feat: implement role-based access control for miniapp
All checks were successful
CI / lint-and-test (push) Successful in 22s
All checks were successful
CI / lint-and-test (push) Successful in 22s
- Introduced a new roles table in the database to manage user roles ('user' and 'admin') for access control.
- Updated the user model to include a foreign key reference to the roles table, allowing for role assignment.
- Enhanced command handlers to support the `/set_role` command for admins to assign roles to users.
- Refactored access control logic to utilize role checks instead of username/phone allowlists, improving security and maintainability.
- Updated documentation to reflect changes in access control mechanisms and role management.
- Added unit tests to ensure correct functionality of role assignment and access checks.
This commit is contained in:
@@ -82,14 +82,11 @@ def test_duties_403_when_init_data_invalid(mock_validate, client):
|
||||
|
||||
@patch("duty_teller.api.dependencies.get_user_by_telegram_id")
|
||||
@patch("duty_teller.api.dependencies.validate_init_data_with_reason")
|
||||
@patch("duty_teller.api.dependencies.config.can_access_miniapp")
|
||||
@patch("duty_teller.api.dependencies.config.MINI_APP_SKIP_AUTH", False)
|
||||
def test_duties_403_when_username_not_allowed(
|
||||
mock_can_access, mock_validate, mock_get_user, client
|
||||
):
|
||||
def test_duties_403_when_user_not_in_db(mock_validate, mock_get_user, client):
|
||||
"""User not in DB -> 403 (access only for users with role or env-admin fallback)."""
|
||||
mock_validate.return_value = (123, "someuser", "ok", "en")
|
||||
mock_can_access.return_value = False
|
||||
mock_get_user.return_value = None # no user in DB or no phone path
|
||||
mock_get_user.return_value = None
|
||||
with patch("duty_teller.api.app.fetch_duties_response") as mock_fetch:
|
||||
r = client.get(
|
||||
"/api/duties",
|
||||
@@ -103,21 +100,21 @@ def test_duties_403_when_username_not_allowed(
|
||||
mock_fetch.assert_not_called()
|
||||
|
||||
|
||||
@patch("duty_teller.api.dependencies.config.can_access_miniapp_by_phone")
|
||||
@patch("duty_teller.api.dependencies.can_access_miniapp_for_telegram_user")
|
||||
@patch("duty_teller.api.dependencies.get_user_by_telegram_id")
|
||||
@patch("duty_teller.api.dependencies.validate_init_data_with_reason")
|
||||
@patch("duty_teller.api.dependencies.config.can_access_miniapp")
|
||||
@patch("duty_teller.api.dependencies.config.MINI_APP_SKIP_AUTH", False)
|
||||
def test_duties_403_when_no_username_and_phone_not_in_allowlist(
|
||||
mock_can_access, mock_validate, mock_get_user, mock_can_access_phone, client
|
||||
def test_duties_403_when_no_username_and_no_access(
|
||||
mock_validate, mock_get_user, mock_can_access, client
|
||||
):
|
||||
"""No username in initData and user's phone not in ALLOWED_PHONES -> 403."""
|
||||
"""User in DB but no miniapp access (no role, not env admin) -> 403."""
|
||||
from types import SimpleNamespace
|
||||
|
||||
mock_validate.return_value = (456, None, "ok", "en")
|
||||
mock_get_user.return_value = SimpleNamespace(
|
||||
phone="+79001111111", full_name="User", username=None
|
||||
)
|
||||
mock_can_access.return_value = False
|
||||
mock_get_user.return_value = SimpleNamespace(phone="+79001111111", full_name="User")
|
||||
mock_can_access_phone.return_value = False
|
||||
with patch("duty_teller.api.app.fetch_duties_response") as mock_fetch:
|
||||
r = client.get(
|
||||
"/api/duties",
|
||||
@@ -128,23 +125,21 @@ def test_duties_403_when_no_username_and_phone_not_in_allowlist(
|
||||
mock_fetch.assert_not_called()
|
||||
|
||||
|
||||
@patch("duty_teller.api.dependencies.config.can_access_miniapp_by_phone")
|
||||
@patch("duty_teller.api.dependencies.can_access_miniapp_for_telegram_user")
|
||||
@patch("duty_teller.api.dependencies.get_user_by_telegram_id")
|
||||
@patch("duty_teller.api.dependencies.validate_init_data_with_reason")
|
||||
@patch("duty_teller.api.dependencies.config.can_access_miniapp")
|
||||
@patch("duty_teller.api.dependencies.config.MINI_APP_SKIP_AUTH", False)
|
||||
def test_duties_200_when_no_username_but_phone_in_allowlist(
|
||||
mock_can_access, mock_validate, mock_get_user, mock_can_access_phone, client
|
||||
def test_duties_200_when_user_has_access(
|
||||
mock_validate, mock_get_user, mock_can_access, client
|
||||
):
|
||||
"""No username in initData but user's phone in ALLOWED_PHONES -> 200."""
