start "permission" implementation

api/kiwi_vpn_api/main.py

@@ -13,7 +13,8 @@ import uvicorn
 from fastapi import FastAPI
 
 from .config import Config, Settings
-from .db import Connection, User, UserRead
+from .db import Connection, User
+from .permission import Permission
 from .routers import main_router
 
 app = FastAPI(
@@ -43,9 +44,11 @@ async def on_startup() -> None:
         Connection.connect(current_config.db.uri)
 
         # some testing
-        print(UserRead.from_orm(User.get("admin")))
+        print(admin := User.get("admin"))
         print(User.get("nonexistent"))
 
+        print(Permission._(admin, admin))
+
 
 def main() -> None:
     uvicorn.run(

api/kiwi_vpn_api/permission.py

@@ -0,0 +1,35 @@
+from __future__ import annotations
+
+from enum import Enum, auto
+
+from .db import User
+
+
+class Permission(Enum):
+    tag = auto()
+    untag = auto()
+    edit = auto()
+    delete = auto()
+
+    def __repr__(self) -> str:
+        return self.name
+
+    @classmethod
+    def _(
+        cls,
+        actor: User | None,
+        target: User,
+    ) -> set[Permission]:
+        result = set()
+
+        if actor is None:
+            return result
+
+        if isinstance(target, User):
+            if actor.is_admin():
+                if target != actor:
+                    result |= set([cls.tag, cls.untag, cls.delete])
+
+                result.add(cls.edit)
+
+        return result

api/plan.md

@@ -13,7 +13,7 @@
 - custom DN parts: country, state, city, org, OU
 - email
 
-## User caps
+## User tags
 - admin: administrator
 - login: can log into the web interface
 - issue: can certify own devices without approval