diff --git a/api/kiwi_vpn_api/main.py b/api/kiwi_vpn_api/main.py
index eb69de2..444871d 100755
--- a/api/kiwi_vpn_api/main.py
+++ b/api/kiwi_vpn_api/main.py
@@ -13,7 +13,8 @@ import uvicorn
 from fastapi import FastAPI
 
 from .config import Config, Settings
-from .db import Connection, User, UserRead
+from .db import Connection, User
+from .permission import Permission
 from .routers import main_router
 
 app = FastAPI(
@@ -43,9 +44,11 @@ async def on_startup() -> None:
     Connection.connect(current_config.db.uri)
 
     # some testing
-    print(UserRead.from_orm(User.get("admin")))
+    print(admin := User.get("admin"))
     print(User.get("nonexistent"))
 
+    print(Permission._(admin, admin))
+
 
 def main() -> None:
     uvicorn.run(
diff --git a/api/kiwi_vpn_api/permission.py b/api/kiwi_vpn_api/permission.py
new file mode 100644
index 0000000..4f9b83a
--- /dev/null
+++ b/api/kiwi_vpn_api/permission.py
@@ -0,0 +1,35 @@
+from __future__ import annotations
+
+from enum import Enum, auto
+
+from .db import User
+
+
+class Permission(Enum):
+    tag = auto()
+    untag = auto()
+    edit = auto()
+    delete = auto()
+
+    def __repr__(self) -> str:
+        return self.name
+
+    @classmethod
+    def _(
+        cls,
+        actor: User | None,
+        target: User,
+    ) -> set[Permission]:
+        result = set()
+
+        if actor is None:
+            return result
+
+        if isinstance(target, User):
+            if actor.is_admin():
+                if target != actor:
+                    result |= set([cls.tag, cls.untag, cls.delete])
+
+            result.add(cls.edit)
+
+        return result
diff --git a/api/plan.md b/api/plan.md
index 0822af0..fdeaae1 100644
--- a/api/plan.md
+++ b/api/plan.md
@@ -13,7 +13,7 @@
 - custom DN parts: country, state, city, org, OU
 - email
 
-## User caps
+## User tags
 - admin: administrator
 - login: can log into the web interface
 - issue: can certify own devices without approval
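Review bot: The `print(admin := User.get("admin"))` line now writes the raw admin `User` ORM object to stdout on every startup, where the previous `UserRead.from_orm(...)` projection presumably stripped non-public fields; if `User`'s repr carries a password hash or token, it ends up in the process log of every deployment. The block is self-labelled `# some testing`, so either drop it before merge or move it behind an explicit debug switch with `logging.debug`, keeping the `UserRead` projection rather than the bare record. Note also that `User.get("admin")` can evidently return `None` (the next line probes "nonexistent"), so `Permission._(admin, admin)` is then called with `None` as `target` despite its `User` annotation — it happens to return an empty set, but a real caller should not rely on that. The body of `on_startup` begins outside this hunk.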
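Review bot: `Permission._` grants `edit` to every non-`None` actor on every `User` target — the `result.add(cls.edit)` sits outside the `actor.is_admin()` branch, so a plain login-tagged user gets `edit` on the admin's record and on every other user. If the intent is that non-admins may edit only themselves, the line should be `if actor.is_admin() or target == actor:` followed by `result.add(cls.edit)`, which keeps the admin path unchanged. Two smaller points: `target != actor` relies on whatever equality `User` defines (identity vs. field comparison after two separate fetches) — worth a comment stating which one is meant; and the method name `_` gives callers no hint of the contract, so a docstring such as `"""Return the set of Permissions *actor* holds over *target*; empty when *actor* is None."""` (or a descriptive name like `for_actor`) would help. `set([cls.tag, cls.untag, cls.delete])` can be the literal `{cls.tag, cls.untag, cls.delete}`.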