Added Roles and Permissions. Some minor UI fixes

backend/auth/dependencies.py

@@ -4,6 +4,7 @@ from jose import JWTError
 from auth.utils import decode_access_token
 from auth.models import TokenPayload, Role
 from shared.exceptions import AuthenticationError, AuthorizationError
+from shared.firebase import get_db
 
 security = HTTPBearer()
 
@@ -28,7 +29,7 @@ def require_roles(*allowed_roles: Role):
     async def role_checker(
         current_user: TokenPayload = Depends(get_current_user),
     ) -> TokenPayload:
-        if current_user.role == Role.superadmin:
+        if current_user.role == Role.sysadmin:
             return current_user
         if current_user.role not in [r.value for r in allowed_roles]:
             raise AuthorizationError()
@@ -36,12 +37,63 @@ def require_roles(*allowed_roles: Role):
     return role_checker
 
 
+async def _get_user_permissions(user: TokenPayload) -> dict:
+    """Fetch permissions from Firestore for the given user."""
+    if user.role in (Role.sysadmin, Role.admin):
+        return None  # Full access
+    db = get_db()
+    if not db:
+        raise AuthorizationError()
+    doc = db.collection("admin_users").document(user.sub).get()
+    if not doc.exists:
+        raise AuthorizationError()
+    data = doc.to_dict()
+    return data.get("permissions")
+
+
+def require_permission(section: str, action: str):
+    """Check granular permission for a section and action.
+    section: 'melodies', 'devices', 'app_users', 'equipment', 'mqtt'
+    action: 'view', 'add', 'edit', 'delete' (or ignored for mqtt)
+    """
+    async def permission_checker(
+        current_user: TokenPayload = Depends(get_current_user),
+    ) -> TokenPayload:
+        # sysadmin and admin have full access
+        if current_user.role in (Role.sysadmin, Role.admin):
+            return current_user
+
+        permissions = await _get_user_permissions(current_user)
+        if not permissions:
+            raise AuthorizationError()
+
+        if section == "mqtt":
+            if not permissions.get("mqtt", False):
+                raise AuthorizationError()
+            return current_user
+
+        section_perms = permissions.get(section)
+        if not section_perms:
+            raise AuthorizationError()
+
+        if isinstance(section_perms, dict):
+            if not section_perms.get(action, False):
+                raise AuthorizationError()
+        else:
+            raise AuthorizationError()
+
+        return current_user
+    return permission_checker
+
+
 # Pre-built convenience dependencies
-require_superadmin = require_roles(Role.superadmin)
-require_melody_access = require_roles(Role.superadmin, Role.melody_editor)
-require_device_access = require_roles(Role.superadmin, Role.device_manager)
-require_user_access = require_roles(Role.superadmin, Role.user_manager)
-require_viewer = require_roles(
-    Role.superadmin, Role.melody_editor, Role.device_manager,
-    Role.user_manager, Role.viewer,
+require_sysadmin = require_roles(Role.sysadmin)
+require_admin_or_above = require_roles(Role.sysadmin, Role.admin)
+
+# Staff management: only sysadmin and admin
+require_staff_management = require_roles(Role.sysadmin, Role.admin)
+
+# Viewer-level: any authenticated user (actual permission check per-action)
+require_any_authenticated = require_roles(
+    Role.sysadmin, Role.admin, Role.editor, Role.user,
 )