description': 'Create users', 'resource': 'users', 'action': 'create', 'created_at': now},
+        {'id': uuid.uuid4(), 'name': 'users:update', 'description': 'Update users', 'resource': 'users', 'action': 'update', 'created_at': now},
+        {'id': uuid.uuid4(), 'name': 'users:delete', 'description': 'Delete users', 'resource': 'users', 'action': 'delete', 'created_at': now},
+        # Items permissions
+        {'id': uuid.uuid4(), 'name': 'items:read', 'description': 'View items', 'resource': 'items', 'action': 'read', 'created_at': now},
+        {'id': uuid.uuid4(), 'name': 'items:create', 'description': 'Create items', 'resource': 'items', 'action': 'create', 'created_at': now},
+        {'id': uuid.uuid4(), 'name': 'items:update', 'description': 'Update items', 'resource': 'items', 'action': 'update', 'created_at': now},
+        {'id': uuid.uuid4(), 'name': 'items:delete', 'description': 'Delete items', 'resource': 'items', 'action': 'delete', 'created_at': now},
+        # Roles permissions
+        {'id': uuid.uuid4(), 'name': 'roles:read', 'description': 'View roles', 'resource': 'roles', 'action': 'read', 'created_at': now},
+        {'id': uuid.uuid4(), 'name': 'roles:create', 'description': 'Create roles', 'resource': 'roles', 'action': 'create', 'created_at': now},
+        {'id': uuid.uuid4(), 'name': 'roles:update', 'description': 'Update roles', 'resource': 'roles', 'action': 'update', 'created_at': now},
+        {'id': uuid.uuid4(), 'name': 'roles:delete', 'description': 'Delete roles', 'resource': 'roles', 'action': 'delete', 'created_at': now},
+        # Permissions (read-only)
+        {'id': uuid.uuid4(), 'name': 'permissions:read', 'description': 'View permissions', 'resource': 'permissions', 'action': 'read', 'created_at': now},
+    ]
+
+    op.bulk_insert(permission_table, permissions)
+
+    # Seed default roles
+    role_table = sa.table(
+        'role',
+        sa.column('id', sa.Uuid()),
+        sa.column('name', sa.String()),
+        sa.column('description', sa.String()),
+        sa.column('is_system', sa.Boolean()),
+        sa.column('created_at', sa.DateTime()),
+    )
+
+    admin_role_id = uuid.uuid4()
+    editor_role_id = uuid.uuid4()
+    viewer_role_id = uuid.uuid4()
+
+    roles = [
+        {'id': admin_role_id, 'name': 'Admin', 'description': 'Full system access', 'is_system': True, 'created_at': now},
+        {'id': editor_role_id, 'name': 'Editor', 'description': 'Can read and modify content', 'is_system': True, 'created_at': now},
+        {'id': viewer_role_id, 'name': 'Viewer', 'description': 'Read-only access', 'is_system': True, 'created_at': now},
+    ]
+
+    op.bulk_insert(role_table, roles)
+
+    # Seed role-permission associations
+    role_permission_table = sa.table(
+        'role_permission',
+        sa.column('role_id', sa.Uuid()),
+        sa.column('permission_id', sa.Uuid()),
+    )
+
+    # Get permission IDs by name for role assignments
+    perm_ids = {p['name']: p['id'] for p in permissions}
+
+    role_permissions = []
+
+    # Admin gets all permissions
+    for perm in permissions:
+        role_permissions.append({'role_id': admin_role_id, 'permission_id': perm['id']})
+
+    # Editor gets read/create/update on users and items
+    editor_perms = ['users:read', 'users:create', 'users:update', 'items:read', 'items:create', 'items:update', 'roles:read', 'permissions:read']
+    for perm_name in editor_perms:
+        role_permissions.append({'role_id': editor_role_id, 'permission_id': perm_ids[perm_name]})
+
+    # Viewer gets read-only
+    viewer_perms = ['users:read', 'items:read', 'roles:read', 'permissions:read']
+    for perm_name in viewer_perms:
+        role_permissions.append({'role_id': viewer_role_id, 'permission_id': perm_ids[perm_name]})
+
+    op.bulk_insert(role_permission_table, role_permissions)
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_table('user_role')
+    op.drop_table('role_permission')
+    op.drop_index(op.f('ix_role_name'), table_name='role')
+    op.drop_table('role')
+    op.drop_index(op.f('ix_permission_name'), table_name='permission')
+    op.drop_table('permission')
+    # ### end Alembic commands ###

