[split-required] Split final batch of monoliths >1000 LOC
Python (6 files in klausur-service):
- rbac.py (1,132 → 4), admin_api.py (1,012 → 4)
- routes/eh.py (1,111 → 4), ocr_pipeline_geometry.py (1,105 → 5)

Python (2 files in backend-lehrer):
- unit_api.py (1,226 → 6), game_api.py (1,129 → 5)

Website (6 page files):
- 4x klausur-korrektur pages (1,249-1,328 LOC each) → shared components in website/components/klausur-korrektur/ (17 shared files)
- companion (1,057 → 10), magic-help (1,017 → 8)

All re-export barrels preserve backward compatibility. Zero import errors verified.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
221
klausur-service/backend/rbac_permissions.py
Normal file
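--- /dev/null
+++ b/klausur-service/backend/rbac_permissions.py
@@ -0,0 +1,221 @@
+"""
+RBAC Permission Matrix
+
+Default role-to-resource permission mappings for
+Klausur-Korrektur and Zeugnis workflows.
+Extracted from rbac.py for file-size compliance.
+"""
+
+from typing import Dict, Set
+
+from rbac_types import Role, Action, ResourceType
+
+
+# =============================================
+# RBAC PERMISSION MATRIX
+# =============================================
+
+# Standard-Berechtigungsmatrix (kann durch Policies ueberschrieben werden)
+DEFAULT_PERMISSIONS: Dict[Role, Dict[ResourceType, Set[Action]]] = {
+    # Erstkorrektor
+    Role.ERSTKORREKTOR: {
+        ResourceType.EXAM_PACKAGE: {Action.READ, Action.UPDATE, Action.SHARE_KEY, Action.LOCK},
+        ResourceType.STUDENT_WORK: {Action.READ, Action.UPDATE},
+        ResourceType.EH_DOCUMENT: {Action.READ, Action.UPLOAD, Action.UPDATE},
+        ResourceType.RUBRIC: {Action.READ, Action.UPDATE},
+        ResourceType.ANNOTATION: {Action.CREATE, Action.READ, Action.UPDATE, Action.DELETE},
+        ResourceType.EVALUATION: {Action.CREATE, Action.READ, Action.UPDATE},
+        ResourceType.REPORT: {Action.CREATE, Action.READ, Action.UPDATE},
+        ResourceType.GRADE_DECISION: {Action.CREATE, Action.READ, Action.UPDATE},
+        ResourceType.EXPORT: {Action.CREATE, Action.READ, Action.DOWNLOAD},
+        ResourceType.AUDIT_LOG: {Action.READ},
+    },
+
+    # Zweitkorrektor (Standard: FULL visibility)
+    Role.ZWEITKORREKTOR: {
+        ResourceType.EXAM_PACKAGE: {Action.READ},
+        ResourceType.STUDENT_WORK: {Action.READ, Action.UPDATE},
+        ResourceType.EH_DOCUMENT: {Action.READ},
+        ResourceType.RUBRIC: {Action.READ},
+        ResourceType.ANNOTATION: {Action.CREATE, Action.READ, Action.UPDATE},
+        ResourceType.EVALUATION: {Action.CREATE, Action.READ, Action.UPDATE},
+        ResourceType.REPORT: {Action.CREATE, Action.READ, Action.UPDATE},
+        ResourceType.GRADE_DECISION: {Action.CREATE, Action.READ, Action.UPDATE},
+        ResourceType.EXPORT: {Action.READ, Action.DOWNLOAD},
+        ResourceType.AUDIT_LOG: {Action.READ},
+    },
+
+    # Drittkorrektor
+    Role.DRITTKORREKTOR: {
+        ResourceType.EXAM_PACKAGE: {Action.READ},
+        ResourceType.STUDENT_WORK: {Action.READ, Action.UPDATE},
+        ResourceType.EH_DOCUMENT: {Action.READ},
+        ResourceType.RUBRIC: {Action.READ},
+        ResourceType.ANNOTATION: {Action.CREATE, Action.READ, Action.UPDATE},
+        ResourceType.EVALUATION: {Action.CREATE, Action.READ, Action.UPDATE},
+        ResourceType.REPORT: {Action.CREATE, Action.READ, Action.UPDATE},
+        ResourceType.GRADE_DECISION: {Action.CREATE, Action.READ, Action.UPDATE},
+        ResourceType.AUDIT_LOG: {Action.READ},
+    },
+
+    # Fachvorsitz
+    Role.FACHVORSITZ: {
+        ResourceType.TENANT: {Action.READ},
+        ResourceType.NAMESPACE: {Action.READ, Action.UPDATE},
+        ResourceType.EXAM_PACKAGE: {Action.READ, Action.UPDATE, Action.LOCK, Action.UNLOCK, Action.SIGN_OFF},
+        ResourceType.STUDENT_WORK: {Action.READ, Action.UPDATE},
+        ResourceType.EH_DOCUMENT: {Action.READ, Action.UPLOAD, Action.UPDATE},
+        ResourceType.RUBRIC: {Action.READ, Action.UPDATE},
+        ResourceType.ANNOTATION: {Action.READ, Action.UPDATE},
+        ResourceType.EVALUATION: {Action.READ, Action.UPDATE},
+        ResourceType.REPORT: {Action.READ, Action.UPDATE},
+        ResourceType.GRADE_DECISION: {Action.READ, Action.UPDATE, Action.SIGN_OFF},
+        ResourceType.EXPORT: {Action.CREATE, Action.READ, Action.DOWNLOAD},
+        ResourceType.AUDIT_LOG: {Action.READ},
+    },
+
+    # Pruefungsvorsitz
+    Role.PRUEFUNGSVORSITZ: {
+        ResourceType.TENANT: {Action.READ},
+        ResourceType.NAMESPACE: {Action.READ, Action.CREATE},
+        ResourceType.EXAM_PACKAGE: {Action.READ, Action.SIGN_OFF},
+        ResourceType.STUDENT_WORK: {Action.READ},
+        ResourceType.EH_DOCUMENT: {Action.READ},
+        ResourceType.GRADE_DECISION: {Action.READ, Action.SIGN_OFF},
+        ResourceType.EXPORT: {Action.CREATE, Action.READ, Action.DOWNLOAD},
+        ResourceType.AUDIT_LOG: {Action.READ},
+    },
+
+    # Schul-Admin
+    Role.SCHUL_ADMIN: {
+        ResourceType.TENANT: {Action.READ, Action.UPDATE},
+        ResourceType.NAMESPACE: {Action.CREATE, Action.READ, Action.UPDATE, Action.DELETE},
+        ResourceType.EXAM_PACKAGE: {Action.CREATE, Action.READ, Action.DELETE, Action.ASSIGN_ROLE},
+        ResourceType.EH_DOCUMENT: {Action.READ, Action.UPLOAD, Action.DELETE},
+        ResourceType.AUDIT_LOG: {Action.READ},
+    },
+
+    # Land-Admin (Behoerde)
+    Role.LAND_ADMIN: {
+        ResourceType.TENANT: {Action.READ},
+        ResourceType.EH_DOCUMENT: {Action.READ, Action.UPLOAD, Action.UPDATE, Action.DELETE, Action.PUBLISH_OFFICIAL},
+        ResourceType.AUDIT_LOG: {Action.READ},
+    },
+
+    # Auditor
+    Role.AUDITOR: {
+        ResourceType.AUDIT_LOG: {Action.READ},
+        ResourceType.EXAM_PACKAGE: {Action.READ}, # Nur Metadaten
+        # Kein Zugriff auf Inhalte!
+    },
+
+    # Operator
+    Role.OPERATOR: {
+        ResourceType.TENANT: {Action.READ},
+        ResourceType.NAMESPACE: {Action.READ},
+        ResourceType.EXAM_PACKAGE: {Action.READ}, # Nur Metadaten
+        ResourceType.AUDIT_LOG: {Action.READ},
+        # Break-glass separat gehandhabt
+    },
+
+    # Teacher Assistant
+    Role.TEACHER_ASSISTANT: {
+        ResourceType.STUDENT_WORK: {Action.READ},
+        ResourceType.ANNOTATION: {Action.CREATE, Action.READ}, # Nur bestimmte Typen
+        ResourceType.EH_DOCUMENT: {Action.READ},
+    },
+
+    # Exam Author (nur Vorabi)
+    Role.EXAM_AUTHOR: {
+        ResourceType.EH_DOCUMENT: {Action.CREATE, Action.READ, Action.UPDATE, Action.DELETE},
+        ResourceType.RUBRIC: {Action.CREATE, Action.READ, Action.UPDATE, Action.DELETE},
+    },
+
+    # =============================================
+    # ZEUGNIS-WORKFLOW ROLLEN
+    # =============================================
+
+    # Klassenlehrer - Erstellt Zeugnisse, Kopfnoten, Bemerkungen
+    Role.KLASSENLEHRER: {
+        ResourceType.NAMESPACE: {Action.READ},
+        ResourceType.ZEUGNIS: {Action.CREATE, Action.READ, Action.UPDATE},
+        ResourceType.ZEUGNIS_ENTWURF: {Action.CREATE, Action.READ, Action.UPDATE, Action.DELETE},
+        ResourceType.ZEUGNIS_VORLAGE: {Action.READ},
+        ResourceType.SCHUELER_DATEN: {Action.READ, Action.UPDATE},
+        ResourceType.FACHNOTE: {Action.READ}, # Liest Fachnoten der Fachlehrer
+        ResourceType.KOPFNOTE: {Action.CREATE, Action.READ, Action.UPDATE},
+        ResourceType.FEHLZEITEN: {Action.READ, Action.UPDATE},
+        ResourceType.BEMERKUNG: {Action.CREATE, Action.READ, Action.UPDATE, Action.DELETE},
+        ResourceType.VERSETZUNG: {Action.READ},
+        ResourceType.EXPORT: {Action.CREATE, Action.READ, Action.DOWNLOAD},
+        ResourceType.AUDIT_LOG: {Action.READ},
+    },
+
+    # Fachlehrer - Traegt Fachnoten ein
+    Role.FACHLEHRER: {
+        ResourceType.NAMESPACE: {Action.READ},
+        ResourceType.SCHUELER_DATEN: {Action.READ}, # Nur eigene Schueler
+        ResourceType.FACHNOTE: {Action.CREATE, Action.READ, Action.UPDATE}, # Nur eigenes Fach
+        ResourceType.BEMERKUNG: {Action.CREATE, Action.READ}, # Fachbezogene Bemerkungen
+        ResourceType.AUDIT_LOG: {Action.READ},
+    },
+
+    # Zeugnisbeauftragter - Qualitaetskontrolle
+    Role.ZEUGNISBEAUFTRAGTER: {
+        ResourceType.NAMESPACE: {Action.READ, Action.UPDATE},
+        ResourceType.ZEUGNIS: {Action.READ, Action.UPDATE},
+        ResourceType.ZEUGNIS_ENTWURF: {Action.READ, Action.UPDATE},
+        ResourceType.ZEUGNIS_VORLAGE: {Action.READ, Action.UPDATE, Action.UPLOAD},
+        ResourceType.SCHUELER_DATEN: {Action.READ},
+        ResourceType.FACHNOTE: {Action.READ},
+        ResourceType.KOPFNOTE: {Action.READ, Action.UPDATE},
+        ResourceType.FEHLZEITEN: {Action.READ},
+        ResourceType.BEMERKUNG: {Action.READ, Action.UPDATE},
+        ResourceType.VERSETZUNG: {Action.READ},
+        ResourceType.EXPORT: {Action.CREATE, Action.READ, Action.DOWNLOAD},
+        ResourceType.AUDIT_LOG: {Action.READ},
+    },
+
+    # Sekretariat - Druck, Versand, Archivierung
+    Role.SEKRETARIAT: {
+        ResourceType.ZEUGNIS: {Action.READ, Action.DOWNLOAD},
+        ResourceType.ZEUGNIS_VORLAGE: {Action.READ},
+        ResourceType.SCHUELER_DATEN: {Action.READ}, # Fuer Adressdaten
+        ResourceType.EXPORT: {Action.CREATE, Action.READ, Action.DOWNLOAD},
+        ResourceType.AUDIT_LOG: {Action.READ},
+    },
+
+    # Schulleitung - Finale Zeugnis-Freigabe
+    Role.SCHULLEITUNG: {
+        ResourceType.TENANT: {Action.READ},
+        ResourceType.NAMESPACE: {Action.READ, Action.CREATE},
+        ResourceType.ZEUGNIS: {Action.READ, Action.SIGN_OFF, Action.LOCK},
+        ResourceType.ZEUGNIS_ENTWURF: {Action.READ, Action.UPDATE},
+        ResourceType.ZEUGNIS_VORLAGE: {Action.READ, Action.UPDATE},
+        ResourceType.SCHUELER_DATEN: {Action.READ},
+        ResourceType.FACHNOTE: {Action.READ},
+        ResourceType.KOPFNOTE: {Action.READ, Action.UPDATE},
+        ResourceType.FEHLZEITEN: {Action.READ},
+        ResourceType.BEMERKUNG: {Action.READ, Action.UPDATE},
+        ResourceType.KONFERENZ_BESCHLUSS: {Action.CREATE, Action.READ, Action.UPDATE, Action.SIGN_OFF},
+        ResourceType.VERSETZUNG: {Action.CREATE, Action.READ, Action.UPDATE, Action.SIGN_OFF},
+        ResourceType.EXPORT: {Action.CREATE, Action.READ, Action.DOWNLOAD},
+        ResourceType.AUDIT_LOG: {Action.READ},
+    },
+
+    # Stufenleitung - Stufenkoordination (z.B. Oberstufe)
+    Role.STUFENLEITUNG: {
+        ResourceType.NAMESPACE: {Action.READ, Action.UPDATE},
+        ResourceType.ZEUGNIS: {Action.READ, Action.UPDATE},
+        ResourceType.ZEUGNIS_ENTWURF: {Action.READ, Action.UPDATE},
+        ResourceType.SCHUELER_DATEN: {Action.READ},
+        ResourceType.FACHNOTE: {Action.READ},
+        ResourceType.KOPFNOTE: {Action.READ},
+        ResourceType.FEHLZEITEN: {Action.READ},
+        ResourceType.BEMERKUNG: {Action.READ, Action.UPDATE},
+        ResourceType.KONFERENZ_BESCHLUSS: {Action.READ},
+        ResourceType.VERSETZUNG: {Action.READ, Action.UPDATE},
+        ResourceType.EXPORT: {Action.READ, Action.DOWNLOAD},
+        ResourceType.AUDIT_LOG: {Action.READ},
+    },
+}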
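Review bot: `DEFAULT_PERMISSIONS` is a module-level `dict` of mutable `set`s (annotated `Dict[Role, Dict[ResourceType, Set[Action]]]`), so any caller that merges a policy into a role with `|=` or `.add()` on one of these values silently rewrites the process-wide default grants for every later request; freeze it by keeping the literal as `_DEFAULT_PERMISSIONS` and exposing `DEFAULT_PERMISSIONS = MappingProxyType({r: MappingProxyType({t: frozenset(a) for t, a in g.items()}) for r, g in _DEFAULT_PERMISSIONS.items()})` (with `from types import MappingProxyType`), and change the annotation to `Mapping[Role, Mapping[ResourceType, FrozenSet[Action]]]` — indexing, `.get()` and `.items()` keep working, only in-place mutation fails. Separately, the comments `# Nur Metadaten`, `# Nur bestimmte Typen`, `# Nur eigene Schueler` and `# Nur eigenes Fach` describe scope restrictions this table cannot express: as written it grants AUDITOR and OPERATOR unrestricted `READ` on EXAM_PACKAGE and FACHLEHRER `READ` on all SCHUELER_DATEN, so whatever evaluates this table (not in this diff) must apply those ownership and field-level filters itself, and a module docstring sentence such as `Entries tagged "Nur ..." are upper bounds only; ownership, subject and field-level scoping must be enforced by the permission check, not by this table.` would make that contract explicit. The header comment says policies can override these defaults; if an override can widen a role beyond its default (e.g. give AUDITOR content access), that path deserves its own audit, which cannot be judged from this file.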