Python (6 files in klausur-service): - rbac.py (1,132 → 4), admin_api.py (1,012 → 4) - routes/eh.py (1,111 → 4), ocr_pipeline_geometry.py (1,105 → 5) Python (2 files in backend-lehrer): - unit_api.py (1,226 → 6), game_api.py (1,129 → 5) Website (6 page files): - 4x klausur-korrektur pages (1,249-1,328 LOC each) → shared components in website/components/klausur-korrektur/ (17 shared files) - companion (1,057 → 10), magic-help (1,017 → 8) All re-export barrels preserve backward compatibility. Zero import errors verified. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
"""
RBAC Permission Matrix
Default role-to-resource permission mappings for
Klausur-Korrektur and Zeugnis workflows.
Extracted from rbac.py for file-size compliance. These are defaults only: the
policy layer may override them, and the scope narrowings recorded in the inline
comments (metadata only, own students, own subject, certain annotation types)
are not expressible in a role-by-resource matrix and must be enforced by the
code that consumes it.
"""
from typing import Dict, Set
from rbac_types import Role, Action, ResourceType
# =============================================
# RBAC PERMISSION MATRIX
# =============================================
# Default permission matrix (may be overridden by policies).
#
# Shape: role -> resource type -> set of allowed actions. This is deliberately
# coarse. The narrowings mentioned in the comments below -- "metadata only",
# "own students only", "own subject only", "certain annotation types only",
# "Vorabi only" -- cannot be expressed at this granularity and are NOT enforced
# by this table. They are requirements on the resource handlers / policy layer
# that consume it; treat each such comment as a check the caller must perform.
#
# NOTE(review): the dict and the inner sets are plain mutable module-level
# objects. Any override/merge logic should copy before modifying (e.g.
# set(DEFAULT_PERMISSIONS[role][res]) | extra) rather than calling .add() on
# the stored set; an in-place mutation would widen the defaults process-wide
# for every later permission check.
DEFAULT_PERMISSIONS: Dict[Role, Dict[ResourceType, Set[Action]]] = {
    # Erstkorrektor (first grader). Among the three corrector roles this is the
    # only one with LOCK and SHARE_KEY on the package, and the only role in the
    # whole table with DELETE on ANNOTATION. Can CREATE exports.
    Role.ERSTKORREKTOR: {
        ResourceType.EXAM_PACKAGE: {Action.READ, Action.UPDATE, Action.SHARE_KEY, Action.LOCK},
        ResourceType.STUDENT_WORK: {Action.READ, Action.UPDATE},
        ResourceType.EH_DOCUMENT: {Action.READ, Action.UPLOAD, Action.UPDATE},
        ResourceType.RUBRIC: {Action.READ, Action.UPDATE},
        ResourceType.ANNOTATION: {Action.CREATE, Action.READ, Action.UPDATE, Action.DELETE},
        ResourceType.EVALUATION: {Action.CREATE, Action.READ, Action.UPDATE},
        ResourceType.REPORT: {Action.CREATE, Action.READ, Action.UPDATE},
        ResourceType.GRADE_DECISION: {Action.CREATE, Action.READ, Action.UPDATE},
        ResourceType.EXPORT: {Action.CREATE, Action.READ, Action.DOWNLOAD},
        ResourceType.AUDIT_LOG: {Action.READ},
    },

    # Zweitkorrektor (second grader). Default: FULL visibility -- READ is
    # granted on ANNOTATION, EVALUATION, REPORT and GRADE_DECISION, i.e.
    # presumably the first grader's work is visible. If a blind / independent
    # second marking is required, it has to come from a policy override; this
    # table does not restrict it. Read-only on package, EH document and rubric;
    # no ANNOTATION DELETE; EXPORT without CREATE.
    Role.ZWEITKORREKTOR: {
        ResourceType.EXAM_PACKAGE: {Action.READ},
        ResourceType.STUDENT_WORK: {Action.READ, Action.UPDATE},
        ResourceType.EH_DOCUMENT: {Action.READ},
        ResourceType.RUBRIC: {Action.READ},
        ResourceType.ANNOTATION: {Action.CREATE, Action.READ, Action.UPDATE},
        ResourceType.EVALUATION: {Action.CREATE, Action.READ, Action.UPDATE},
        ResourceType.REPORT: {Action.CREATE, Action.READ, Action.UPDATE},
        ResourceType.GRADE_DECISION: {Action.CREATE, Action.READ, Action.UPDATE},
        ResourceType.EXPORT: {Action.READ, Action.DOWNLOAD},
        ResourceType.AUDIT_LOG: {Action.READ},
    },

