HartOMat/backend/app/domains/auth/models.py

import uuid
from datetime import datetime
from sqlalchemy import String, Boolean, DateTime, Enum as SAEnum, ForeignKey
from sqlalchemy.orm import Mapped, mapped_column, relationship
from sqlalchemy.dialects.postgresql import UUID
from app.database import Base
import enum


class UserRole(str, enum.Enum):
    # New role hierarchy (Phase 4)
    global_admin = "global_admin"    # platform operator — bypasses RLS, all tenants
    tenant_admin = "tenant_admin"    # per-tenant admin — full control within own tenant
    project_manager = "project_manager"  # order/render management within tenant
    client = "client"               # read own orders, create draft orders

    # Legacy alias — kept for backward compat during migration; use global_admin for new code
    admin = "admin"


# Roles that have administrative privileges (global_admin + legacy admin)
ADMIN_ROLES = {"global_admin", "admin"}

# Roles with tenant-level admin access
TENANT_ADMIN_ROLES = {"global_admin", "tenant_admin", "admin"}

# Roles with project management or above
PM_ROLES = {"global_admin", "tenant_admin", "project_manager", "admin"}

# Roles that bypass RLS (see TenantContextMiddleware + get_db)
RLS_BYPASS_ROLES = {"global_admin", "admin"}


class User(Base):
    __tablename__ = "users"

    id: Mapped[uuid.UUID] = mapped_column(UUID(as_uuid=True), primary_key=True, default=uuid.uuid4)
    email: Mapped[str] = mapped_column(String(255), unique=True, nullable=False, index=True)
    password_hash: Mapped[str] = mapped_column(String(255), nullable=False)
    full_name: Mapped[str] = mapped_column(String(255), nullable=False)
    role: Mapped[UserRole] = mapped_column(SAEnum(UserRole), default=UserRole.client, nullable=False)
    is_active: Mapped[bool] = mapped_column(Boolean, default=True, nullable=False)
    tenant_id: Mapped[uuid.UUID | None] = mapped_column(
        UUID(as_uuid=True), ForeignKey("tenants.id"), nullable=True, index=True
    )
    created_at: Mapped[datetime] = mapped_column(DateTime, default=datetime.utcnow, nullable=False)
    updated_at: Mapped[datetime] = mapped_column(DateTime, default=datetime.utcnow, onupdate=datetime.utcnow, nullable=False)

    tenant: Mapped["Tenant | None"] = relationship("Tenant", back_populates="users", lazy="noload")
    orders: Mapped[list["Order"]] = relationship("Order", back_populates="created_by_user", foreign_keys="Order.created_by")
    audit_logs: Mapped[list["AuditLog"]] = relationship("AuditLog", back_populates="user", foreign_keys="AuditLog.user_id")