feat(rbac): auto-sync permission catalog from declared route/plugin guards

2026-03-06 11:30:58 +03:00
parent e7cb5237d3
commit 633c4948f1
4 changed files with 318 additions and 2 deletions
--- a/backend/src/api/routes/admin.py
+++ b/backend/src/api/routes/admin.py
@@ -22,8 +22,12 @@ from ...schemas.auth import (
    ADGroupMappingSchema, ADGroupMappingCreate
 )
 from ...models.auth import User, Role, ADGroupMapping
-from ...dependencies import has_permission
+from ...dependencies import has_permission, get_plugin_loader
 from ...core.logger import logger, belief_scope
+from ...services.rbac_permission_catalog import (
+    discover_declared_permissions,
+    sync_permission_catalog,
+)
 # [/SECTION]

 # [DEF:router:Variable]
@@ -270,9 +274,18 @@ async def delete_role(
@router.get("/permissions", response_model=List[PermissionSchema])
 async def list_permissions(
    db: Session = Depends(get_auth_db),
+    plugin_loader = Depends(get_plugin_loader),
    _ = Depends(has_permission("admin:roles", "READ"))
 ):
    with belief_scope("api.admin.list_permissions"):
+        declared_permissions = discover_declared_permissions(plugin_loader=plugin_loader)
+        inserted_count = sync_permission_catalog(db=db, declared_permissions=declared_permissions)
+        if inserted_count > 0:
+            logger.info(
+                "[api.admin.list_permissions][Action] Synchronized %s missing RBAC permissions into auth catalog",
+                inserted_count,
+            )
+
        repo = AuthRepository(db)
        return repo.list_permissions()
 # [/DEF:list_permissions:Function]