|
||||
"""User in DB with miniapp access (role or env fallback) -> 200."""
|
||||
from types import SimpleNamespace
|
||||
|
||||
mock_validate.return_value = (789, None, "ok", "en")
|
||||
mock_can_access.return_value = False
|
||||
mock_get_user.return_value = SimpleNamespace(
|
||||
phone="+7 900 123-45-67", full_name="Иван"
|
||||
phone="+7 900 123-45-67", full_name="Иван", username=None
|
||||
)
|
||||
mock_can_access_phone.return_value = True
|
||||
mock_can_access.return_value = True
|
||||
with patch("duty_teller.api.app.fetch_duties_response") as mock_fetch:
|
||||
mock_fetch.return_value = []
|
||||
r = client.get(
|
||||
@@ -180,10 +175,18 @@ def test_duties_200_with_valid_init_data_and_skip_auth_not_in_allowlist(
|
||||
mock_validate.assert_not_called()
|
||||
|
||||
|
||||
@patch("duty_teller.api.dependencies.can_access_miniapp_for_telegram_user")
|
||||
@patch("duty_teller.api.dependencies.get_user_by_telegram_id")
|
||||
@patch("duty_teller.api.dependencies.validate_init_data_with_reason")
|
||||
@patch("duty_teller.api.dependencies.config.can_access_miniapp")
|
||||
def test_duties_200_with_allowed_user(mock_can_access, mock_validate, client):
|
||||
def test_duties_200_with_allowed_user(
|
||||
mock_validate, mock_get_user, mock_can_access, client
|
||||
):
|
||||
from types import SimpleNamespace
|
||||
|
||||
mock_validate.return_value = (1, "alloweduser", "ok", "en")
|
||||
mock_get_user.return_value = SimpleNamespace(
|
||||
full_name="Иван Иванов", username="alloweduser", phone=None
|
||||
)
|
||||
mock_can_access.return_value = True
|
||||
with patch("duty_teller.api.app.fetch_duties_response") as mock_fetch:
|
||||
mock_fetch.return_value = [
|
||||
@@ -206,11 +209,16 @@ def test_duties_200_with_allowed_user(mock_can_access, mock_validate, client):
|
||||
mock_fetch.assert_called_once_with(ANY, "2025-01-01", "2025-01-31")
|
||||
|
||||
|
||||
def test_duties_e2e_auth_real_validation(client, monkeypatch):
|
||||
@patch("duty_teller.api.dependencies.can_access_miniapp_for_telegram_user")
|
||||
@patch("duty_teller.api.dependencies.get_user_by_telegram_id")
|
||||
def test_duties_e2e_auth_real_validation(
|
||||
mock_get_user, mock_can_access, client, monkeypatch
|
||||
):
|
||||
from types import SimpleNamespace
|
||||
|
||||
test_token = "123:ABC"
|
||||
test_username = "e2euser"
|
||||
monkeypatch.setattr(config, "BOT_TOKEN", test_token)
|
||||
monkeypatch.setattr(config, "ALLOWED_USERNAMES", {test_username})
|
||||
monkeypatch.setattr(config, "ADMIN_USERNAMES", set())
|
||||
monkeypatch.setattr(config, "INIT_DATA_MAX_AGE_SECONDS", 0)
|
||||
init_data = make_init_data(
|
||||
@@ -218,6 +226,10 @@ def test_duties_e2e_auth_real_validation(client, monkeypatch):
|
||||
test_token,
|
||||
auth_date=int(time.time()),
|
||||
)
|
||||
mock_get_user.return_value = SimpleNamespace(
|
||||
full_name="E2E User", username=test_username, phone=None
|
||||
)
|
||||
mock_can_access.return_value = True
|
||||
with patch("duty_teller.api.app.fetch_duties_response") as mock_fetch:
|
||||
mock_fetch.return_value = []
|
||||
r = client.get(
|
||||
|
||||
Reference in New Issue
Block a user