Added more permsison

Author: MySecondLanguage

nxtbn/core/admin_permissions.py

@@ -1,3 +1,30 @@
+"""
+Dashboard User Permission Hierarchy:
+
+- `is_superuser`:  
+    Grants unrestricted access to all dashboard functionalities without any limitations.  
+    Inherits all permissions of `is_store_admin` by default.  
+
+- `is_staff`:  
+    Required for all users to access the dashboard.  
+
+- `is_store_admin`:  
+    Has extensive permissions and authority within the dashboard.  
+    Can perform almost all operations except a few critical ones restricted to the superuser.  
+    Inherits all permissions assigned to other users by default.  
+
+- `is_store_staff`:  
+    Has limited access to the dashboard.  
+    Their permissions can be extended granularly by assigning specific permissions, which are managed by the store admin.  
+
+**Additional Notes:**  
+- All users have read permissions by default, except for certain critical data that require explicit authorization.  
+- The superuser automatically inherits all permissions of a store admin.  
+- A store admin inherits all permissions granted to other users by default.  
+"""
+
+
+
 from rest_framework.permissions import BasePermission
 from rest_framework.permissions import SAFE_METHODS
 
@@ -7,22 +34,41 @@
 import functools
 from graphql import GraphQLError
 
-class IsStaffUser(BasePermission):
+
+class IsStoreAdmin(BasePermission):
+    def has_permission(self, request, view):
+        if not request.user.is_staff:
+            return False
+        return request.user.is_store_admin
+    
+class IsStoreStaff(BasePermission):
     def has_permission(self, request, view):
-        return request.user.is_staff
+        if not request.user.is_staff:
+            return False
+        
+        if request.user.is_superuser:
+            return True
+        
+        if request.user.is_store_admin:
+            return True
+
+        return request.user.is_store_staff
 
 class GranularPermission(BasePermission):
     def get_permission_name(self, model_name, action):
 
         return f"{model_name}.{action}"
 
     def has_permission(self, request, view):
-        if not request.user.is_authenticated:
+        if not request.user.is_staff:
             return False
 
         if request.user.is_superuser:
             return True
 
+        if request.user.is_store_admin:
+            return True
+        
         if request.method in SAFE_METHODS and request.user.is_staff: # Every staff can view
             return True
 
@@ -47,12 +93,15 @@ def has_permission(self, request, view):
 class CommonPermissions(BasePermission):
 
     def has_permission(self, request, view):
-        if not request.user.is_authenticated:
+        if not request.user.is_staff:
             return False
 
         if request.user.is_superuser:
             return True
 
+        if request.user.is_store_admin:
+            return True
+        
         if request.method in SAFE_METHODS and request.user.is_staff: # Every staff can view
             return True
 
@@ -88,11 +137,14 @@ def has_permission(self, request, view):
 
 
 def has_required_perm(user, code: str, model_cls=None):
-    if not user.is_authenticated:
+    if not user.is_staff:
         return False
 
     if user.is_superuser:
         return True
+    
+    if user.is_store_admin:
+        return True
 
     perm_code  = model_cls._meta.app_label + '.' + code
     return user.has_perm(perm_code)

nxtbn/order/api/dashboard/views.py

@@ -21,7 +21,7 @@
 import django_filters
 from django_filters import rest_framework as filters
 
-from nxtbn.core.admin_permissions import GranularPermission, CommonPermissions, IsStaffUser, has_required_perm
+from nxtbn.core.admin_permissions import GranularPermission, CommonPermissions, has_required_perm
 from nxtbn.core.enum_perms import PermissionsEnum
 from nxtbn.core.utils import to_currency_unit
 from nxtbn.order.proccesor.views import OrderProccessorAPIView

nxtbn/tax/api/dashboard/views.py

@@ -4,6 +4,7 @@
 from rest_framework.permissions  import AllowAny
 from rest_framework.exceptions import APIException
 
+from nxtbn.core.admin_permissions import CommonPermissions
 from nxtbn.core.paginator import NxtbnPagination
 
 from nxtbn.tax.models import TaxClass, TaxClassTranslation, TaxRate
@@ -20,17 +21,23 @@
 from nxtbn.users import UserRole
 
 class TaxClassView(generics.ListCreateAPIView):
+    permission_classes = (CommonPermissions, )
+    model = TaxClass
     queryset = TaxClass.objects.all()
     serializer_class = TaxClassSerializer
     pagination_class = NxtbnPagination
 
 
 class TaxClassDetailsView(generics.RetrieveUpdateDestroyAPIView):
+    permission_classes = (CommonPermissions, )
+    model = TaxClass
     queryset = TaxClass.objects.all()
     serializer_class = TaxClassDetailSerializer
     lookup_field = 'id'
 
