fastapi-clean-example/src/app/application/common/services/authorization.py at b678eb0136755421e76f6eed872142e881f57091 · ivan-borovets/fastapi-clean-example · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
from collections.abc import Mapping
from typing import Final

from app.application.common.constants import AUTHZ_NOT_AUTHORIZED
from app.application.common.exceptions.authorization import AuthorizationError
from app.domain.enums.user_role import UserRole
from app.domain.value_objects.user_id import UserId

SUBORDINATE_ROLES: Final[Mapping[UserRole, set[UserRole]]] = {
    UserRole.SUPER_ADMIN: {UserRole.ADMIN, UserRole.USER},
    UserRole.ADMIN: {UserRole.USER},
    UserRole.USER: set(),
}


class AuthorizationService:
    def authorize_for_self(
        self,
        current_user_id: UserId,
        /,
        *,
        target_id: UserId,
    ) -> None:
        """
        :raises AuthorizationError:
        """
        if current_user_id != target_id:
            raise AuthorizationError(AUTHZ_NOT_AUTHORIZED)

    def authorize_for_subordinate_role(
        self,
        current_user_role: UserRole,
        /,
        *,
        target_role: UserRole,
    ) -> None:
        """
        :raises AuthorizationError:
        """
        allowed_roles = SUBORDINATE_ROLES.get(current_user_role, set())
        if target_role not in allowed_roles:
            raise AuthorizationError(AUTHZ_NOT_AUTHORIZED)