feat(permissions): centralize workspace role capability checks

2026-04-25 18:48:50 +03:30
parent 5f9d413a57
commit f960ca8221
14 changed files with 925 additions and 222 deletions
--- a/apps/clients/api/permissions.py
+++ b/apps/clients/api/permissions.py
@@ -1,22 +1,46 @@
-from rest_framework import permissions
-from apps.workspaces.models import WorkspaceMembership
-
-
-class IsClientWorkspaceMember(permissions.BasePermission):
-    """
-    Allows access only to users who are active members of the workspace associated with the client.
-    """
-    message = "شما عضو فضای کاری این مشتری نیستید."
-
-    def has_object_permission(self, request, view, obj):
-        """
-        Validates if the user exists in the workspace memberships for the requested client's workspace.
-        """
-        if not request.user.is_authenticated:
-            return False
-            
-        return WorkspaceMembership.objects.filter(
-            workspace=obj.workspace,
-            user=request.user,
-            is_active=True
-        ).exists()
+from rest_framework import permissions
+
+from apps.workspaces.models import Workspace
+from apps.workspaces.services import (
+    CLIENTS_CREATE,
+    CLIENTS_DELETE,
+    CLIENTS_EDIT,
+    CLIENTS_VIEW,
+    has_workspace_capability,
+)
+
+
+class IsClientWorkspaceMember(permissions.BasePermission):
+    """
+    Applies capability-based access checks for client resources.
+    """
+
+    message = "You do not have permission to access this client."
+
+    def has_permission(self, request, view):
+        if not request.user.is_authenticated:
+            return False
+
+        if view.action == "create":
+            workspace_id = request.data.get("workspace_id")
+            if not workspace_id:
+                return False
+            workspace = Workspace.objects.filter(id=workspace_id, is_deleted=False).first()
+            return bool(
+                workspace and has_workspace_capability(request.user, workspace, CLIENTS_CREATE)
+            )
+
+        return True
+
+    def has_object_permission(self, request, view, obj):
+        if not request.user.is_authenticated:
+            return False
+
+        capability = {
+            "retrieve": CLIENTS_VIEW,
+            "list": CLIENTS_VIEW,
+            "update": CLIENTS_EDIT,
+            "partial_update": CLIENTS_EDIT,
+            "destroy": CLIENTS_DELETE,
+        }.get(view.action, CLIENTS_VIEW)
+        return has_workspace_capability(request.user, obj.workspace, capability)