# backend/cli_commands.py
"""
Flask CLI commands for user management and system initialization
"""
import logging
import sys

import click
from flask.cli import with_appcontext

from models import db
from models.user import User
from models.role import Role
from models.permission import Permission
from models.role_permissions import RolePermission
from models.user_role import UserRole

# Module-level logger shared by every command in this file.
logger = logging.getLogger(name=__name__)

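@click.command('create-super-admin')
@click.option('--email', prompt='Email', help='Super admin email')
@click.option('--username', prompt='Username', default=None, help='Super admin username')
@click.option('--password', prompt=True, hide_input=True, confirmation_prompt=True, help='Super admin password')
@click.option('--first-name', prompt='First Name', default='Super', help='First name')
@click.option('--last-name', prompt='Last Name', default='Admin', help='Last name')
@with_appcontext
def create_super_admin(email, username, password, first_name, last_name):
    """Create a super admin user and grant the super_admin role every permission.

    Creates the ``super_admin`` role if it does not exist, creates the user,
    links the two with a UserRole row and adds an allowed RolePermission row
    for every Permission the role does not already have. Everything is
    written in a single transaction: any failure rolls the session back,
    logs the traceback and exits with status 1 (as does an already
    registered email) so provisioning scripts can detect it.

    Args:
        email: Login email; must not already be registered.
        username: Username; defaults to the local part of ``email``.
        password: Plaintext password, stored through ``User.set_password``.
            Prefer the interactive prompt over ``--password``: a value passed
            on the command line is visible in shell history and process lists.
        first_name: First name (default "Super").
        last_name: Last name (default "Admin").
    """
    try:
        if User.query.filter_by(email=email).first():
            click.echo(f'[ERROR] User with email {email} already exists')
            sys.exit(1)

        # Derive the username from the email's local part when none was given
        if not username:
            username = email.split('@')[0]

        super_admin_role = Role.query.filter_by(name='super_admin').first()
        if not super_admin_role:
            super_admin_role = Role(
                name='super_admin',
                display_name='Super Administrator',
                description='System-wide super administrator with all permissions',
                level=100,
                scope='system',
                is_system_role=True
            )
            db.session.add(super_admin_role)
            # Flush so the new role has an id for the rows created below
            db.session.flush()
            click.echo('[OK] Created super_admin role')

        user = User(
            username=username,
            email=email,
            first_name=first_name,
            last_name=last_name,
            role='super_admin',
            status='active'
        )
        user.set_password(password)
        db.session.add(user)
        # Flush to obtain user.id for the UserRole row
        db.session.flush()

        # The first super admin has nobody else to attribute the grant to,
        # so the assignment is recorded as self-assigned.
        db.session.add(UserRole(
            user_id=user.id,
            role_id=super_admin_role.id,
            assigned_by_id=user.id,
            assigned_by_username=username
        ))

        # One query for the role's current grants instead of one per
        # permission; existing rows (allowed or not) are left untouched.
        granted_ids = {
            rp.permission_id
            for rp in RolePermission.query.filter_by(role_id=super_admin_role.id).all()
        }
        assigned_count = 0
        for perm in Permission.query.all():
            if perm.id in granted_ids:
                continue
            db.session.add(RolePermission(
                role_id=super_admin_role.id,
                permission_id=perm.id,
                is_allowed=True
            ))
            assigned_count += 1

        db.session.commit()

        click.echo('[OK] Super admin created successfully!')
        click.echo(f'   ID: {user.id}')
        click.echo(f'   Email: {user.email}')
        click.echo(f'   Username: {user.username}')
        click.echo('   Role: super_admin')
        click.echo(f'   Permissions assigned to role: {assigned_count}')

    except Exception as e:
        db.session.rollback()
        # logger.exception keeps the traceback that logger.error(f"...") dropped
        logger.exception("Error creating super admin: %s", e)
        click.echo(f'[ERROR] Error: {str(e)}')
        sys.exit(1)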


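# Fixture accounts seeded by `flask create-test-users`. The passwords are
# committed to source control, so these accounts are only suitable for
# local development and test databases.
_TEST_USERS = [
    {
        'username': 'admin_user',
        'email': 'admin@example.com',
        'password': 'Admin123!',
        'first_name': 'Admin',
        'last_name': 'User',
        'role': 'admin'
    },
    {
        'username': 'manager_user',
        'email': 'manager@example.com',
        'password': 'Manager123!',
        'first_name': 'Manager',
        'last_name': 'User',
        'role': 'manager'
    },
    {
        'username': 'project_manager',
        'email': 'pm@example.com',
        'password': 'PM123!',
        'first_name': 'Project',
        'last_name': 'Manager',
        'role': 'project_manager'
    },
    {
        'username': 'consultant1',
        'email': 'consultant1@example.com',
        'password': 'Consult123!',
        'first_name': 'John',
        'last_name': 'Consultant',
        'role': 'consultant'
    },
    {
        'username': 'consultant2',
        'email': 'consultant2@example.com',
        'password': 'Consult123!',
        'first_name': 'Jane',
        'last_name': 'Consultant',
        'role': 'consultant'
    },
    {
        'username': 'intern_user',
        'email': 'intern@example.com',
        'password': 'Intern123!',
        'first_name': 'Intern',
        'last_name': 'User',
        'role': 'intern'
    },
    {
        'username': 'client_user',
        'email': 'client@example.com',
        'password': 'Client123!',
        'first_name': 'Client',
        'last_name': 'User',
        'role': 'client_user'
    }
]


@click.command('create-test-users')
@click.option('--company-id', default=1, help='Company ID to assign users to')
@with_appcontext
def create_test_users(company_id):
    """Create the fixture users in ``_TEST_USERS`` and assign their roles.

    Development/test aid only: every account uses a password that is visible
    in this file, so running it against a production database creates
    privileged accounts (the first fixture is an ``admin``) with known
    credentials.

    A fixture is skipped when a user with the same email or username already
    exists, or when its role has not been created (run ``flask init-rbac``
    first). UserRole rows are attributed to the first super_admin user when
    one exists, otherwise to user id 1 / 'system' as before. All users are
    committed together; on failure the session is rolled back, the traceback
    logged and the exit status is 1.

    Args:
        company_id: Company the fixture users are attached to (default 1).
    """
    try:
        # Attribute the assignments to an actual super admin when one exists
        # instead of assuming that user id 1 is the super admin.
        assigner = User.query.filter_by(role='super_admin').order_by(User.id).first()
        assigned_by_id = assigner.id if assigner else 1
        assigned_by_username = assigner.username if assigner else 'system'

        created = []
        skipped = []

        for user_data in _TEST_USERS:
            # Checking only the email let a username clash abort the whole
            # batch with an integrity error at commit time.
            clash = (
                User.query.filter_by(email=user_data['email']).first()
                or User.query.filter_by(username=user_data['username']).first()
            )
            if clash:
                skipped.append(user_data['username'])
                continue

            role = Role.query.filter_by(name=user_data['role']).first()
            if not role:
                click.echo(f"[WARNING] Role {user_data['role']} not found, skipping...")
                continue

            user = User(
                username=user_data['username'],
                email=user_data['email'],
                first_name=user_data['first_name'],
                last_name=user_data['last_name'],
                role=user_data['role'],
                status='active',
                company_id=company_id
            )
            user.set_password(user_data['password'])
            db.session.add(user)
            # Flush to obtain user.id for the UserRole row
            db.session.flush()

            db.session.add(UserRole(
                user_id=user.id,
                role_id=role.id,
                assigned_by_id=assigned_by_id,
                assigned_by_username=assigned_by_username
            ))
            created.append(user_data['username'])

        db.session.commit()

        click.echo(f'[OK] Created users: {", ".join(created)}')
        if skipped:
            click.echo(f' Skipped existing users: {", ".join(skipped)}')

    except Exception as e:
        db.session.rollback()
        logger.exception("Error creating test users: %s", e)
        click.echo(f'[ERROR] Error: {str(e)}')
        sys.exit(1)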


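@click.command('list-users')
@with_appcontext
def list_users():
    """Print a fixed-width table of every user: id, username, email, role, status.

    Read-only. Nullable text columns are rendered as empty cells; formatting
    ``None`` with a width specifier would otherwise raise TypeError and abort
    the whole listing. Errors are logged with their traceback and exit with
    status 1.
    """
    try:
        users = User.query.all()
        if not users:
            click.echo('No users found')
            return

        rule = '=' * 80
        click.echo('\n[LIST] Users:')
        click.echo(rule)
        click.echo(f"{'ID':<5} {'Username':<15} {'Email':<25} {'Role':<15} {'Status':<10}")
        click.echo(rule)

        for user in users:
            click.echo(
                f"{user.id:<5} {user.username or '':<15} {user.email or '':<25} "
                f"{user.role or '':<15} {user.status or '':<10}"
            )

        click.echo(rule)
        click.echo(f'Total: {len(users)} users')

    except Exception as e:
        logger.exception("Error listing users: %s", e)
        click.echo(f'[ERROR] Error: {str(e)}')
        sys.exit(1)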


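@click.command('assign-role')
@click.option('--user-id', prompt='User ID', type=int, help='User ID')
@click.option('--role-name', prompt='Role Name', help='Role name to assign')
@click.option('--assigned-by-id', default=1, type=int, show_default=True,
              help='User ID recorded as the assigner in the UserRole row')
@with_appcontext
def assign_role_to_user(user_id, role_name, assigned_by_id=1):
    """Assign ``role_name`` to user ``user_id`` through an active UserRole row.

    Exits with status 1 when the user or role does not exist; does nothing
    (status 0) when the user already holds the role actively. The row records
    who made the grant: ``--assigned-by-id`` (default 1, the historical
    assumption that the first user is the super admin) together with that
    user's username, or 'system' when no user with that id exists. On
    failure the session is rolled back and the traceback logged.

    Args:
        user_id: Id of the user receiving the role.
        role_name: ``Role.name`` to assign.
        assigned_by_id: User id stored as the assigner for audit purposes.
    """
    try:
        user = User.query.get(user_id)
        if not user:
            click.echo(f'[ERROR] User {user_id} not found')
            sys.exit(1)

        role = Role.query.filter_by(name=role_name).first()
        if not role:
            click.echo(f'[ERROR] Role {role_name} not found')
            sys.exit(1)

        # Only an active assignment counts; an inactive one gets a fresh row
        already_active = UserRole.query.filter_by(
            user_id=user_id,
            role_id=role.id,
            is_active=True
        ).first()
        if already_active:
            click.echo(f'[WARNING] User already has role {role_name}')
            return

        # Record the real assigner when the id resolves, so the audit trail
        # does not attribute every CLI grant to 'system'.
        assigner = User.query.get(assigned_by_id)
        db.session.add(UserRole(
            user_id=user_id,
            role_id=role.id,
            assigned_by_id=assigned_by_id,
            assigned_by_username=assigner.username if assigner else 'system'
        ))
        db.session.commit()

        click.echo(f'[OK] Role {role_name} assigned to user {user.username}')

    except Exception as e:
        db.session.rollback()
        logger.exception("Error assigning role: %s", e)
        click.echo(f'[ERROR] Error: {str(e)}')
        sys.exit(1)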


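def _echo_role_permissions(role, limit=10):
    """Echo one role header line and up to ``limit`` of its allowed permissions.

    Lists the role's RolePermission rows with ``is_allowed=True``; when there
    are more than ``limit`` only a count of the remainder is printed.
    """
    click.echo(f"   • {role.display_name} ({role.name}) - Level: {role.level}")
    perms = RolePermission.query.filter_by(role_id=role.id, is_allowed=True).all()
    if not perms:
        return
    click.echo(f"     Permissions ({len(perms)}):")
    for rp in perms[:limit]:
        perm = rp.permission
        click.echo(f"       - {perm.resource}:{perm.action}")
    if len(perms) > limit:
        click.echo(f"       ... and {len(perms) - limit} more")


@click.command('check-permissions')
@click.option('--user-id', prompt='User ID', type=int, help='User ID to check')
@with_appcontext
def check_user_permissions(user_id):
    """Print a user's active roles, their allowed permissions and a summary
    of the user's effective permissions grouped by resource.

    Read-only. When the User model exposes ``permissions`` (assumed to be an
    iterable of 'resource:action' strings; entries without ':' are ignored
    in the grouping but still counted in the total) the effective
    permissions are summarised per resource. Exits with status 1 when the
    user does not exist or an error occurs.

    Args:
        user_id: Id of the user to inspect.
    """
    try:
        user = User.query.get(user_id)
        if not user:
            click.echo(f'[ERROR] User {user_id} not found')
            sys.exit(1)

        click.echo(f'\n[SEARCH] Permission Check for: {user.username} ({user.email})')
        click.echo('=' * 60)

        user_roles = UserRole.query.filter_by(user_id=user_id, is_active=True).all()
        if user_roles:
            click.echo('\n Active Roles:')
            for ur in user_roles:
                _echo_role_permissions(ur.role)
        else:
            click.echo('[WARNING] No active roles assigned')

        if hasattr(user, 'permissions'):
            all_perms = user.permissions
            click.echo(f'\n[LIST] Total Effective Permissions: {len(all_perms)}')

            by_resource = {}
            for perm in all_perms:
                if ':' in perm:
                    resource, action = perm.split(':', 1)
                    by_resource.setdefault(resource, []).append(action)

            click.echo('\n Permission Summary by Resource:')
            for resource, actions in sorted(by_resource.items()):
                click.echo(f"   • {resource}: {len(actions)} actions")

    except Exception as e:
        logger.exception("Error checking permissions: %s", e)
        click.echo(f'[ERROR] Error: {str(e)}')
        sys.exit(1)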


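# Permission catalogue seeded by `flask init-rbac`; a permission is identified
# by its (resource, action) pair and 'name' is its display label.
_DEFAULT_PERMISSIONS = [
    # Auth permissions
    {'resource': 'auth', 'action': 'view_profile', 'name': 'View Profile'},
    {'resource': 'auth', 'action': 'update_profile', 'name': 'Update Profile'},
    {'resource': 'auth', 'action': 'logout', 'name': 'Logout'},
    {'resource': 'auth', 'action': 'verify_token', 'name': 'Verify Token'},
    {'resource': 'auth', 'action': 'change_password', 'name': 'Change Password'},
    {'resource': 'auth', 'action': 'view_sessions', 'name': 'View Sessions'},

    # User permissions
    {'resource': 'user', 'action': 'read', 'name': 'View Users'},
    {'resource': 'user', 'action': 'create', 'name': 'Create Users'},
    {'resource': 'user', 'action': 'update', 'name': 'Update Users'},
    {'resource': 'user', 'action': 'delete', 'name': 'Delete Users'},
    {'resource': 'user', 'action': 'manage', 'name': 'Manage Users'},
    {'resource': 'user', 'action': 'view_all', 'name': 'View All Users'},
    {'resource': 'user', 'action': 'read_stats', 'name': 'View User Stats'},
    {'resource': 'user', 'action': 'batch_import', 'name': 'Batch Import Users'},

    # Project permissions
    {'resource': 'project', 'action': 'read', 'name': 'View Projects'},
    {'resource': 'project', 'action': 'create', 'name': 'Create Projects'},
    {'resource': 'project', 'action': 'update', 'name': 'Update Projects'},
    {'resource': 'project', 'action': 'delete', 'name': 'Delete Projects'},
    {'resource': 'project', 'action': 'manage', 'name': 'Manage Projects'},

    # Time Log permissions
    {'resource': 'time_log', 'action': 'read', 'name': 'View Time Logs'},
    {'resource': 'time_log', 'action': 'create', 'name': 'Create Time Logs'},
    {'resource': 'time_log', 'action': 'update', 'name': 'Update Time Logs'},
    {'resource': 'time_log', 'action': 'delete', 'name': 'Delete Time Logs'},
    {'resource': 'time_log', 'action': 'update_own', 'name': 'Update Own Logs'},
    {'resource': 'time_log', 'action': 'delete_own', 'name': 'Delete Own Logs'},
    {'resource': 'time_log', 'action': 'view_team', 'name': 'View Team Logs'},
    {'resource': 'time_log', 'action': 'view_all', 'name': 'View All Logs'},
    {'resource': 'time_log', 'action': 'read_stats', 'name': 'View Time Stats'},
    {'resource': 'time_log', 'action': 'manage', 'name': 'Manage Time Logs'},

    # Client permissions
    {'resource': 'client', 'action': 'read', 'name': 'View Clients'},
    {'resource': 'client', 'action': 'create', 'name': 'Create Clients'},
    {'resource': 'client', 'action': 'update', 'name': 'Update Clients'},
    {'resource': 'client', 'action': 'delete', 'name': 'Delete Clients'},
    {'resource': 'client', 'action': 'manage', 'name': 'Manage Clients'},
    {'resource': 'client', 'action': 'read_stats', 'name': 'View Client Stats'},

    # Budget permissions
    {'resource': 'budget', 'action': 'read', 'name': 'View Budgets'},
    {'resource': 'budget', 'action': 'create', 'name': 'Create Budgets'},
    {'resource': 'budget', 'action': 'update', 'name': 'Update Budgets'},
    {'resource': 'budget', 'action': 'delete', 'name': 'Delete Budgets'},
    {'resource': 'budget', 'action': 'manage', 'name': 'Manage Budgets'},
    {'resource': 'budget', 'action': 'read_alerts', 'name': 'View Budget Alerts'},
    {'resource': 'budget', 'action': 'manage_alerts', 'name': 'Manage Budget Alerts'},
    {'resource': 'budget', 'action': 'read_history', 'name': 'View Budget History'},
    {'resource': 'budget', 'action': 'view_dashboard', 'name': 'View Budget Dashboard'},
    {'resource': 'budget', 'action': 'read_forecast', 'name': 'View Forecasts'},
    {'resource': 'budget', 'action': 'create_forecast', 'name': 'Create Forecasts'},
    {'resource': 'budget', 'action': 'read_all', 'name': 'View All Budgets'},

    # Team permissions
    {'resource': 'team', 'action': 'view_my_team', 'name': 'View My Team'},
    {'resource': 'team', 'action': 'assign_consultant', 'name': 'Assign Consultants'},
    {'resource': 'team', 'action': 'unassign_consultant', 'name': 'Unassign Consultants'},
    {'resource': 'team', 'action': 'view_clients', 'name': 'View Team Clients'},
    {'resource': 'team', 'action': 'assign_client', 'name': 'Assign Clients'},
    {'resource': 'team', 'action': 'view_projects', 'name': 'View Team Projects'},
    {'resource': 'team', 'action': 'assign_project', 'name': 'Assign Projects'},
    {'resource': 'team', 'action': 'view_stats', 'name': 'View Team Stats'},
    {'resource': 'team', 'action': 'view_company_structure', 'name': 'View Company Structure'},
    {'resource': 'team', 'action': 'view_assignments', 'name': 'View Assignments'},
    {'resource': 'team', 'action': 'manage', 'name': 'Manage Team'},

    # HR permissions
    {'resource': 'hr_consultation', 'action': 'read', 'name': 'View Consultations'},
    {'resource': 'hr_consultation', 'action': 'create', 'name': 'Create Consultations'},
    {'resource': 'hr_consultation', 'action': 'update', 'name': 'Update Consultations'},
    {'resource': 'hr_consultation', 'action': 'delete', 'name': 'Delete Consultations'},
    {'resource': 'hr_consultation', 'action': 'update_status', 'name': 'Update Consultation Status'},
    {'resource': 'hr_consultation', 'action': 'manage', 'name': 'Manage Consultations'},

    {'resource': 'recruitment', 'action': 'read', 'name': 'View Recruitment'},
    {'resource': 'recruitment', 'action': 'create', 'name': 'Create Recruitment'},
    {'resource': 'recruitment', 'action': 'update', 'name': 'Update Recruitment'},
    {'resource': 'recruitment', 'action': 'delete', 'name': 'Delete Recruitment'},
    {'resource': 'recruitment', 'action': 'match_candidates', 'name': 'Match Candidates'},

    # Analytics permissions
    {'resource': 'analytics', 'action': 'view_utilization', 'name': 'View Utilization'},
    {'resource': 'analytics', 'action': 'view_projects', 'name': 'View Project Analytics'},
    {'resource': 'analytics', 'action': 'view_clients', 'name': 'View Client Analytics'},
    {'resource': 'analytics', 'action': 'view_financial', 'name': 'View Financial Analytics'},
    {'resource': 'analytics', 'action': 'view_time_trends', 'name': 'View Time Trends'},
    {'resource': 'analytics', 'action': 'manage_reports', 'name': 'Manage Reports'},
    {'resource': 'analytics', 'action': 'view_all', 'name': 'View All Analytics'},

    # Chart permissions
    {'resource': 'chart', 'action': 'view_utilization', 'name': 'View Utilization Charts'},
    {'resource': 'chart', 'action': 'view_project_distribution', 'name': 'View Project Distribution'},
    {'resource': 'chart', 'action': 'view_team_performance', 'name': 'View Team Performance'},
    {'resource': 'chart', 'action': 'view_financial', 'name': 'View Financial Charts'},
    {'resource': 'chart', 'action': 'view_dashboard', 'name': 'View Dashboard Charts'},

    # Report permissions
    {'resource': 'report', 'action': 'generate_productivity', 'name': 'Generate Productivity Reports'},
    {'resource': 'report', 'action': 'generate_project_health', 'name': 'Generate Project Health'},
    {'resource': 'report', 'action': 'generate_utilization', 'name': 'Generate Utilization Reports'},
    {'resource': 'report', 'action': 'generate_financial', 'name': 'Generate Financial Reports'},
    {'resource': 'report', 'action': 'generate_custom', 'name': 'Generate Custom Reports'},
    {'resource': 'report', 'action': 'schedule', 'name': 'Schedule Reports'},
    {'resource': 'report', 'action': 'view_scheduled', 'name': 'View Scheduled Reports'},

    # Export permissions
    {'resource': 'export', 'action': 'csv', 'name': 'Export CSV'},
    {'resource': 'export', 'action': 'excel', 'name': 'Export Excel'},
    {'resource': 'export', 'action': 'pdf', 'name': 'Export PDF'},
    {'resource': 'export', 'action': 'json', 'name': 'Export JSON'},
    {'resource': 'export', 'action': 'project_report', 'name': 'Export Project Reports'},
    {'resource': 'export', 'action': 'client_report', 'name': 'Export Client Reports'},
    {'resource': 'export', 'action': 'user_summary', 'name': 'Export User Summaries'},

    # Search permissions
    {'resource': 'search', 'action': 'global', 'name': 'Global Search'},
    {'resource': 'search', 'action': 'advanced', 'name': 'Advanced Search'},
    {'resource': 'search', 'action': 'suggest', 'name': 'Search Suggestions'},
    {'resource': 'search', 'action': 'search_projects', 'name': 'Search Projects'},
    {'resource': 'search', 'action': 'search_clients', 'name': 'Search Clients'},
    {'resource': 'search', 'action': 'search_users', 'name': 'Search Users'},
    {'resource': 'search', 'action': 'search_time_logs', 'name': 'Search Time Logs'},

    # Notification permissions
    {'resource': 'notifications', 'action': 'view', 'name': 'View Notifications'},
    {'resource': 'notifications', 'action': 'mark_read', 'name': 'Mark Read'},
    {'resource': 'notifications', 'action': 'archive', 'name': 'Archive Notifications'},
    {'resource': 'notifications', 'action': 'delete', 'name': 'Delete Notifications'},
    {'resource': 'notifications', 'action': 'view_preferences', 'name': 'View Preferences'},
    {'resource': 'notifications', 'action': 'update_preferences', 'name': 'Update Preferences'},

    # Calendar permissions
    {'resource': 'calendar', 'action': 'view_events', 'name': 'View Calendar Events'},
    {'resource': 'calendar', 'action': 'create_events', 'name': 'Create Events'},
    {'resource': 'calendar', 'action': 'update_events', 'name': 'Update Events'},
    {'resource': 'calendar', 'action': 'delete_events', 'name': 'Delete Events'},
    {'resource': 'calendar', 'action': 'view_sources', 'name': 'View Calendar Sources'},
    {'resource': 'calendar', 'action': 'create_sources', 'name': 'Create Sources'},
    {'resource': 'calendar', 'action': 'sync_sources', 'name': 'Sync Sources'},
    {'resource': 'calendar', 'action': 'convert_to_log', 'name': 'Convert to Time Log'},

    # Master Data permissions
    {'resource': 'master_data', 'action': 'read_currencies', 'name': 'View Currencies'},
    {'resource': 'master_data', 'action': 'create_currencies', 'name': 'Create Currencies'},
    {'resource': 'master_data', 'action': 'read_countries', 'name': 'View Countries'},
    {'resource': 'master_data', 'action': 'read_languages', 'name': 'View Languages'},
    {'resource': 'master_data', 'action': 'read_timezones', 'name': 'View Timezones'},
    {'resource': 'master_data', 'action': 'read_staff_grades', 'name': 'View Staff Grades'},
    {'resource': 'master_data', 'action': 'create_staff_grades', 'name': 'Create Staff Grades'},
    {'resource': 'master_data', 'action': 'bulk_upload', 'name': 'Bulk Upload Master Data'},

    # Admin permissions
    {'resource': 'admin', 'action': 'view_stats', 'name': 'View System Stats'},
    {'resource': 'admin', 'action': 'view_audit_log', 'name': 'View Audit Log'},
    {'resource': 'admin', 'action': 'export_audit_log', 'name': 'Export Audit Log'},
    {'resource': 'admin', 'action': 'view_companies', 'name': 'View Companies'},
    {'resource': 'admin', 'action': 'manage_companies', 'name': 'Manage Companies'},
    {'resource': 'admin', 'action': 'manage_subscriptions', 'name': 'Manage Subscriptions'},
    {'resource': 'admin', 'action': 'view_system_health', 'name': 'View System Health'},
    {'resource': 'admin', 'action': 'run_maintenance', 'name': 'Run Maintenance'},
    {'resource': 'admin', 'action': 'view_transactions', 'name': 'View Transactions'},
    {'resource': 'admin', 'action': 'process_refunds', 'name': 'Process Refunds'},

    # Payment permissions
    {'resource': 'payment', 'action': 'view_transactions', 'name': 'View Transactions'},
    {'resource': 'payment', 'action': 'create_payment', 'name': 'Create Payments'},
    {'resource': 'payment', 'action': 'process_refund', 'name': 'Process Refunds'},
    {'resource': 'payment', 'action': 'view_payment_methods', 'name': 'View Payment Methods'},
    {'resource': 'payment', 'action': 'add_payment_method', 'name': 'Add Payment Methods'},
    {'resource': 'payment', 'action': 'generate_invoice', 'name': 'Generate Invoices'},
    {'resource': 'payment', 'action': 'view_invoices', 'name': 'View Invoices'},
    {'resource': 'payment', 'action': 'view_stats', 'name': 'View Payment Stats'},

    # Dashboard permissions
    {'resource': 'dashboard', 'action': 'view_executive', 'name': 'View Executive Dashboard'},
    {'resource': 'dashboard', 'action': 'view_project_performance', 'name': 'View Project Performance'},
    {'resource': 'dashboard', 'action': 'view_team', 'name': 'View Team Dashboard'},
    {'resource': 'dashboard', 'action': 'view_personal', 'name': 'View Personal Dashboard'},
    {'resource': 'dashboard', 'action': 'view_client', 'name': 'View Client Dashboard'},

    # Service permissions
    {'resource': 'service', 'action': 'view_status', 'name': 'View Service Status'},
    {'resource': 'service', 'action': 'view_alerts', 'name': 'View Service Alerts'},
    {'resource': 'service', 'action': 'view_history', 'name': 'View Service History'},
    {'resource': 'service', 'action': 'trigger_update', 'name': 'Trigger Service Update'},
    {'resource': 'service', 'action': 'restart', 'name': 'Restart Services'},
    {'resource': 'service', 'action': 'view_logs', 'name': 'View Service Logs'},
    {'resource': 'service', 'action': 'configure', 'name': 'Configure Services'},
]

# Default roles, highest privilege first. 'level' orders roles; 'scope' names
# the boundary a role applies within; only super_admin is a system role.
_DEFAULT_ROLES = [
    {
        'name': 'super_admin',
        'display_name': 'Super Administrator',
        'description': 'System-wide super administrator with all permissions',
        'level': 100,
        'scope': 'system',
        'is_system_role': True
    },
    {
        'name': 'admin',
        'display_name': 'Company Administrator',
        'description': 'Company administrator with full company access',
        'level': 90,
        'scope': 'company',
        'is_system_role': False
    },
    {
        'name': 'manager',
        'display_name': 'Manager',
        'description': 'Department/team manager',
        'level': 70,
        'scope': 'company',
        'is_system_role': False
    },
    {
        'name': 'project_manager',
        'display_name': 'Project Manager',
        'description': 'Manages specific projects',
        'level': 60,
        'scope': 'project',
        'is_system_role': False
    },
    {
        'name': 'team_lead',
        'display_name': 'Team Lead',
        'description': 'Leads a specific team',
        'level': 50,
        'scope': 'team',
        'is_system_role': False
    },
    {
        'name': 'consultant',
        'display_name': 'Consultant',
        'description': 'Regular consultant',
        'level': 30,
        'scope': 'user',
        'is_system_role': False
    },
    {
        'name': 'engineer',
        'display_name': 'Engineer',
        'description': 'Technical staff',
        'level': 30,
        'scope': 'user',
        'is_system_role': False
    },
    {
        'name': 'intern',
        'display_name': 'Intern',
        'description': 'Intern with limited access',
        'level': 10,
        'scope': 'user',
        'is_system_role': False
    },
    {
        'name': 'client_user',
        'display_name': 'Client User',
        'description': 'Client portal user',
        'level': 5,
        'scope': 'client',
        'is_system_role': False
    }
]

# Resources whose permissions (every action, including 'delete' and
# 'manage') are granted to the company 'admin' role. Anything outside this
# list — e.g. 'admin', 'payment', 'service' — stays with super_admin only.
_ADMIN_RESOURCES = ['user', 'project', 'client', 'budget', 'team', 'analytics']


def _grant_permissions(role, permissions):
    """Add an allowed RolePermission row for each of ``permissions`` the role lacks.

    Rows that already exist for the role are left untouched, whether they are
    allowed or not. Rows are added to the session but not committed.

    Returns:
        The number of rows added.
    """
    # One query for the role's current grants instead of one per permission
    granted_ids = {
        rp.permission_id
        for rp in RolePermission.query.filter_by(role_id=role.id).all()
    }
    added = 0
    for perm in permissions:
        if perm.id in granted_ids:
            continue
        db.session.add(RolePermission(
            role_id=role.id,
            permission_id=perm.id,
            is_allowed=True
        ))
        added += 1
    return added


@click.command('init-rbac')
@with_appcontext
def init_rbac_system():
    """Seed the RBAC tables with the default permissions, roles and grants.

    Idempotent: permissions, roles and RolePermission rows that already exist
    are skipped, so the command can be re-run after adding entries to
    ``_DEFAULT_PERMISSIONS`` or ``_DEFAULT_ROLES``. The super_admin role is
    granted every permission in the table; the admin role is granted every
    permission whose resource is in ``_ADMIN_RESOURCES``.

    Each stage commits on its own, so a failure in a later stage leaves the
    earlier stages' rows in place (a re-run completes the rest). On failure
    the current session is rolled back, the traceback logged and the exit
    status is 1.
    """
    try:
        click.echo('[ROCKET] Initializing RBAC System...')

        # Permissions: one query for the existing (resource, action) pairs
        existing_pairs = {
            (perm.resource, perm.action) for perm in Permission.query.all()
        }
        created_perms = 0
        for perm_data in _DEFAULT_PERMISSIONS:
            if (perm_data['resource'], perm_data['action']) in existing_pairs:
                continue
            db.session.add(Permission(**perm_data))
            created_perms += 1
        db.session.commit()
        click.echo(f'[OK] Created {created_perms} new permissions')

        # Roles
        existing_role_names = {role.name for role in Role.query.all()}
        created_roles = 0
        for role_data in _DEFAULT_ROLES:
            if role_data['name'] in existing_role_names:
                continue
            db.session.add(Role(**role_data))
            created_roles += 1
        db.session.commit()
        click.echo(f'[OK] Created {created_roles} new roles')

        # super_admin gets everything
        super_admin = Role.query.filter_by(name='super_admin').first()
        if super_admin:
            assigned = _grant_permissions(super_admin, Permission.query.all())
            db.session.commit()
            click.echo(f'[OK] Assigned {assigned} permissions to super_admin role')

        # admin gets the company-scoped resources only
        admin_role = Role.query.filter_by(name='admin').first()
        if admin_role:
            admin_perms = Permission.query.filter(
                Permission.resource.in_(_ADMIN_RESOURCES)
            ).all()
            assigned = _grant_permissions(admin_role, admin_perms)
            db.session.commit()
            click.echo(f'[OK] Assigned {assigned} permissions to admin role')

        click.echo('\n[CELEBRATE] RBAC System initialized successfully!')
        click.echo('\nNext steps:')
        click.echo('1. Create a super admin user: flask create-super-admin')
        click.echo('2. Create test users: flask create-test-users')
        click.echo('3. Check permissions: flask check-permissions --user-id 1')

    except Exception as e:
        db.session.rollback()
        logger.exception("Error initializing RBAC: %s", e)
        click.echo(f'[ERROR] Error: {str(e)}')
        sys.exit(1)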


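@click.command('cleanup-tokens')
@with_appcontext
def cleanup_expired_tokens():
    """Delete expired entries from the token blocklist.

    Delegates to ``TokenBlocklist.cleanup_expired`` and echoes the count it
    returns. The model is imported inside the function, as the original did
    (presumably to avoid an import cycle — confirm before hoisting it). On
    failure the session is rolled back, the traceback logged and the exit
    status is 1, so a scheduled run of this command reports its failure.
    """
    try:
        from models.token_blocklist import TokenBlocklist
        count = TokenBlocklist.cleanup_expired()
        click.echo(f'[OK] Removed {count} expired tokens from blocklist')
    except Exception as e:
        # Harmless if cleanup_expired already committed or never wrote
        db.session.rollback()
        logger.exception("Error cleaning up expired tokens: %s", e)
        click.echo(f'[ERROR] Error: {str(e)}')
        sys.exit(1)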


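@click.command('check-relationships')
@with_appcontext
def check_relationships():
    """Verify that the expected relationships are mapped on selected models.

    Inspects each model's mapper with ``sqlalchemy.inspect`` and prints one
    line per expected relationship name. Exits with status 1 when any is
    missing, so the command can gate a CI job or a deployment script.
    """
    from sqlalchemy import inspect
    # Several of these models are not referenced below. They are imported
    # anyway so that every mapper is registered before inspection (presumed
    # intent of the original import list — confirm before trimming it).
    from models import (
        ServiceBooking, User, Company, TenantDepartment,
        MasterExchangeRate, APIKey, TokenBlocklist, Notification,
        AuditLog, TeamMember, TenantBranding
    )

    models_to_check = [
        (ServiceBooking, ['payments', 'payment_transactions']),
        (User, ['audit_logs', 'notifications', 'revoked_tokens', 'api_logs', 'api_keys']),
        (Company, ['team_members', 'branding', 'api_keys', 'departments']),
        (TenantDepartment, ['children', 'parent']),
        (MasterExchangeRate, ['from_currency', 'to_currency']),
        # Add more models as needed
    ]

    missing = 0
    for model_class, relationships in models_to_check:
        click.echo(f"\n[LIST] Checking {model_class.__name__}:")
        mapped = {rel.key for rel in inspect(model_class).relationships}

        for rel_name in relationships:
            if rel_name in mapped:
                click.echo(f"  [OK] {rel_name}")
            else:
                click.echo(f"  [ERROR] {rel_name} - MISSING")
                missing += 1

    if missing:
        click.echo("\n[ERROR] Some relationships are missing. Add them to your models.")
        sys.exit(1)
    click.echo("\n[OK] All relationships are properly configured!")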