 class TaxRateListCreateAPIView(generics.ListCreateAPIView):
+    permission_classes = (CommonPermissions, )
+    model = TaxClass
     serializer_class = TaxRateSerializer
     queryset = TaxRate.objects.all()
     filter_backends = [
@@ -43,6 +50,8 @@ class TaxRateListCreateAPIView(generics.ListCreateAPIView):
 
 
 class TaxRateRetrieveUpdateDelete(generics.RetrieveUpdateDestroyAPIView):
+    permission_classes = (CommonPermissions, )
+    model = TaxClass
     serializer_class = TaxRateSerializer
     queryset = TaxRate.objects.all()
     lookup_field = 'id'

nxtbn/users/admin_queries.py

@@ -1,14 +1,28 @@
 import graphene
 
-from nxtbn.users.admin_types import PermissionType
+from nxtbn.users.admin_types import AdminUserType, PermissionType
 from django.contrib.auth.models import Permission
+from graphene_django.filter import DjangoFilterConnectionField
 
 from nxtbn.users.models import User
 
 
 class UserAdminQuery(graphene.ObjectType):
+    users = DjangoFilterConnectionField(AdminUserType)
+    user = graphene.Field(AdminUserType, id=graphene.Int(required=True))
     permissions = graphene.List(PermissionType, user_id=graphene.Int(required=True))
 
+    def resolve_users(self, info, **kwargs):
+        return User.objects.all()
+    
+    def resolve_user(self, info, id):
+        try:
+            user = User.objects.get(id=id)
+        except User.DoesNotExist:
+            raise Exception("User not found")
+        
+        return user
+
     def resolve_permissions(self, info, user_id):
         # Get the user by the provided user_id
         try:
@@ -31,4 +45,4 @@ def resolve_permissions(self, info, user_id):
             )
             for permission in permissions
         ]
-        return permission_data
+        return permission_data

nxtbn/users/admin_types.py

@@ -8,8 +8,30 @@ class AdminUserType(DjangoObjectType):
     db_id = graphene.ID(source='id')
     class Meta:
         model = User
-        fields = ('id', 'username', 'email', 'first_name', 'last_name', 'is_staff', 'is_active', 'date_joined')
+        fields = (
+            'id',
+            'username',
+            'role',
+            'email',
+            'phone_number',
+            'first_name',
+            'last_name',
+            'is_staff',
+            'is_active',
+            'is_superuser',
+            'is_store_admin',
+            'is_store_staff',
+            'date_joined',
+        )
         interfaces = (graphene.relay.Node, )
+        filter_fields = {
+            'id': ['exact'],
+            'is_staff': ['exact'],
+            'is_active': ['exact'],
+            'is_superuser': ['exact'],
+            'is_store_admin': ['exact'],
+            'is_store_staff': ['exact'],
+        }
 
 
     def resolve_full_name(self, info):

nxtbn/users/api/dashboard/serializers.py

@@ -20,7 +20,7 @@ class DashboardLoginSerializer(serializers.Serializer):
 class UserSerializer(serializers.ModelSerializer):
     class Meta:
         model = User
-        fields = ['id', 'avatar', 'username', 'email', 'first_name', 'last_name', 'role', 'full_name', 'phone_number']
+        fields = ['id', 'avatar', 'username', 'email', 'first_name', 'last_name', 'role', 'full_name', 'phone_number', 'is_store_admin', 'is_store_staff']
 
 
 class CustomerSerializer(serializers.ModelSerializer):
@@ -113,6 +113,8 @@ class Meta:
             'is_active',
             'is_staff',
             'is_superuser',
+            'is_store_admin',
+            'is_store_staff',
             'full_name',
             'password',
             'role'

nxtbn/users/migrations/0005_user_is_store_admin_user_is_store_staff_and_more.py

@@ -0,0 +1,28 @@
+# Generated by Django 4.2.11 on 2025-01-31 17:30
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('users', '0004_alter_user_role'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='user',
+            name='is_store_admin',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='user',
+            name='is_store_staff',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AlterField(
+            model_name='user',
+            name='role',
+            field=models.CharField(default='Store Admin', max_length=255),
+        ),
+    ]

nxtbn/users/models.py

@@ -10,12 +10,18 @@
 
 
 class User(AbstractUser):
-    role = models.CharField(max_length=255, choices=UserRole.choices, default=UserRole.CUSTOMER)
+    role = models.CharField(max_length=255, default='Store Admin')
+
+    # To learn more about permissions hierarchy, check this files: nxtbn/core/admin_permissions.py
+    is_store_admin = models.BooleanField(default=False)
+    is_store_staff = models.BooleanField(default=False)
+
+
     avatar = models.ImageField(upload_to='avatars/', null=True, blank=True)
     phone_number = models.CharField(max_length=255, null=True, blank=True)
 
     def __str__(self):
-        parts = [self.get_full_name(), self.username, self.email, self.get_role_display()]
+        parts = [self.get_full_name(), self.username, self.email]
         return " - ".join(part for part in parts if part)
 
     def full_name(self):