- Introduction of Partner Admin role in combination with 'Management Partner' type.

eveai_app/views/user_views.py

@@ -10,6 +10,7 @@ import ast
 
 from common.models.user import User, Tenant, Role, TenantDomain, TenantProject, Partner
 from common.extensions import db, security, minio_client, simple_encryption
+from common.services.user_service import UserService
 from common.utils.security_utils import send_confirmation_email, send_reset_email
 from config.type_defs.service_types import SERVICE_TYPES
 from .user_forms import TenantForm, CreateUserForm, EditUserForm, TenantDomainForm, TenantSelectionForm, \
@@ -106,7 +107,7 @@ def edit_tenant(tenant_id):
 
 
 @user_bp.route('/user', methods=['GET', 'POST'])
-@roles_accepted('Super User', 'Tenant Admin')
+@roles_accepted('Super User', 'Tenant Admin', 'Partner Admin')
 def user():
     form = CreateUserForm()
     form.tenant_id.data = session.get('tenant').get('id')  # It is only possible to create users for the session tenant
@@ -159,7 +160,7 @@ def user():
 
 
 @user_bp.route('/user/<int:user_id>', methods=['GET', 'POST'])
-@roles_accepted('Super User', 'Tenant Admin')
+@roles_accepted('Super User', 'Tenant Admin', 'Partner Admin')
 def edit_user(user_id):
     user = User.query.get_or_404(user_id)  # This will return a 404 if no user is found
     form = EditUserForm(obj=user)
@@ -174,16 +175,22 @@ def edit_user(user_id):
         # Update roles
         current_roles = set(role.id for role in user.roles)
         selected_roles = set(form.roles.data)
-        # Add new roles
-        for role_id in selected_roles - current_roles:
-            role = Role.query.get(role_id)
-            if role:
-                user.roles.append(role)
-        # Remove unselected roles
-        for role_id in current_roles - selected_roles:
-            role = Role.query.get(role_id)
-            if role:
-                user.roles.remove(role)
+        if UserService.validate_role_assignments(selected_roles):
+            # Add new roles
+            for role_id in selected_roles - current_roles:
+                role = Role.query.get(role_id)
+                if role:
+                    user.roles.append(role)
+            # Remove unselected roles
+            for role_id in current_roles - selected_roles:
+                role = Role.query.get(role_id)
+                if role:
+                    user.roles.remove(role)
+        else:
+            flash('Trying to assign unauthorized roles', 'danger')
+            current_app.logger.error(f"Trying to assign unauthorized roles by user {user_id},"
+                                     f"tenant {session['tenant']['id']}")
+            return redirect(prefixed_url_for('user_bp.edit_user', user_id=user_id))
 
         db.session.commit()
         flash('User updated successfully.', 'success')
@@ -242,14 +249,10 @@ def handle_tenant_selection():
     session.pop('catalog_name', None)
 
     match action:
-        case 'view_users':
-            return redirect(prefixed_url_for('user_bp.view_users', tenant_id=tenant_id))
         case 'edit_tenant':
             return redirect(prefixed_url_for('user_bp.edit_tenant', tenant_id=tenant_id))
         case 'select_tenant':
             return redirect(prefixed_url_for('user_bp.tenant_overview'))
-        case 'new_tenant':
-            return redirect(prefixed_url_for('user_bp.tenant'))
 
     # Add more conditions for other actions
     return redirect(prefixed_url_for('select_tenant'))