a8debcfb4b
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m13s
- Add Access Control card in Settings (admin-only): role defaults display, user overrides CRUD - Add sidebar drag-and-drop reordering with per-user persistence in rbac.json - Backend: GET/PUT /api/auth/preferences endpoints, sidebar order helpers in rbac.py - Frontend: HTML5 drag API with grip handles, smart order merge, debounced save - Preserve sidebar_order when updating page overrides
107 lines
2.9 KiB
Python
107 lines
2.9 KiB
Python
import json
|
|
import os
|
|
from typing import Optional
|
|
from pydantic import BaseModel
|
|
from fastapi import HTTPException, Request, status
|
|
|
|
import config
|
|
|
|
RBAC_FILE = os.path.join(config.VOLUME_ROOT, "docker/nas-dashboard/rbac.json")
|
|
|
|
ROLE_GROUP_MAP = {
|
|
"dashboard_admin": "admin",
|
|
"dashboard_member": "member",
|
|
"dashboard_viewer": "viewer",
|
|
}
|
|
|
|
DEFAULT_RBAC = {
|
|
"role_defaults": {
|
|
"admin": {"pages": "*"},
|
|
"member": {"pages": ["dashboard", "docker", "files", "openclaw", "chat-digest"]},
|
|
"viewer": {"pages": ["dashboard"]},
|
|
},
|
|
"user_overrides": {},
|
|
}
|
|
|
|
|
|
class User(BaseModel):
|
|
username: str
|
|
role: str
|
|
pages: list | str # "*" or list of page ids
|
|
|
|
|
|
def load_rbac() -> dict:
|
|
try:
|
|
if os.path.exists(RBAC_FILE):
|
|
with open(RBAC_FILE) as f:
|
|
return json.load(f)
|
|
except Exception:
|
|
pass
|
|
return DEFAULT_RBAC.copy()
|
|
|
|
|
|
def save_rbac(data: dict):
|
|
os.makedirs(os.path.dirname(RBAC_FILE), exist_ok=True)
|
|
with open(RBAC_FILE, "w") as f:
|
|
json.dump(data, f, indent=2)
|
|
|
|
|
|
def resolve_role(groups: list[str]) -> Optional[str]:
|
|
for group in groups:
|
|
if group in ROLE_GROUP_MAP:
|
|
return ROLE_GROUP_MAP[group]
|
|
return None
|
|
|
|
|
|
def get_pages(username: str, role: str) -> list | str:
|
|
rbac = load_rbac()
|
|
overrides = rbac.get("user_overrides", {})
|
|
if username in overrides:
|
|
return overrides[username].get("pages", rbac["role_defaults"].get(role, {}).get("pages", []))
|
|
return rbac.get("role_defaults", {}).get(role, {}).get("pages", [])
|
|
|
|
|
|
def get_sidebar_order(username: str) -> dict | None:
|
|
rbac = load_rbac()
|
|
overrides = rbac.get("user_overrides", {})
|
|
return overrides.get(username, {}).get("sidebar_order")
|
|
|
|
|
|
def save_sidebar_order(username: str, order: dict):
|
|
rbac = load_rbac()
|
|
rbac.setdefault("user_overrides", {}).setdefault(username, {})["sidebar_order"] = order
|
|
save_rbac(rbac)
|
|
|
|
|
|
def has_page_access(user: User, page: str) -> bool:
|
|
if user.pages == "*":
|
|
return True
|
|
return page in user.pages
|
|
|
|
|
|
def require_page(page: str):
|
|
"""FastAPI dependency factory — 403 if user lacks page access."""
|
|
async def checker(request: Request):
|
|
user: User = request.state.user
|
|
if not has_page_access(user, page):
|
|
raise HTTPException(status_code=403, detail="Access denied")
|
|
return checker
|
|
|
|
|
|
def require_admin():
|
|
"""FastAPI dependency — 403 if user is not admin."""
|
|
async def checker(request: Request):
|
|
user: User = request.state.user
|
|
if user.role != "admin":
|
|
raise HTTPException(status_code=403, detail="Admin only")
|
|
return checker
|
|
|
|
|
|
def require_write():
|
|
"""FastAPI dependency — 403 if viewer tries non-GET method."""
|
|
async def checker(request: Request):
|
|
user: User = request.state.user
|
|
if user.role == "viewer" and request.method != "GET":
|
|
raise HTTPException(status_code=403, detail="Read-only access")
|
|
return checker
|