    # Drittkorrektor (third grader). Identical to Zweitkorrektor except that
    # no EXPORT access is granted at all.
    Role.DRITTKORREKTOR: {
        ResourceType.EXAM_PACKAGE: {Action.READ},
        ResourceType.STUDENT_WORK: {Action.READ, Action.UPDATE},
        ResourceType.EH_DOCUMENT: {Action.READ},
        ResourceType.RUBRIC: {Action.READ},
        ResourceType.ANNOTATION: {Action.CREATE, Action.READ, Action.UPDATE},
        ResourceType.EVALUATION: {Action.CREATE, Action.READ, Action.UPDATE},
        ResourceType.REPORT: {Action.CREATE, Action.READ, Action.UPDATE},
        ResourceType.GRADE_DECISION: {Action.CREATE, Action.READ, Action.UPDATE},
        ResourceType.AUDIT_LOG: {Action.READ},
    },

    # Fachvorsitz (department chair). The only role in the table with UNLOCK;
    # can LOCK and SIGN_OFF packages and SIGN_OFF grade decisions. May UPDATE
    # but not CREATE or DELETE the correctors' artefacts (annotation,
    # evaluation, report, grade decision).
    Role.FACHVORSITZ: {
        ResourceType.TENANT: {Action.READ},
        ResourceType.NAMESPACE: {Action.READ, Action.UPDATE},
        ResourceType.EXAM_PACKAGE: {Action.READ, Action.UPDATE, Action.LOCK, Action.UNLOCK, Action.SIGN_OFF},
        ResourceType.STUDENT_WORK: {Action.READ, Action.UPDATE},
        ResourceType.EH_DOCUMENT: {Action.READ, Action.UPLOAD, Action.UPDATE},
        ResourceType.RUBRIC: {Action.READ, Action.UPDATE},
        ResourceType.ANNOTATION: {Action.READ, Action.UPDATE},
        ResourceType.EVALUATION: {Action.READ, Action.UPDATE},
        ResourceType.REPORT: {Action.READ, Action.UPDATE},
        ResourceType.GRADE_DECISION: {Action.READ, Action.UPDATE, Action.SIGN_OFF},
        ResourceType.EXPORT: {Action.CREATE, Action.READ, Action.DOWNLOAD},
        ResourceType.AUDIT_LOG: {Action.READ},
    },

    # Pruefungsvorsitz (exam board chair). Sign-off authority without editing
    # rights: SIGN_OFF on package and grade decision, but no UPDATE on any
    # resource. Can CREATE namespaces and exports.
    Role.PRUEFUNGSVORSITZ: {
        ResourceType.TENANT: {Action.READ},
        ResourceType.NAMESPACE: {Action.READ, Action.CREATE},
        ResourceType.EXAM_PACKAGE: {Action.READ, Action.SIGN_OFF},
        ResourceType.STUDENT_WORK: {Action.READ},
        ResourceType.EH_DOCUMENT: {Action.READ},
        ResourceType.GRADE_DECISION: {Action.READ, Action.SIGN_OFF},
        ResourceType.EXPORT: {Action.CREATE, Action.READ, Action.DOWNLOAD},
        ResourceType.AUDIT_LOG: {Action.READ},
    },

    # Schul-Admin (school administrator). Tenant/namespace administration and
    # the exam-package lifecycle (CREATE/DELETE), but no access to STUDENT_WORK,
    # annotations, evaluations or grades -- administration is separated from
    # content. The only role with ASSIGN_ROLE; since that presumably lets it
    # grant content-bearing roles to others, it is indirectly as powerful as
    # those roles and its use belongs in the audit log.
    Role.SCHUL_ADMIN: {
        ResourceType.TENANT: {Action.READ, Action.UPDATE},
        ResourceType.NAMESPACE: {Action.CREATE, Action.READ, Action.UPDATE, Action.DELETE},
        ResourceType.EXAM_PACKAGE: {Action.CREATE, Action.READ, Action.DELETE, Action.ASSIGN_ROLE},
        ResourceType.EH_DOCUMENT: {Action.READ, Action.UPLOAD, Action.DELETE},
        ResourceType.AUDIT_LOG: {Action.READ},
    },

    # Land-Admin (state education authority). The only role with
    # PUBLISH_OFFICIAL; scoped to EH documents, no namespace or package access.
    Role.LAND_ADMIN: {
        ResourceType.TENANT: {Action.READ},
        ResourceType.EH_DOCUMENT: {Action.READ, Action.UPLOAD, Action.UPDATE, Action.DELETE, Action.PUBLISH_OFFICIAL},
        ResourceType.AUDIT_LOG: {Action.READ},
    },

