feat(phase-39): role-based access control overhaul + forced password change
Some checks failed
Aegis CI / lint-and-test (push) Has been cancelled
Some checks failed
Aegis CI / lint-and-test (push) Has been cancelled
- Add must_change_password field to User model with migration b023 - Add POST /auth/change-password endpoint with password policy validation - Add require_password_changed dependency to block requests until password is changed - Add ChangePasswordModal with live password policy checklist (forced on first login) - Show password policy in CreateUserModal and EditUserModal - Fix backend permissions: tests, campaigns, templates, reports, evidence, worklogs - red_tech/blue_tech: execute only, cannot create tests/campaigns/templates - red_lead/blue_lead: create/edit tests/campaigns/templates, generate reports, no system access - viewer: read-only everywhere, can generate reports - Fix frontend role checks across TestDetailPage, TestDetailHeader, TeamTabs, TestsPage, CampaignsPage, CampaignDetailPage, Sidebar
This commit is contained in:
@@ -91,6 +91,22 @@ async def get_current_user(
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
|
||||
async def require_password_changed(
|
||||
current_user: User = Depends(get_current_user),
|
||||
) -> User:
|
||||
"""Block all requests when the user still needs to change their password.
|
||||
|
||||
Only ``/auth/change-password`` and ``/auth/me`` are exempt — those
|
||||
endpoints do **not** depend on this function.
|
||||
"""
|
||||
if getattr(current_user, "must_change_password", False):
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_403_FORBIDDEN,
|
||||
detail="PASSWORD_CHANGE_REQUIRED",
|
||||
)
|
||||
return current_user
|
||||
|
||||
|
||||
def require_role(required_role: str):
|
||||
"""Return a FastAPI dependency that enforces *required_role*.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user