kincses/service-finder
1
0
Fork 0
Code Issues 7 Pull Requests Packages Projects 2 Releases Wiki Activity
Files
f53e0b53df3a91eedbd2339a053547ff3fe805a8
service-finder/backend/app/api/v1/endpoints/finance_admin.py
Roo f53e0b53df refaktorálás javításai
2026-03-13 10:22:41 +00:00

77 lines
2.5 KiB
Python
Raw Blame History

# /opt/docker/dev/service_finder/backend/app/api/v1/endpoints/finance_admin.py
"""
Finance Admin API endpoints for managing Issuers with strict RBAC protection.
Only users with rank >= 90 (Superadmin/Finance Admin) can access these endpoints.
"""
from fastapi import APIRouter, Depends, HTTPException, status
from sqlalchemy.ext.asyncio import AsyncSession
from sqlalchemy import select
from typing import List
from app.api import deps
from app.models.identity import User, UserRole
from app.models.finance import Issuer
from app.schemas.finance import IssuerResponse, IssuerUpdate
router = APIRouter()
async def check_finance_admin_access(
current_user: User = Depends(deps.get_current_active_user)
):
"""
RBAC protection: only users with rank >= 90 (Superadmin/Finance Admin) can access.
In our system, this translates to role being 'superadmin' or 'admin'.
"""
if current_user.role not in [UserRole.superadmin, UserRole.admin]:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="Not enough permissions. Rank >= 90 (Superadmin/Finance Admin) required."
)
return current_user
@router.get("/", response_model=List[IssuerResponse], tags=["finance-admin"])
async def list_issuers(
db: AsyncSession = Depends(deps.get_db),
admin: User = Depends(check_finance_admin_access)
):
"""
List all Issuers (billing entities).
Only accessible by Superadmin/Finance Admin (rank >= 90).
"""
result = await db.execute(select(Issuer).order_by(Issuer.id))
issuers = result.scalars().all()
return issuers
@router.patch("/{issuer_id}", response_model=IssuerResponse, tags=["finance-admin"])
async def update_issuer(
issuer_id: int,
issuer_update: IssuerUpdate,
db: AsyncSession = Depends(deps.get_db),
admin: User = Depends(check_finance_admin_access)
):
"""
Update an Issuer's details (activate/deactivate, revenue limit, API config).
Only accessible by Superadmin/Finance Admin (rank >= 90).
"""
result = await db.execute(select(Issuer).where(Issuer.id == issuer_id))
issuer = result.scalar_one_or_none()
if not issuer:
raise HTTPException(
status_code=status.HTTP_404_NOT_FOUND,
detail=f"Issuer with ID {issuer_id} not found."
)
# Update fields if provided
update_data = issuer_update.model_dump(exclude_unset=True)
for field, value in update_data.items():
setattr(issuer, field, value)
await db.commit()
await db.refresh(issuer)
return issuer
Reference in New Issue View Git Blame Copy Permalink