feat(phase-39): role-based access control overhaul + forced password change · a4a2adccee - Aegis

feat(phase-39): role-based access control overhaul + forced password change

Some checks failed

Aegis CI / lint-and-test (push) Has been cancelled

Details

- Add must_change_password field to User model with migration b023

- Add POST /auth/change-password endpoint with password policy validation

- Add require_password_changed dependency to block requests until password is changed

- Add ChangePasswordModal with live password policy checklist (forced on first login)

- Show password policy in CreateUserModal and EditUserModal

- Fix backend permissions: tests, campaigns, templates, reports, evidence, worklogs

- red_tech/blue_tech: execute only, cannot create tests/campaigns/templates

- red_lead/blue_lead: create/edit tests/campaigns/templates, generate reports, no system access

- viewer: read-only everywhere, can generate reports

- Fix frontend role checks across TestDetailPage, TestDetailHeader, TeamTabs, TestsPage, CampaignsPage, CampaignDetailPage, Sidebar

This commit is contained in:

Kitos

2026-02-18 10:37:02 +01:00

parent 8f764d8e39

commit a4a2adccee

24 changed files with 338 additions and 72 deletions

									
										1

backend/app/schemas/auth.py
									
												View File
												
				@@ -28,6 +28,7 @@ class UserOut(BaseModel):

				    email: str | None = None

				    role: str

				    is_active: bool

				    must_change_password: bool = True

				    class Config:

				        from_attributes = True

feat(phase-39): role-based access control overhaul + forced password change Some checks failed Aegis CI / lint-and-test (push) Has been cancelled Details

1 backend/app/schemas/auth.py Unescape Escape View File

feat(phase-39): role-based access control overhaul + forced password change

Some checks failed

Aegis CI / lint-and-test (push) Has been cancelled

Details

1

backend/app/schemas/auth.py

View File