backend/app/api/router.py

@@ -5,6 +5,7 @@
 from app.modules.items.routes import router as items_router
 from app.modules.owasp_demo.routes import router as owasp_demo_router
 from app.modules.private.routes import router as private_router
+from app.modules.rbac.routes import router as rbac_router
 from app.modules.shortener.routes import router as shortener_router
 from app.modules.users.routes import router as users_router
 from app.modules.utils.routes import router as utils_router
@@ -17,6 +18,7 @@
 api_router.include_router(utils_router)
 api_router.include_router(items_router)
 api_router.include_router(shortener_router)
+api_router.include_router(rbac_router, prefix="/rbac", tags=["rbac"])
 
 # Include private routes only in local environment
 if settings.ENVIRONMENT == "local":

backend/app/modules/rbac/__init__.py

@@ -0,0 +1,21 @@
+"""RBAC module exports."""
+
+from app.modules.rbac.models import (
+    Permission,
+    PermissionBase,
+    Role,
+    RoleBase,
+    RolePermissionLink,
+    UserRoleLink,
+)
+from app.modules.rbac.routes import router
+
+__all__ = [
+    "Permission",
+    "PermissionBase",
+    "Role",
+    "RoleBase",
+    "RolePermissionLink",
+    "UserRoleLink",
+    "router",
+]

backend/app/modules/rbac/models.py

@@ -0,0 +1,72 @@
+"""RBAC models for Role-Based Access Control."""
+
+import uuid
+from datetime import datetime, timezone
+from typing import TYPE_CHECKING
+
+from sqlmodel import Field, Relationship, SQLModel
+
+if TYPE_CHECKING:
+    from app.modules.users.models import User
+
+
+class RolePermissionLink(SQLModel, table=True):
+    """Junction table for Role-Permission many-to-many relationship."""
+
+    __tablename__ = "role_permission"
+
+    role_id: uuid.UUID = Field(foreign_key="role.id", primary_key=True)
+    permission_id: uuid.UUID = Field(foreign_key="permission.id", primary_key=True)
+
+
+class UserRoleLink(SQLModel, table=True):
+    """Junction table for User-Role many-to-many relationship."""
+
+    __tablename__ = "user_role"
+
+    user_id: uuid.UUID = Field(foreign_key="user.id", primary_key=True)
+    role_id: uuid.UUID = Field(foreign_key="role.id", primary_key=True)
+
+
+class PermissionBase(SQLModel):
+    """Base permission properties."""
+
+    name: str = Field(unique=True, index=True, max_length=100)
+    description: str | None = Field(default=None, max_length=255)
+    resource: str = Field(max_length=50)  # e.g., "users", "items", "roles"
+    action: str = Field(max_length=50)  # e.g., "read", "create", "update", "delete"
+
+
+class Permission(PermissionBase, table=True):
+    """Permission database model."""
+
+    id: uuid.UUID = Field(default_factory=uuid.uuid4, primary_key=True)
+    created_at: datetime = Field(default_factory=lambda: datetime.now(timezone.utc))
+
+    # Relationships
+    roles: list["Role"] = Relationship(
+        back_populates="permissions", link_model=RolePermissionLink
+    )
+
+
+class RoleBase(SQLModel):
+    """Base role properties."""
+
+    name: str = Field(unique=True, index=True, max_length=100)
+    description: str | None = Field(default=None, max_length=255)
+    is_system: bool = Field(default=False)  # Protects default roles from deletion
+
+
+class Role(RoleBase, table=True):
+    """Role database model."""
+
+    id: uuid.UUID = Field(default_factory=uuid.uuid4, primary_key=True)
+    created_at: datetime = Field(default_factory=lambda: datetime.now(timezone.utc))
+
+    # Relationships
+    permissions: list[Permission] = Relationship(
+        back_populates="roles", link_model=RolePermissionLink
+    )
+    users: list["User"] = Relationship(
+        back_populates="roles", link_model=UserRoleLink
+    )