    # Auditor. Audit log plus package metadata.
    Role.AUDITOR: {
        ResourceType.AUDIT_LOG: {Action.READ},
        ResourceType.EXAM_PACKAGE: {Action.READ},  # metadata only
        # No access to content! -- NOTE: READ here is the same action every
        # other role gets; "metadata only" is not encoded in this table and
        # must be enforced by the EXAM_PACKAGE handler (e.g. field filtering).
    },

    # Operator. Read-only view of tenant, namespace and package metadata.
    Role.OPERATOR: {
        ResourceType.TENANT: {Action.READ},
        ResourceType.NAMESPACE: {Action.READ},
        ResourceType.EXAM_PACKAGE: {Action.READ},  # metadata only -- same caveat as for AUDITOR
        ResourceType.AUDIT_LOG: {Action.READ},
        # Break-glass (emergency) access is handled separately, not via this
        # matrix.
    },

    # Teacher Assistant. Read-only on student work and EH documents; may add
    # annotations.
    Role.TEACHER_ASSISTANT: {
        ResourceType.STUDENT_WORK: {Action.READ},
        ResourceType.ANNOTATION: {Action.CREATE, Action.READ},  # only certain annotation types -- not expressible here; the annotation endpoint must check the type
        ResourceType.EH_DOCUMENT: {Action.READ},
    },

    # Exam Author (Vorabi / pre-Abitur exams only). Full CRUD on EH documents
    # and rubrics, nothing else. The "Vorabi only" restriction is likewise not
    # encoded here and needs an external check.
    Role.EXAM_AUTHOR: {
        ResourceType.EH_DOCUMENT: {Action.CREATE, Action.READ, Action.UPDATE, Action.DELETE},
        ResourceType.RUBRIC: {Action.CREATE, Action.READ, Action.UPDATE, Action.DELETE},
    },

    # =============================================
    # ZEUGNIS (REPORT CARD) WORKFLOW ROLES
    # =============================================

    # Klassenlehrer (class teacher) - creates report cards, conduct grades
    # (Kopfnoten) and remarks. The only role with UPDATE on SCHUELER_DATEN.
    Role.KLASSENLEHRER: {
        ResourceType.NAMESPACE: {Action.READ},
        ResourceType.ZEUGNIS: {Action.CREATE, Action.READ, Action.UPDATE},
        ResourceType.ZEUGNIS_ENTWURF: {Action.CREATE, Action.READ, Action.UPDATE, Action.DELETE},
        ResourceType.ZEUGNIS_VORLAGE: {Action.READ},
        ResourceType.SCHUELER_DATEN: {Action.READ, Action.UPDATE},
        ResourceType.FACHNOTE: {Action.READ},  # reads the subject grades entered by the Fachlehrer; cannot change them
        ResourceType.KOPFNOTE: {Action.CREATE, Action.READ, Action.UPDATE},
        ResourceType.FEHLZEITEN: {Action.READ, Action.UPDATE},
        ResourceType.BEMERKUNG: {Action.CREATE, Action.READ, Action.UPDATE, Action.DELETE},
        ResourceType.VERSETZUNG: {Action.READ},
        ResourceType.EXPORT: {Action.CREATE, Action.READ, Action.DOWNLOAD},
        ResourceType.AUDIT_LOG: {Action.READ},
    },

    # Fachlehrer (subject teacher) - enters subject grades. The two scope
    # restrictions below are caller responsibilities; this table grants the
    # action on the whole resource type.
    Role.FACHLEHRER: {
        ResourceType.NAMESPACE: {Action.READ},
        ResourceType.SCHUELER_DATEN: {Action.READ},  # own students only (scope check by caller)
        ResourceType.FACHNOTE: {Action.CREATE, Action.READ, Action.UPDATE},  # own subject only (scope check by caller)
        ResourceType.BEMERKUNG: {Action.CREATE, Action.READ},  # subject-related remarks
        ResourceType.AUDIT_LOG: {Action.READ},
    },

