Phase 5 of Migration
@@ -129,27 +129,29 @@ async def mqtt_websocket(websocket: WebSocket):
|
||||
|
||||
try:
|
||||
from auth.utils import decode_access_token
|
||||
from shared.firebase import get_db
|
||||
from sqlalchemy import select
|
||||
from database.postgres import AsyncSessionLocal
|
||||
from staff.orm import Staff
|
||||
|
||||
payload = decode_access_token(token)
|
||||
role = payload.get("role", "")
|
||||
|
||||
# sysadmin and admin always have MQTT access
|
||||
if role not in ("sysadmin", "admin"):
|
||||
# Check MQTT permission for editor/user
|
||||
user_sub = payload.get("sub", "")
|
||||
db_inst = get_db()
|
||||
if db_inst:
|
||||
doc = db_inst.collection("admin_users").document(user_sub).get()
|
||||
if doc.exists:
|
||||
perms = doc.to_dict().get("permissions", {})
|
||||
if not perms.get("mqtt", False):
|
||||
await websocket.close(code=4003, reason="MQTT access denied")
|
||||
return
|
||||
else:
|
||||
await websocket.close(code=4003, reason="User not found")
|
||||
return
|
||||
else:
|
||||
await websocket.close(code=4003, reason="Service unavailable")
|
||||
async with AsyncSessionLocal() as session:
|
||||
result = await session.execute(
|
||||
select(Staff).where(Staff.id == user_sub).limit(1)
|
||||
)
|
||||
staff = result.scalar_one_or_none()
|
||||
|
||||
if staff is None:
|
||||
await websocket.close(code=4003, reason="User not found")
|
||||
return
|
||||
|
||||
perms = staff.permissions or {}
|
||||
if not perms.get("mqtt", {}).get("access", False):
|
||||
await websocket.close(code=4003, reason="MQTT access denied")
|
||||
return
|
||||
except Exception:
|
||||
await websocket.close(code=4001, reason="Invalid token")
|
||||
|
||||
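Review bot: The single `except Exception` at the bottom of the hunk now wraps the Postgres lookup as well as the token decode, so a database outage, a timeout or a failed `Staff.id == user_sub` comparison is reported to the client as 4001 "Invalid token", and the "Service unavailable" distinction the replaced Firebase branch made is lost. The close in that handler is also not followed by a `return` inside the hunk; if `mqtt_websocket` continues past it (the function body extends beyond the hunk), a failed authentication would fall through to whatever follows instead of stopping the handler. The new permission shape `perms.get("mqtt", {}).get("access", False)` will raise if a migrated row still stores `mqtt` as a bare boolean the way the removed `perms.get("mqtt", False)` check expected, and that AttributeError would likewise surface as an invalid token. I would narrow the `try` to `decode_access_token`, return after every close, and catch database failures separately with their own close code, as sketched below.
```python
    # … unchanged: function-scope imports …
    try:
        payload = decode_access_token(token)
    except Exception:
        await websocket.close(code=4001, reason="Invalid token")
        return

    role = payload.get("role", "")
    # sysadmin and admin always have MQTT access
    if role not in ("sysadmin", "admin"):
        user_sub = payload.get("sub", "")
        try:
            async with AsyncSessionLocal() as session:
                # … unchanged: Staff lookup, "User not found" / "MQTT access denied" closes …
                pass
        except Exception:
            # DB failure is not a token problem; tell the client (and the logs) so
            await websocket.close(code=1011, reason="Service unavailable")
            return
```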