Initial Commit

pyqt6_scaffold/contrib/auth/__init__.py

@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-3.0-or-later
+
+from .role import Role, RoleLevel
+from .database import RBACMixin
+
+__all__ = [
+    "Role",
+    "RoleLevel",
+    "RBACMixin"
+]

pyqt6_scaffold/contrib/auth/database.py

@@ -0,0 +1,45 @@
+# SPDX-License-Identifier: LGPL-3.0-or-later
+
+from pyqt6_scaffold.core.objects import BaseUser
+
+class RBACMixin:
+    """
+    Role-Based Access Control mixin for AbstractDatabase subclasses.
+
+    Provides a can() method that checks user permissions against
+    a permission table in the database. Table and column names
+    are configurable as class attributes.
+
+    Expected table schema:
+        permission_table (permission_column, level_column)
+
+    Example:
+        permission_map (perm VARCHAR, min_level INT)
+    """
+    permission_table: str = "permission_map"
+    permission_column: str = "perm"
+    level_column: str = "min_level"
+
+    def can(self, user: BaseUser, permission: str) -> bool:
+        """
+        Check whether a user has the required permission level.
+
+        Args:
+            user: A BaseUser instance with a role.level attribute.
+            permission: Permission identifier to look up in the database.
+
+        Returns:
+            True if user.role.level >= required level, False otherwise.
+        """
+        with self.execute(
+            f"""
+            SELECT {self.level_column}
+            FROM {self.permission_table}
+            WHERE {self.permission_column} = {self.placeholder}
+            """,
+            (permission,)
+        ) as cursor:
+            row = cursor.fetchone()
+        if not row:
+            return False
+        return user.role.level >= row[0]

pyqt6_scaffold/contrib/auth/role.py

@@ -0,0 +1,29 @@
+# SPDX-License-Identifier: LGPL-3.0-or-later
+
+from enum import Enum
+from dataclasses import dataclass
+
+@dataclass
+class Role:
+    """
+    Represents a user role with a hierarchical access level.
+
+    Attributes:
+        name: Human-readable role name.
+        level: Numeric access level used for permission checks.
+    """
+    name: str
+    level: int
+
+class RoleLevel(Enum):
+    """
+    Predefined access levels for common roles.
+
+    Use these constants when populating the permission table
+    or comparing role levels in application logic.
+    """
+    GUEST = 0
+    CLIENT = 25
+    EMPLOYEE = 50
+    MANAGER = 75
+    ADMIN = 100