    # Zeugnisbeauftragter (report-card officer) - quality control. May UPDATE
    # most report-card artefacts and is the only role that can UPLOAD a
    # template, but has no SIGN_OFF anywhere and cannot change FACHNOTE.
    Role.ZEUGNISBEAUFTRAGTER: {
        ResourceType.NAMESPACE: {Action.READ, Action.UPDATE},
        ResourceType.ZEUGNIS: {Action.READ, Action.UPDATE},
        ResourceType.ZEUGNIS_ENTWURF: {Action.READ, Action.UPDATE},
        ResourceType.ZEUGNIS_VORLAGE: {Action.READ, Action.UPDATE, Action.UPLOAD},
        ResourceType.SCHUELER_DATEN: {Action.READ},
        ResourceType.FACHNOTE: {Action.READ},
        ResourceType.KOPFNOTE: {Action.READ, Action.UPDATE},
        ResourceType.FEHLZEITEN: {Action.READ},
        ResourceType.BEMERKUNG: {Action.READ, Action.UPDATE},
        ResourceType.VERSETZUNG: {Action.READ},
        ResourceType.EXPORT: {Action.CREATE, Action.READ, Action.DOWNLOAD},
        ResourceType.AUDIT_LOG: {Action.READ},
    },

    # Sekretariat (school office) - printing, mailing, archiving. Read and
    # download only; no UPDATE on anything.
    Role.SEKRETARIAT: {
        ResourceType.ZEUGNIS: {Action.READ, Action.DOWNLOAD},
        ResourceType.ZEUGNIS_VORLAGE: {Action.READ},
        ResourceType.SCHUELER_DATEN: {Action.READ},  # intended for address data, but READ covers the whole resource type; limiting it to address fields is the handler's job
        ResourceType.EXPORT: {Action.CREATE, Action.READ, Action.DOWNLOAD},
        ResourceType.AUDIT_LOG: {Action.READ},
    },

    # Schulleitung (head of school) - final report-card approval. The only role
    # with SIGN_OFF and LOCK on ZEUGNIS, and the only one that can CREATE or
    # SIGN_OFF KONFERENZ_BESCHLUSS and VERSETZUNG. Note that no role in this
    # table holds UNLOCK on ZEUGNIS -- presumably intentional (a signed report
    # card stays locked); confirm before relying on it.
    Role.SCHULLEITUNG: {
        ResourceType.TENANT: {Action.READ},
        ResourceType.NAMESPACE: {Action.READ, Action.CREATE},
        ResourceType.ZEUGNIS: {Action.READ, Action.SIGN_OFF, Action.LOCK},
        ResourceType.ZEUGNIS_ENTWURF: {Action.READ, Action.UPDATE},
        ResourceType.ZEUGNIS_VORLAGE: {Action.READ, Action.UPDATE},
        ResourceType.SCHUELER_DATEN: {Action.READ},
        ResourceType.FACHNOTE: {Action.READ},
        ResourceType.KOPFNOTE: {Action.READ, Action.UPDATE},
        ResourceType.FEHLZEITEN: {Action.READ},
        ResourceType.BEMERKUNG: {Action.READ, Action.UPDATE},
        ResourceType.KONFERENZ_BESCHLUSS: {Action.CREATE, Action.READ, Action.UPDATE, Action.SIGN_OFF},
        ResourceType.VERSETZUNG: {Action.CREATE, Action.READ, Action.UPDATE, Action.SIGN_OFF},
        ResourceType.EXPORT: {Action.CREATE, Action.READ, Action.DOWNLOAD},
        ResourceType.AUDIT_LOG: {Action.READ},
    },

    # Stufenleitung (year-group / level coordination, e.g. upper school). Can
    # UPDATE report cards, drafts, remarks and VERSETZUNG but has no SIGN_OFF;
    # KONFERENZ_BESCHLUSS is read-only; EXPORT without CREATE.
    Role.STUFENLEITUNG: {
        ResourceType.NAMESPACE: {Action.READ, Action.UPDATE},
        ResourceType.ZEUGNIS: {Action.READ, Action.UPDATE},
        ResourceType.ZEUGNIS_ENTWURF: {Action.READ, Action.UPDATE},
        ResourceType.SCHUELER_DATEN: {Action.READ},
        ResourceType.FACHNOTE: {Action.READ},
        ResourceType.KOPFNOTE: {Action.READ},
        ResourceType.FEHLZEITEN: {Action.READ},
        ResourceType.BEMERKUNG: {Action.READ, Action.UPDATE},
        ResourceType.KONFERENZ_BESCHLUSS: {Action.READ},
        ResourceType.VERSETZUNG: {Action.READ, Action.UPDATE},
        ResourceType.EXPORT: {Action.READ, Action.DOWNLOAD},
        ResourceType.AUDIT_LOG: {Action.READ},
    },
}